Skip to content

(BSR) fix(recommendation): Update reco-api-deps (major)#388

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-reco-api-deps
Open

(BSR) fix(recommendation): Update reco-api-deps (major)#388
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-reco-api-deps

Conversation

@renovate

@renovate renovate Bot commented Dec 11, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
gunicorn (changelog) ~=23.0~=26.0 age confidence
numpy (changelog) ~=1.26~=2.5 age confidence
pandas ~=2.2~=3.0 age confidence
pytest-cov (changelog) ~=2.10~=7.1 age confidence
pytest-postgresql (changelog) ~=6.0~=8.1 age confidence
pytz ~=2023.3~=2026.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

benoitc/gunicorn (gunicorn)

v26.0.0

Compare Source

Breaking Changes

  • Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

  • ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
  • ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

  • HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
    • Reject authority-form request-target outside CONNECT
    • Reject asterisk-form request-target outside OPTIONS
    • Reject relative-reference request-targets
  • Header Field Hardening (RFC 9110):
    • Reject control characters in header field-value (section 5.5)
    • Reject forbidden trailer field-names (section 6.5.1)
    • Reject Content-Length list form (RFC 9112 section 6.3)
  • Request Smuggling Hardening:
    • Tighten keepalive gate and scope finish_body byte cap
    • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
    • Address parser/protocol findings from a six-point WSGI/ASGI audit
  • PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
  • Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

  • Body Framing on HEAD/204/304:
    • Keep Content-Length on HEAD and 304 responses (#​3621)
    • Drop body framing on HEAD/204/304 even when the framework set it
    • Warn once when an ASGI app emits a body for a no-body response
  • HTTP/2 ASGI:
    • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
    • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#​3565)
  • HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
  • WebSocket Close Handshake (RFC 6455):
    • Comply with the close handshake state machine
    • Close the transport after the close handshake completes
    • Fix binary send when the text key is None
  • Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#​3588).
  • ASGI Framework Fixes:
    • Fix ASGI disconnect handling for Django-style apps
    • Fix Litestar request handling (use raw ASGI receive for body/headers)
    • Fix Litestar HTTP endpoints for compatibility tests
    • Fix Quart headers endpoint to normalize keys to lowercase
    • Fix Quart WebSocket close test app (missing accept())
    • Fix duplicate Transfer-Encoding header for BlackSheep streaming

Refactoring

  • Split BodyReceiver._closed into separate transport and body-wait flags for clearer keepalive/EOF semantics.

Changes

  • Fast HTTP Parser: Require gunicorn_h1c >= 0.6.5. Drop the last python_only test markers; the C extension is now used wherever available (CPython only; PyPy continues to use the Python parser).
  • Test Dependencies: Add h2 and uvloop to the testing extra; remove eventlet.
  • Docker Build: Bump GitHub Actions docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, and docker/metadata-action to current major versions.

Full changelog: benoitc/gunicorn@25.3.0...26.0.0

v25.3.0: Gunicorn 25.3.0

Compare Source

Bug Fixes

  • HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
    ASGI requests, causing JSON parsing errors with "Extra data" messages
    (#​3558)

  • ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
    chunked encoding edge case where connection closes before final CRLF after zero-chunk

  • HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string
    instead of list syntax (#​3561)

  • Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112
    (#​3556)

  • Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented,
    instead of using default maximum. Works with both Python and fast C parser.
    (#​3563)

Security

  • ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
    • Reject duplicate Content-Length headers
    • Reject requests with both Content-Length and Transfer-Encoding
    • Reject chunked transfer encoding in HTTP/1.0
    • Reject stacked chunked encoding
    • Validate Transfer-Encoding values
    • Strict chunk size validation

Changes

  • Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
    and InvalidChunkExtension validation for bare CR rejection

  • ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

  • Docker Images: Update to Python 3.14

v25.2.0: Gunicorn 25.2.0

Compare Source

New Features
  • Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
    • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
    • Falls back to Python parser in auto mode if version not met
    • Proper HTTP status codes for limit errors (414, 431)
Bug Fixes
  • uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#​3552, PR #​3554)

  • FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to FileWrapper for full PEP 3333 compliance. (#​3396, PR #​3550)

Performance
  • ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
    • Callback-based parsing with direct bytearray buffer operations
    • Use bytearray.find() directly instead of converting to bytes first
    • Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs O(n))

v25.1.0: Gunicorn 25.1.0

Compare Source

New Features
  • Control Interface (gunicornc): Add interactive control interface for managing
    running Gunicorn instances, similar to birdc for BIRD routing daemon
    (PR #​3505)

    • Unix socket-based communication with JSON protocol
    • Interactive mode with readline support and command history
    • Commands: show all/workers/dirty/config/stats/listeners
    • Worker management: worker add/remove/kill, dirty add/remove
    • Server control: reload, reopen, shutdown
    • New settings: --control-socket, --control-socket-mode, --no-control-socket
    • New CLI tool: gunicornc for connecting to control socket
    • See Control Interface Guide for details
  • Dirty Stash: Add global shared state between workers via dirty.stash
    (PR #​3503)

    • In-memory key-value store accessible by all workers
    • Supports get, set, delete, clear, keys, and has operations
    • Useful for sharing state like feature flags, rate limits, or cached data
  • Dirty Binary Protocol: Implement efficient binary protocol for dirty arbiter IPC
    using TLV (Type-Length-Value) encoding
    (PR #​3500)

    • More efficient than JSON for binary data
    • Supports all Python types: str, bytes, int, float, bool, None, list, dict
    • Better performance for large payloads
  • Dirty TTIN/TTOU Signals: Add dynamic worker scaling for dirty arbiters
    (PR #​3504)

    • Send SIGTTIN to increase dirty workers
    • Send SIGTTOU to decrease dirty workers
    • Respects minimum worker constraints from app configurations
Changes
  • ASGI Worker: Promoted from beta to stable
  • Dirty Arbiters: Now marked as beta feature
Documentation
  • Fix Markdown formatting in /configure documentation

v25.0.3

Compare Source

What's Changed

Bug Fixes
  • Fix RuntimeError when StopIteration raised in ASGI coroutine (#​3484)
  • Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)
Documentation
  • Updated sponsorship section and homepage

Full Changelog: benoitc/gunicorn@25.0.2...25.0.3

v25.0.2: Release 25.0.2

Compare Source

Bug Fixes

  • Fix ASGI concurrent request failures through nginx proxy by normalizing
    sockaddr tuples to handle both 2-tuple (IPv4) and 4-tuple (IPv6) formats
    (PR #​3485)

  • Fix graceful disconnect handling for ASGI worker to properly handle
    client disconnects without raising exceptions
    (PR #​3485)

  • Fix lazy import of dirty module for gevent compatibility - prevents
    import errors when concurrent.futures is imported before gevent monkey-patching
    (PR #​3483)

Changes

  • Refactor: Extract _normalize_sockaddr utility function for consistent
    socket address handling across workers

  • Add license headers to all Python source files

  • Update copyright year to 2026 in LICENSE and NOTICE files

v25.0.1

Compare Source

Bug Fixes

  • Fix ASGI streaming responses (SSE) hanging: add chunked transfer encoding for
    HTTP/1.1 responses without Content-Length header. Without chunked encoding,
    clients wait for connection close to determine end-of-response.

Changes

  • Update celery_alternative example to use FastAPI with native ASGI worker and
    uvloop for async task execution

Testing

  • Add ASGI compliance test suite with Docker-based integration tests covering HTTP,
    WebSocket, streaming, lifespan, framework integration (Starlette, FastAPI),
    HTTP/2, and concurrency scenarios

v25.0.0: Gunicorn 25.0.0

Compare Source

New Features

  • Dirty Arbiters: Separate process pool for executing long-running, blocking
    operations (AI model loading, heavy computation) without blocking HTTP workers
    (PR #​3460)

    • Inspired by Erlang's dirty schedulers
    • Asyncio-based with Unix socket IPC
    • Stateful workers that persist loaded resources
    • New settings: --dirty-app, --dirty-workers, --dirty-timeout,
      --dirty-threads, --dirty-graceful-timeout
    • Lifecycle hooks: on_dirty_starting, dirty_post_fork,
      dirty_worker_init, dirty_worker_exit
  • Per-App Worker Allocation for Dirty Arbiters: Control how many dirty workers
    load each app for memory optimization with heavy models
    (PR #​3473)

    • Set workers class attribute on DirtyApp (e.g., workers = 2)
    • Or use config format module:class:N (e.g., myapp:HeavyModel:2)
    • Requests automatically routed to workers with the target app
    • New exception DirtyNoWorkersAvailableError for graceful error handling
    • Example: 8 workers × 10GB model = 80GB → with workers=2: 20GB (75% savings)
  • HTTP/2 Support (Beta): Native HTTP/2 (RFC 7540) support for improved performance
    with modern clients (PR #​3468)

    • Multiplexed streams over a single connection
    • Header compression (HPACK)
    • Flow control and stream prioritization
    • Works with gthread, gevent, and ASGI workers
    • New settings: --http-protocols, --http2-max-concurrent-streams,
      --http2-initial-window-size, --http2-max-frame-size, --http2-max-header-list-size
    • Requires SSL/TLS and h2 library: pip install gunicorn[http2]
    • New example: examples/http2_gevent/ with Docker and tests
  • HTTP 103 Early Hints: Support for RFC 8297 Early Hints to enable browsers to
    preload resources before the final response
    (PR #​3468)

    • WSGI: environ['wsgi.early_hints'](headers) callback
    • ASGI: http.response.informational message type
    • Works with both HTTP/1.1 and HTTP/2
  • uWSGI Protocol for ASGI Worker: The ASGI worker now supports receiving requests
    via the uWSGI binary protocol from nginx
    (PR #​3467)

Bug Fixes

  • Fix HTTP/2 ALPN negotiation for gevent and eventlet workers when
    do_handshake_on_connect is False (the default). The TLS handshake is now
    explicitly performed before checking selected_alpn_protocol().

  • Fix setproctitle initialization with systemd socket activation
    (#​3465)

  • Fix Expect: 100-continue handling: ignore the header for HTTP/1.0 requests
    since 100-continue is only valid for HTTP/1.1+
    (PR #​3463)

  • Fix missing _expected_100_continue attribute in UWSGIRequest

  • Disable setproctitle on macOS to prevent segfaults during process title updates

  • Publish full exception traceback when the application fails to load
    (#​3462)

  • Fix ASGI: quick shutdown on SIGINT/SIGQUIT, graceful on SIGTERM

Deprecations

  • Eventlet Worker: The eventlet worker is deprecated and will be removed in
    Gunicorn 26.0. Eventlet itself is no longer actively maintained.
    Please migrate to gevent, gthread, or another supported worker type.

Changes

  • Remove obsolete Makefile targets
    (PR #​3471)
  • Replace RST with markdown documentation format

v24.1.1

Compare Source

Bug Fixes

  • Fix forwarded_allow_ips and proxy_allow_ips to remain as strings for backward
    compatibility with external tools like uvicorn. Network validation now uses strict
    mode to detect invalid CIDR notation (e.g., 192.168.1.1/24 where host bits are set)
    (#​3458,
    PR #​3459)

Full Changelog: benoitc/gunicorn@24.1.0...24.1.1

v24.1.0: Gunicorn 24.1.0

Compare Source

New Features

  • Official Docker Image: Gunicorn now publishes official Docker images to GitHub Container Registry (PR #​3454)

    • Available at ghcr.io/benoitc/gunicorn
    • Based on Python 3.12 slim image
    • Uses recommended worker formula (2 × CPU + 1)
    • Configurable via environment variables
  • PROXY Protocol v2 Support: Extended PROXY protocol implementation to support the binary v2 format in addition to the existing text-based v1 format (PR #​3451)

    • New --proxy-protocol modes: off, v1, v2, auto
    • auto mode (default when enabled) detects v1 or v2 automatically
    • v2 binary format is more efficient and supports additional metadata
    • Works with HAProxy, AWS NLB/ALB, and other PROXY protocol v2 sources
  • CIDR Network Support: --forwarded-allow-ips and --proxy-allow-from now accept CIDR notation (e.g., 192.168.0.0/16) for specifying trusted networks (PR #​3449)

  • Socket Backlog Metric: New gunicorn.socket.backlog gauge metric reports the current socket backlog size on Linux systems (PR #​3450)

  • InotifyReloader Enhancement: The inotify-based reloader now watches newly imported modules, not just those loaded at startup (PR #​3447)

Bug Fixes

  • Fix signal handling regression where SIGCLD alias caused "Unhandled signal: cld" errors on Linux when workers fail during boot (#​3453)
  • Fix socket blocking mode on keepalive connections preventing SSL handshake failures with async workers (PR #​3452)
  • Use smaller buffer size in finish_body() for faster timeout detection on slow or abandoned connections (PR #​3453)
  • Handle SSLWantReadError in finish_body() to prevent worker hangs during SSL renegotiation (PR #​3448)
  • Log SIGTERM as info level instead of warning to reduce noise in orchestrated environments (PR #​3446)
  • Print exception details to stderr when worker fails to boot (PR #​3443)
  • Fix unreader.unread() to prepend data to buffer instead of appending (PR #​3442)
  • Prevent RecursionError when pickling Config objects (PR #​3441)
  • Use proper exception chaining with raise from in glogging.py (PR #​3440)

Installation

pip install gunicorn==24.1.0

Or use the official Docker image:

docker pull ghcr.io/benoitc/gunicorn:24.1.0

v24.0.0

Compare Source

New Features

  • ASGI Worker (Beta): Native asyncio-based ASGI support for running async Python frameworks like FastAPI, Starlette, and Quart without external dependencies

    • HTTP/1.1 with keepalive connections
    • WebSocket support
    • Lifespan protocol for startup/shutdown hooks
    • Optional uvloop for improved performance
  • uWSGI Binary Protocol: Support for receiving requests from nginx via uwsgi_pass directive

  • Documentation Migration: Migrated to MkDocs with Material theme

Security

Install

pip install gunicorn==24.0.0
numpy/numpy (numpy)

v2.5.0: (June 21, 2026)

Compare Source

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11,
marking the end of distutils, and expires a large number of deprecations made
in the 2.0.x release. It also improves free threading and brings sorting into
compliance with the array-api standard with the addition of descending sorts.
There is also a fair amount of preparation for Python 3.15, which will be
supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed,
  • Many expired deprecations, see below,
  • Many new deprecations, see below,
  • Many static typing improvements.
  • Improved support for free threading,
  • Support for descending sorts,

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided
    out=out under the same-kind rule. A DeprecationWarning is given now
    when this check fails. Previously, take incorrectly checked if out
    could be cast to the result (the wrong direction). This deprecation also
    affects compress and possibly other functions. (Future versions of NumPy
    may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use an
    numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe
    if an array is shared, especially by multiple threads. As an alternative,
    you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

  • Setting the shape attribute is deprecated because mutating an array is
    unsafe if an array is shared, especially by multiple threads. As an
    alternative, you can create a new view via np.reshape or
    np.ndarray.reshape. For example: x = np.arange(15); x = np.reshape(x, (3, 5)).
    To ensure no copy is made from the data, one can use np.reshape(..., copy=False).

    While setting the shape on an array is discouraged, for cases where it is
    difficult to work around, e.g., in __array_finalize__, it is possible
    with the private method np.ndarray._set_shape.

    (gh-29536)

  • Using the generic unit in numpy.timedelta64 is deprecated since this
    can lead to unexpected behavior such as non-transitive comparison, see
    gh-28287 for details. As
    an alternative, specify an explicit unit such as 's' (seconds) or 'D'
    (days) when constructing numpy.timedelta64. Due to this change, operations
    that implicitly rely on the generic unit are also deprecated. For
    example:

    arr = np.array([1, 2, 3], dtype="m8[s]")
    

1 is implicitly converted to generic timedelta64

  arr + 1

(gh-29619)

  • Resizing a Numpy array in place is deprecated since mutating an array is
    unsafe if an array is shared, especially by multiple threads. As an
    alternative, you can create a resized array via np.resize.

    (gh-30181)

  • numpy.fix is deprecated, use numpy.trunc instead. It is faster and
    follows the Array API standard. Both functions provide identical
    functionality: rounding array elements towards zero.

    (gh-30644)

  • numpy.ma.round_ is deprecated. numpy.ma.round can be used as a
    replacement.

    (gh-30738)

  • numpy.typename is deprecated because the names returned by it were
    outdated and inconsistent. numpy.dtype.name can be used as a
    replacement.

    (gh-30774)

  • Inputs other than integers are deprecated for numpy.triu_indices and
    numpy.tril_indices. Non-integer values for the M, k and N
    parameters of numpy.tri are deprecated. Non-integer values for the k
    parameter of both numpy.tril_indices_from and numpy.triu_indices_from
    are deprecated.

    (gh-30869)

  • Deprecations in custom dtype property and __array_finalize__.

    Previously arr.view(dtype=new_dtype) called arr.dtype = new_dtype
    also for subclasses, i.e., the attribute setting. That path is now
    deprecated and refined, meaning that even subclasses that do not see this
    DeprecationWarning may wish to update their code.

    A subclass that does any dtype specific logic (i.e. verifying the dtype
    in __array_finalize__ or has a dtype property) should now:

    • Set _set_dtype = None in which case arr.view(dtype=new_dtype)
      will call __array_finalize__ with the new dtype, ensuring that
      any validation __array_finalize__ will run is done.
    • Or, for a quick fix, define _set_dtype as a function (calling
      ndarray._set_dtype() to avoid DeprecationWarnings.
      (Future versions might migrate towards the _set_dtype = None path.)

    Ideally, follow NumPy's deprecation to prevent dtype mutation by users.
    The use of ndarray._set_dtype() may be necessary for some subclass
    finalization patterns, but should otherwise be avoided.

    (gh-31293)

Expired deprecations

  • numpy.distutils has been removed

    (gh-30340)

  • Passing None as dtype to np.finfo will now raise a TypeError
    (deprecated since 1.25)

    (gh-30460)

  • numpy.cross no longer supports 2-dimensional vectors.
    (Deprecated since 2.0)

    (gh-30461)

  • numpy._core.numerictypes.maximum_sctype has been removed.
    (deprecated since 2.0)

    (gh-30462)

  • numpy.row_stack has been removed in favor of numpy.vstack.
    (deprecated since 2.0)

    (gh-30463)

  • get_array_wrap has been removed.
    (deprecated since 2.0)

    (gh-30463)

  • recfromtxt and recfromcsv have been removed from numpy.lib._npyio
    in favor of numpy.genfromtxt.
    (deprecated since 2.0)

    (gh-30467)

  • The numpy.chararray re-export of numpy.char.chararray has been removed.
    (deprecated since 2.0)

    (gh-30604)

  • bincount now raises a TypeError for non-integer inputs.
    (deprecated since 2.1)

    (gh-30610)

  • The numpy.lib.math alias for the standard library math module has
    been removed.
    (deprecated since 1.25)

    (gh-30612)

  • Data type alias 'a' was removed in favor of 'S'.
    (deprecated since 2.0)

    (gh-30613)

  • _add_newdoc_ufunc(ufunc, newdoc) has been removed in favor of
    ufunc.__doc__ = newdoc.
    (deprecated since 2.2)

    (gh-30614)

Compatibility notes

linalg.eig and linalg.eigvals now always return complex arrays

Previously, the return values depended on whether the eigenvalues happen to lie
on the real line (which, for a general, non-symmetric matrix, is not
guaranteed).

This change makes consistent what was a value-dependent result. To retain the
previous behavior, do:

w = eigvals(a)
if np.any(w.imag == 0):  # this is what NumPy used to do
    w = w.real

If your matrix is symmetrix/hermitian, use eigh and eigvalsh instead of
eig and eigvals. These are guaranteed to return real values. A common
case is covariance matrices, which are symmetric and positive definite by
construction.

(gh-30411)

MSVC support

NumPy now requires minimum MSVC 19.35 toolchain version on Windows platforms.
This corresponds to Visual Studio 2022 version 17.5 Preview 2 or newer.

(gh-30489)

Cython support

NumPy's Cython headers (accessed via cimport numpy) now require Cython 3.0
or newer to build. If you try to compile a project that depends on NumPy's
Cython headers using Cython 0.29 or older, you will see a message like this:

Error compiling Cython file:
------------------------------------------------------------
...

versions.


#

See init.cython-30.pxd for the real Cython header


#

DEF err = int('Build aborted: the NumPy Cython headers require Cython 3.0.0 or newer.')
  ------------------------------------------------------------

  /path/to/site-packages/numpy/__init__.pxd:11:13: Error in compile-time expression:
  ValueError: invalid literal for int() with base 10: 
  'Build aborted: the NumPy Cython headers require Cython 3.0.0 or newer.'

Note that the invalid integer is not a bug in NumPy - we are intentionally
generating this error to avoid triggering a more obscure error later in the
build when an older Cython version tries to use a Cython feature that was not
available in the old Cython version.

(gh-30770)

numpy.where no longer truncates Python integers

Previously, if the x or y argument of numpy.where was a Python
integer that was out of range of the output type, it would be silently
truncated. Now, an OverflowError will be raised instead.

This change also applies to the underlying C API function PyArray_Where.

(gh-30803)

Default memory allocator change

NumPy now uses PyMem_RawMalloc and PyMem_RawFree as the default memory
allocator, instead of system's malloc and free directly.

(gh-30846)

from_dlpack raises BufferError instead of RuntimeError

np.from_dlpack now raises BufferError instead of RuntimeError when
the incoming DLPack tensor has an unsupported device, dtype, or exceeds the
maximum number of dimensions. This aligns with the DLPack and Array API
specifications, which recommend BufferError for data that cannot be
imported.

(gh-30937)

Corrections to the BTPE binomial sampler

Two independent errors in the Stirling series of the acceptance/rejection step
of the BTPE algorithm used by numpy.random.Generator.binomial have been
corrected:

  • The third and fourth error terms were added rather than subtracted. This sign
    error was inherited from section 5.3 of the original 1988 paper by
    Kachitvichyanukul & Schmeiser, which incorrectly adds all four terms.
  • The leading coefficient had a digit-swap typo (13680 instead of
    13860) that was introduced in the initial implementation.

As a result, Generator.binomial and Generator.multinomial, which uses
binomial internally, may now return different samples for the same seed.

The legacy numpy.random.RandomState.binomial and
numpy.random.RandomState.multinomial are not affected: they preserve the
original (incorrect) behavior, so existing streams remain reproducible.

(gh-31238)

datetime64/timedelta64 arithmetic raises on overflow

Addition, subtraction, and integer multiplication of datetime64 and
timedelta64 values now raise OverflowError when the result would
overflow int64 or land on the NaT sentinel value. Previously these
operations silently wrapped, often producing a value that was indistinguishable
from NaT. This matches the overflow checking already performed by
unit-conversion casts.

(gh-31378)

C API changes

  • It is now possible to register "real" and "imag" ArrayMethods via
    PyUFunc_AddLoopsFromSpecs. These will be used for imag and real
    and should normally set *view_offset in their resolve_descriptors
    function to allow the array attributes to return views.

    (gh-30984)

  • New PyDataType_TYPE, PyDataType_KIND, PyDataType_BYTEORDER and
    PyDataType_TYPEOBJ accessor macros to the C API. Together with the other
    accessor macros added for the NumPy 2.0 transition, these allow accessing the
    fields of PyArray_Descr structs without any direct field accesses.

    (gh-30994)

  • NumPy now supports the stable ABI for free-threaded Python as described in
    803{.interpreted-text role="pep"}.

    (gh-31091)

  • PyArray_DescrFromScalar now returns the full dtype descriptor for scalars
    of user-defined parametric data types, including any dtype parameters.
    Parameters were previously silently discarded, which could cause incorrect
    results in operations like astype on scalar objects. Internally, the
    function now delegates to discover_descr_from_pyobject, which handles
    parametric dtypes correctly.

    (gh-31067)

New Features

  • It is now possible to register user-dtypes for dlpack export and import
    via numpy.dtypes.register_dlpack_dtype. This functionality is meant to
    be used with care by user-dtype authors.

    (gh-31256)

Pixi package definitions

Pixi package definitions have been added for different kinds
of from-source builds of NumPy. These can be used in
downstream Pixi workspaces via the pixi-build feature.

Definitions for both default and AddressSanitizer-instrumented
(asan) builds are available in the source code under the
pixi-packages/ directory.

linux-64 and osx-arm64 platforms are supported.

(gh-30381)

numpy.ndarray now supports structural pattern matching

numpy.ndarray and its subclasses now have the Py_TPFLAGS_SEQUENCE flag
set, enabling structural pattern matching (PEP 634) with match/case
statements. This also enables Cython to optimize integer indexing operations.
See `arrays.ndarray.pattern-matching{.interpreted-text role="ref"}` for details.

(gh-30653)

Added N-D evaluation functions to the polynomial package

New functions polyvalnd, chebvalnd, legvalnd, hermvalnd,
hermevalnd, and lagvalnd have been added to evaluate polynomials
in arbitrary dimensions, analogous to the existing 2D and 3D evaluators.

(gh-30857)

New "descending" keyword argument for numpy.sort and numpy.argsort

Users can now pass the descending=True keyword argument to numpy.sort
and numpy.argsort to sort and argsort arrays in descending order. NaN
values, if present, are sorted to the end of the array in both ascending and
descending sorts. This feature is available for all built-in dtypes except
void, object, and generic. Note that SIMD optimizations for sorting
are currently not available for descending sorts, so performance may be slower.

(gh-31345)

Improvements

For f2py, the behaviour of intent(inplace) has improved. Previously,
if an input array did not have the right dtype or order, the input array was
modified in-place, changing its dtype and replacing its data by a corrected
copy. Now, instead, the corrected copy is kept a separate array, which, after
being passed and presumably modified by the fortran routine, is copied back to
the input routine. The above means one no longer has the risk that
pre-existing views or slices of the input array start pointing to unallocated
memory (at the price of increased overhead for the write-back copy at the end
of the call).

A potential problem would be that one might get very different results if one,
e.g., previously passed in an integer array where a double array was expected:
the writeback to integer would likely give wrong results. To avoid such
situations, intent(inplace) will now only allow arrays that have equivalent
type to that used in the fortran routine, i.e., dtype.kind is the same. For
instance, a routine expecting double would be able to receive float, but would
raise on integer input.

(gh-29929)

f2py modules now show allocatable arrays in dir()

Allocatable module variables wrapped by f2py now appear in dir()
output, matching their accessibility by name.

(gh-30965)

StringDType comparisons now correctly handle embedded NULL bytes.

(gh-31662)

Performance improvements and changes

Improved performance of numpy.searchsorted

The C++ binary search implementation used by numpy.searchsorted now has a
much better performance when searching for multiple keys. The new
implementation batches binary search steps across all keys to leverage cache
locality and out-of-order execution. Benchmarks show the new implementation can
be up to 20 times faster for hundreds of thousands keys while single-key
performance remains comparable to previous versions.

(gh-30517)

Improved scaling of ufuncs on free-threading

NumPy's ufuncs now scale significantly better on free-threading builds
of CPython due to the following optimizations:

  • Lock-free dispatch table: The ufuncs dispatch table is now implemented as
    a lock-free concurrent hash map, allowing multiple threads to call ufuncs
    without contention.
  • Immortal shared objects: Certain shared objects, such as global memory
    handlers, have been made immortal. This effectively reduces reference
    counting contention across threads.
  • Optimized memory allocation: NumPy now utilizes PyMem_RawMalloc and
    PyMem_RawFree for memory allocation. On Python 3.15 and newer, this
    leverages mimalloc and significantly reduces memory allocation overhead
    in multi-threaded workloads.

(gh-30846)

Faster reductions on small/medium contiguous arrays

numpy.sum, numpy.prod, numpy.any, numpy.all, and other
reductions with an identity value now use a fast path when the input is a
contiguous, aligned, non-object array and the reduction covers all axes
(axis=None) with no special arguments. Typical speedup is ~1.3x on small
arrays; numpy.any / numpy.all on contiguous boolean arrays can see
speedup up to 1.9x.

(gh-31274)

Typing improvements and changes

numpy.linalg typing improvements and preliminary shape-typing support

Input and output dtypes for numpy.linalg functions are now more precise.
Several of these functions also gain preliminary shape-typing support while
remaining backward compatible. For example, the return type of
numpy.linalg.matmul now depends on the shape-type of its inputs, or fall
back to the backward-compatible return type if the shape-types are unknown at
type-checking time. Because of limitations in Python's type system and current
type-checkers, shape-typing cannot cover every situation and is often only
implemented for the most common lower-rank cases.

(gh-30480)

numpy.ma typing annotations

The numpy.ma module is now fully covered by typing annotations. This
includes annotations for masked arrays, masks, and various functions and
methods. With this, NumPy has achieved 100% typing coverage across all its
submodules.

(gh-30566)

Shape-typing support for many functions and methods

Many functions and methods now have shape-aware return type annotations.
Type-checkers can now infer the number of dimensions of the returned array
through common operations. For example, np.linspace(0, 1) is now typed as a
1-d float64 array, and np.sum(x, keepdims=True) has the same number of
dimensions as x.

This covers numpy.linalg functions, array creation functions (like
asarray, from{buffer,string,file,iter,regex}), range functions
(linspace, logspace, geomspace), aggregation functions and methods
(sum, mean, std, var, min, max, all, any,
etc.), sorting (sort, argsort, argpartition), cumulative operations
(cumsum, cumprod, etc.), set operations (unique_values,
intersect1d, union1d, etc.), and various other functions including
nonzero, transpose, diagonal, atleast_{1,2,3}d, clip,
round, inner, bincount, and fft.fftfreq. Several of these also
gained more precise return dtype annotations as part of this work.

Shape-typing is still a work-in-progress, so coverage is not yet complete.
Because of limitations in Python's type system and current type-checkers,
shape-typing is often only implemented for the most common lower-rank cases.

(gh-31172)

numpy.fft typing improvements and preliminary shape-typing support

The numpy.fft functions now support non-float64/complex128 dtypes
and gain preliminary shape-typing support. For example, the return type of
numpy.fft.fft now depends on the shape-type of its inputs, falling back to
the backward-compatible return type when the shape-types are unknown at
type-checking time.

(gh-31226)

Changes

Structured array copies now use memcpy for contiguous dtypes

Copying structured arrays with identical dtypes now uses memcpy instead of
field-by-field transfer when the dtype has a contiguous layout (no gaps between
fields). A new NPY_NOT_TRIVIALLY_COPYABLE dtype flag is set on structured
dtypes that have gaps in their memory layout, such as those created with
explicit offsets or via multi-field indexing. Only these dtypes continue to
use the slower field-by-field copy.

This means that padding bytes in contiguous structured dtypes (e.g. those
created without explicit offsets) may now be copied as part of the
memcpy, whereas previously they were left untouched. Code that relies on
padding bytes being preserved during structured array copies may be affected.

(gh-29270)

numpy.ctypeslib.as_ctypes now does not support scalar types

The function numpy.ctypeslib.as_ctypes has been updated to only accept
numpy.ndarray. Passing a scalar type (e.g., numpy.int32(5)) will now
raise a TypeError. This change was made to avoid the issue
gh-30354 and to enforce the
readonly nature of scalar types in NumPy. The previous behavior relied on
undocumented implicit temporary arrays and was not well-defined. Users who
need to convert scalar types to ctypes should first convert them to an array
(e.g., numpy.asarray) before passing them to numpy.ctypeslib.as_ctypes.

(gh-30538)

__array_interface__ changes on scalars

Scalars now export the __array_interface__ directly rather than including
an array copy as a __ref entry. This means that scalars are now exported as
read-only while they previously exported as writeable. The path via __ref
was undocumented and not consistently used even within NumPy itself.

(gh-30538)

meshgrid now always returns a tuple

np.meshgrid previously used to return a list when sparse was true and
copy was false. Now, it always returns a tuple regardless of the
arguments.

(gh-30707)

numpy.triu_indices now accepts unsigned integers

numpy.triu_indices previously used to error in some cases when unsigned integers
were given as arguments. Now, it accepts them in all cases.

(gh-30869)

object dtype in .real and .imag and related functions

The array attributes .real and .imag now behave differently for object
arrays and return getattr(element, "real", element) or getattr(element, "imag", 0)
elementwise. Additionally, the return for both is now read-only to avoid possible
in-place changes having no effect.

This change also affects np.isreal() which uses arr.imag.

Previously, .imag always returned 0 while .real returned the
original array unmodified. The new behavior now returnes the correct values
for complex Python objects but may also lead to surprises for example if
element.real() is a method and not a property.

(gh-30984)

NumPy's internal memory allocations now use PyMem_RawMalloc

NumPy's internal memory allocations now use PyMem_RawMalloc instead of
malloc and can be tracked by tracemalloc.

(gh-31503)

v2.4.6

Compare Source

v2.4.5: (May 15, 2026)

Compare Source

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4
release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their
names contributed a patch for the first time.

  • Aleksei Nikiforov
  • Anarion Zuo +
  • Ankit Ahlawat
  • Breno Favaretto +
  • Charles Harris
  • Igor Krivenko +
  • Ijtihed Kilani +
  • Joren Hammudoglu
  • Maarten Baert +
  • Matti Picus
  • Nathan Goldbaum
  • Praneeth Kodumagulla +
  • Ralf Gommers
  • RoomWithOutRoof +
  • Sebastian Berg
  • Warren Weckesser
  • div +
Pull requests merged

A total of 28 pull requests were merged for this release.

  • #​31093: MAINT: Prepare 2.4.x for further development
  • #​31182: TYP: fix np.shape assignability issue for python lists (#​31171)
  • #​31197: ENH: Return rank 0 for empty matrices in matrix_rank (#​30422)
  • #​31198: CI/BUG: add native jobs for s390x, fix bug in pack_inner...
  • #​31199: BUG: f2py map complex_long_double to NPY_CLONGDOUBLE
  • #​31205: MAINT: f2py: Stop setting re._MAXCACHE to 50.
  • #​31206: BUG: fix heap buffer overflow in timedelta to string casts
  • #​31207: MAINT: Rename ppc64le and s390x workflow (#​31121)
  • #​31208: BUG: Fix matvec/vecmat in-place aliasing (out=input produces...
  • #​31209: TYP: tile: accept numpy scalars and arrays as second argument...
  • #​31211: DEP: Undo deprecation for np.dtype() signature used by old pickles...
  • #​31212: REV: Manual revert of float16 svml use (#​31178)
  • #​31222: TYP: ix_ fix for boolean and non-1d input (#​31218)
  • #​31329: BUG: incorrect temp elision for new-style (NEP 43) user-defined...
  • #​31330: TYP: fix sliding_window_view axis parameter typing
  • #​31335: BUG: Prevent deadlock due to downstream importing NumPy in dlopen...
  • #​31336: BUG: Fix segfault in nditer.multi_index when __getitem__ raises...
  • #​31338: TYP: Fix ruff lint error
  • #​31357: BUG: fix memory leak in np.zeros when fill-zero loop raises (#​31320)
  • #​31358: BUG: np.einsum() fails with a 0-dimensional out argument and...
  • #​31379: BUG: Fix signed overflow issue in npy_gcd for INT_MIN on s390x...
  • #​31383: CI: remove Cirrus CI FreeBSD job (#​31380)
  • #​31390: BUILD: newer MKL uses so.3
  • #​31391: BLD/MAINT: improve support for Intel LLVM compilers
  • #​31401: BUG: Avoid UB in safe[add,sub,mul] helpers (#​31396)
  • #​31402: BUG: exclude __pycache__ directories from wheels (#​31397)
  • #​31404: TYP: _NestedSequence type parameter default to work around...
  • #​31426: TYP: Fix DTypeLike runtime type-checker support (#​31425)

v2.4.4: 2.4.4 (Mar 29, 2026)

Compare Source

NumPy 2.4.4 Release Notes

The NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3
release. It should finally close issue #​30816, the OpenBLAS threading problem
on ARM.

This release supports Python versions 3.11-3.14

Contributors

A total of 8 people contributed to this release. People with a "+" by their
names contributed a patch for the first time.

  • Charles Harris
  • Daniel Haag +
  • Denis Prokopenko +
  • Harshith J +
  • Koki Watanabe
  • Marten van Kerkwijk
  • Matti Picus
  • Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

v2.4.3

Compare Source

v2.4.2

Compare Source

[v2.4.1](https://redirect.

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title BSR fix(recommendation): Update reco-api-deps (major) (BSR) fix(recommendation): Update reco-api-deps (major) Dec 11, 2025
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 2 times, most recently from 660ff01 to 1760a5b Compare December 26, 2025 10:28
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch from 1760a5b to d04f593 Compare January 10, 2026 09:09
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 4 times, most recently from 172c090 to 96e38e5 Compare January 24, 2026 01:39
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 5 times, most recently from 1bbbce9 to 344fe10 Compare February 7, 2026 18:02
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 3 times, most recently from b5e81a4 to b27fd19 Compare February 17, 2026 22:39
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 2 times, most recently from e7362e1 to f9a33b3 Compare March 9, 2026 09:04
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 4 times, most recently from 485aa25 to f1bb240 Compare March 27, 2026 01:02
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 2 times, most recently from a15d826 to c08d580 Compare March 31, 2026 13:16
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 2 times, most recently from 9c76324 to 11f35cf Compare May 5, 2026 10:40
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 3 times, most recently from 9e6ebff to 142d49c Compare May 18, 2026 10:06
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch from 142d49c to 9dd5047 Compare May 19, 2026 00:12
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 8 times, most recently from 1c8f8dd to e762e64 Compare June 2, 2026 13:31
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 5 times, most recently from 6d17c47 to 5580db7 Compare June 11, 2026 16:07
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 3 times, most recently from 222cb47 to b3bb321 Compare June 13, 2026 00:26
@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch 11 times, most recently from aefeb78 to fea3bdc Compare June 27, 2026 05:32
@renovate

renovate Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/recommendation/api/uv.lock
Command failed: uv lock --upgrade-package gunicorn --upgrade-package numpy --upgrade-package pandas --upgrade-package pytest-cov --upgrade-package pytest-postgresql --upgrade-package pytz
Using CPython 3.11.15 interpreter at: /opt/containerbase/tools/python/3.11.15/bin/python3
  × No solution found when resolving dependencies:
  ╰─▶ Because the requested Python version (==3.11.*) does not satisfy
      Python>=3.12 and numpy==2.5.0 depends on Python>=3.12, we can conclude
      that numpy==2.5.0 cannot be used.
      And because only numpy<=2.5.0 is available and your project depends
      on numpy>=2.5, we can conclude that your project's requirements are
      unsatisfiable.

hint: The `requires-python` value (==3.11.*) includes Python versions that are not supported by your dependencies (e.g., numpy==2.5.0 only supports >=3.12). Consider using a more restrictive `requires-python` value (like >=3.12).

@renovate renovate Bot force-pushed the renovate/major-reco-api-deps branch from fea3bdc to 495e51e Compare June 29, 2026 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants