build(deps): bump the production group across 1 directory with 7 updates

[dependabot]

Bumps the production group with 7 updates in the / directory:

Package	From	To
matplotlib	3.10.3	3.10.9
numpy	2.2.6	2.4.4
pillow	12.1.1	12.2.0
polars	1.29.0	1.40.1
scikit-learn	1.6.1	1.8.0
statsmodels	0.14.4	0.14.6
xxhash	3.5.0	3.7.0

Updates matplotlib from 3.10.3 to 3.10.9

Release notes

Sourced from matplotlib's releases.

v3.10.9

This is a micro release of the v3.10.x series. Highlights of this release include:

• Various minor bug and doc fixes
• Security hardening validation of cyclers - Removing eval usage
• Security hardening in Latex and PS calls - Removing shell escapes

REL: v3.10.8

This is a bugfix release in the 3.10.x series.

The primary highlights of this release are:

• Properly allow freethreaded mode in the MacOS backend
• Better error handling for MacOS backend

REL: v3.10.7

This is the latest bugfix release in the 3.10.x series.

The most important update in this release is that the minimum version of pyparsing has been updated to version 3.0.

REL: v3.10.6

This is a bugfix release in the 3.10.x series.

Highlights from this release include:

- Fix regression of hi-dpi support for Qt
- Fix race condition in TexManager.make_dvi & make_png
- Various documentation and other bugfixes

REL: v3.10.5

This is the fourth bugfix release of the 3.10.x series.

Included in this release is distributed wheels for Python 3.14 (including freethreaded) and Windows ARM.

There are also several smaller bugfixes.

Commits

• dd8d78b REL: v3.10.9
• 2fb1891 REL: Release prep v3.10.9
• d0e923a Merge branch 'v3.10.8-doc' into v3.10.x
• 1637932 Merge pull request #31558 from meeseeksmachine/auto-backport-of-pr-31556-on-v...
• a83faac Backport PR #31556: FIX: Inverted PyErr_Occurred check in enum type caster (_...
• a4f57ab Merge pull request #31545 from ksunden/backport-of-pr-31282-on-v3.10.x
• 063288d Merge pull request #31544 from ksunden/backport-of-pr-31248-on-v3.10.x
• b2ed196 Backport PR #31248: SEC: Remove eval() from validate_cycler
• acc6024 Merge pull request #31282 from scottshambaugh/tex_no_shell
• e3fb541 Merge pull request #31078 from meeseeksmachine/auto-backport-of-pr-31075-on-v...
• Additional commits viewable in compare view

Updates numpy from 2.2.6 to 2.4.4

Release notes

Sourced from numpy's releases.

2.4.4 (Mar 29, 2026)

NumPy 2.4.4 Release Notes

The NumPy 2.4.4 is a patch release that fixes bugs discovered after the 2.4.3 release. It should finally close issue #30816, the OpenBLAS threading problem on ARM.

This release supports Python versions 3.11-3.14

Contributors

A total of 8 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Charles Harris
• Daniel Haag +
• Denis Prokopenko +
• Harshith J +
• Koki Watanabe
• Marten van Kerkwijk
• Matti Picus
• Nathan Goldbaum

Pull requests merged

A total of 7 pull requests were merged for this release.

• #30978: MAINT: Prepare 2.4.x for further development
• #31049: BUG: Add test to reproduce problem described in #30816 (#30818)
• #31052: BUG: fix FNV-1a 64-bit selection by using NPY_SIZEOF_UINTP (#31035)
• #31053: BUG: avoid warning on ufunc with where=True and no output
• #31058: DOC: document caveats of ndarray.resize on 3.14 and newer
• #31079: TST: fix POWER VSX feature mapping (#30801)
• #31084: MAINT: numpy.i: Replace deprecated sprintf with snprintf...

2.4.3 (Mar 9, 2026)

NumPy 2.4.3 Release Notes

The NumPy 2.4.3 is a patch release that fixes bugs discovered after the 2.4.2 release. The most user visible fix may be a threading fix for OpenBLAS on ARM, closing issue #30816.

This release supports Python versions 3.11-3.14

Contributors

A total of 11 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Antareep Sarkar +

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

• Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits

• be93fe2 Merge pull request #31090 from charris/prepare-2.4.4
• f5245dc REL: Prepare for the NumPy 2.4.4 release
• 02e838b Merge pull request #31084 from charris/backport-31056
• fa74b2d MAINT: numpy.i: Replace deprecated sprintf with snprintf (#31056)
• 533a6db Merge pull request #31079 from charris/backport-20801
• 9e496cb TST: fix POWER VSX feature mapping (#30801)
• 8052c4b Merge pull request #31058 from charris/backport-31021
• 7f13b5a MAINT: Skip test on PyPy.
• 4c5fdd6 MAINT: Remove unused import of tracemalloc.
• a3ca5ed Update numpy/_core/src/multiarray/shape.c
• Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates polars from 1.29.0 to 1.40.1

Release notes

Sourced from polars's releases.

Python Polars 1.40.1

🚀 Performance improvements

• Skip validity mask processing in __array_ufunc__ when no inputs have nulls (#27358)

✨ Enhancements

• Cargo deny (#27363)
• Add maintain_order parameter to merge_sorted (#27263)

🐞 Bug fixes

• Honor having predicate in GroupBy iter (#27370)
• Use the physical dtype for NumUnorderedImplodeReducer arrow ListArray (#27375)
• Address bug in reduce_balanced for certain input length lists affecting pl.concat (#27352)
• Ensure list.sample() allows fraction > 1 when with_replacement=True (#27350)
• Ensure append() errors when upcast=False (#27346)
• Always rechunk sorts, prune sorts even in eager execution (#27356)
• Fix typing for DataFrame.__init__ and Series.__init__ so they don't require all optional dependencies to be installed (#27348)

📖 Documentation

• Split out openlineage docs into guide and configuration (#27371)
• Add explanation on the observatory sqlite db file (#27354)

🛠️ Other improvements

• Disable mypy type checking for pyarrow calls (#27377)
• Disable debug symbols in macos coverage tests (#27361)
• Cargo deny (#27363)

Thank you to all our contributors for making this release possible! @​EndPositive, @​Kevin-Patyk, @​MarcoGorelli, @​carnarez, @​dsprenkels, @​gab23r, @​jonathanchang31, @​kdn36, @​mzjp2 and @​ritchie46

Python Polars 1.40.0

🏆 Highlights

• Add streaming support for grouped AsOf join (#27293)

⚠️ Deprecations

• Deprecate support for dataframe interchange protocol (#27214)

🚀 Performance improvements

• Create IR slice from expr slice pushdown (#27200)
• Add streaming support for grouped AsOf join (#27293)
• Avoid unnecessary rechunk when sorting already sorted DataFrame (#27264)
• Lower basic over() to streaming primitives (#27303)
• Lower drop_{nulls,nans} in streaming group_by aggregations (#27296)

... (truncated)

Commits

• 344a0ea Python Polars 1.40.1 (#27381)
• 4856eb3 fix: Honor having predicate in GroupBy iter (#27370)
• f992305 chore(python): Disable mypy type checking for pyarrow calls (#27377)
• 17f9074 chore: Disable debug symbols in macos coverage tests (#27361)
• 44948d3 fix: Use the physical dtype for NumUnorderedImplodeReducer arrow `ListArray...
• 6bb1cf8 fix(python): Address bug in reduce_balanced for certain input length lists ...
• fb70396 docs: Split out openlineage docs into guide and configuration (#27371)
• 2436421 fix: Ensure list.sample() allows fraction > 1 when `with_replacement=True...
• 21f150f ci(rust): Cargo deny (#27363)
• dd9be47 perf: Skip validity mask processing in array_ufunc when no inputs have nu...
• Additional commits viewable in compare view

Updates scikit-learn from 1.6.1 to 1.8.0

Release notes

Sourced from scikit-learn's releases.

Release 1.8.0

We're happy to announce the 1.8.0 release.

You can read the release highlights under https://scikit-learn.org/stable/auto_examples/release_highlights/plot_release_highlights_1_8_0.html and the long version of the change log under https://scikit-learn.org/stable/whats_new/v1.8.html

This version supports Python versions 3.11 to 3.14 and features support of free-threaded CPython.

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Scikit-learn 1.7.2

We're happy to announce the 1.7.2 release.

This release contains a few bug fixes and is the first version supporting Python 3.14.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.7.html#version-1-7-2

You can upgrade with pip as usual:

pip install -U scikit-learn

The conda-forge builds can be installed using:

conda install -c conda-forge scikit-learn

Thanks to everyone who contributed to this release !

Scikit-learn 1.7.1

We're happy to announce the 1.7.1 release.

This release contains fixes for a few regressions introduced in 1.7.

You can see the changelog here: https://scikit-learn.org/stable/whats_new/v1.7.html#version-1-7-1

You can upgrade with pip as usual:

</tr></table> 

... (truncated)

Commits

• 646da0f [cd build]
• 4f4f283 Generate changelog
• 967dcde Set version
• cb1424b DOC Release highlights for 1.8 (#32809)
• 5645b27 🔒 🤖 CI Update lock files for main CI build(s) 🔒 🤖 (#32859)
• 6b9fb11 🔒 🤖 CI Update lock files for free-threaded CI build(s) 🔒 :rob...
• a0f6d88 🔒 🤖 CI Update lock files for array-api CI build(s) 🔒 🤖 ...
• c1de8fc FIX Make get_namespace handle pandas dataframe input (#32838)
• 764249a Fix _safe_indexing with non integer arrays on array API inputs (#32840)
• eca5e0a FIX Add new default max_samples=None in Bagging estimators (#32825)
• Additional commits viewable in compare view

Updates statsmodels from 0.14.4 to 0.14.6

Release notes

Sourced from statsmodels's releases.

Release 0.14.6

This patch release fixes an issue with pandas 3.0.0 that prevented statsmodels from importing. It also addresses some minor changes that improve future compatibility in NumPy.

Release 0.14.5

This patch release fixes an issue with recent SciPy releases (1.16+) that prevented statsmodels from importing. It also addresses some small changes that improve future compatibility.

Commits

• 40e6a84 Merge pull request #9701 from bashtage/doc-0.14.6-changes
• 120ad27 DOC: Release note for 0.14.6
• e8b0ab0 Merge pull request #9700 from bashtage/final-0.14.6-changes
• 8ad398a MAINT: Improve compatability wiht recent NumPy
• 9495808 Merge pull request #9633 from bashtage/changes-0-14-6
• b44854a STY: Fix linting fails
• e7b2fa5 MAINT: Update for recent changes
• 1107ea5 Merge pull request #9591 from bashtage/rls-0-14-5-notes
• f3b362a MAINT: Update CI
• e2249ab DOC: Final fixes
• Additional commits viewable in compare view

Updates xxhash from 3.5.0 to 3.7.0

Release notes

Sourced from xxhash's releases.

v3.7.0

• Drop support for Python 3.7
• Build armv7l manylinux/musllinux wheels
• Build riscv64 manylinux/musllinux wheels
• Build android and ios wheels

---

Full list of changes: ifduyue/python-xxhash@v3.6.0...v3.7.0

v3.6.0

• Build wheels for Python 3.14
• Python free-threading support
• Typing: Use Buffer type stubs
• Deprecate xxhash.VERSION_TUPLE, it will be removed in the next major release

---

Full list of changes: ifduyue/python-xxhash@v3.5.0...v3.6.0

Changelog

Sourced from xxhash's changelog.

v3.7.0 2025-04-25

- Drop support for Python 3.7
- Build armv7l manylinux/musllinux wheels
- Build riscv64 manylinux/musllinux wheels
- Build android and ios wheels
v3.6.0 2025-10-02

• Build wheels for Python 3.14
• Python free-threading support
• Typing: Use Buffer type stubs
• Deprecate xxhash.VERSION_TUPLE, it will be removed in the next major release

Commits

• 404589e Prepare 3.7.0
• d3cd664 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0
• 0d7d943 Bump pypa/cibuildwheel from 3.4.0 to 3.4.1
• c4b8775 Bump actions/download-artifact from 7 to 8
• 1ae3e5b Bump actions/upload-artifact from 6 to 7
• 8faaa34 Bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• 4ba9b0c Bump docker/setup-qemu-action from 3 to 4
• 43bb203 Bump actions/download-artifact from 6 to 7
• a7a3bd2 Bump actions/upload-artifact from 5 to 6
• c35bf01 Bump pypa/cibuildwheel from 3.3.0 to 3.3.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions