@dependabot dependabot bot commented on behalf of github Dec 10, 2025

Bumps the security-auth group with 3 updates: certifi, xmlsec and zxcvbn.

Updates certifi from 2025.8.3 to 2025.11.12

Commits
  • 37ea150 2025.11.12 (#375)
  • 2fa50bb Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#374)
  • 6cadb53 Bump actions/download-artifact from 5.0.0 to 6.0.0 (#373)
  • fb14ac4 2025.10.05 (#371)
  • 2c7c7ee Add Python 3.14 classifier in setup.py
  • 1a5cb7b Bump actions/setup-python from 5.6.0 to 6.0.0 (#367)
  • dea5960 Bump pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0 (#366)
  • 83566b7 Bump actions/checkout from 4.2.2 to 5.0.0
  • ca2e121 Bump actions/download-artifact from 4.3.0 to 5.0.0
  • See full diff in compare view

Updates xmlsec from 1.3.14 to 1.3.17

Release notes

Sourced from xmlsec's releases.

1.3.17

Release Date: 2025-11-11 Version: 1.3.17


Compatibility and Wheel Support

This release provides binary wheels that are fully compatible with lxml v6.0.2. The compatibility is ensured by using the same underlying libxml2 version in both python-xmlsec and lxml.

Because of this strict requirement, the wheels cannot be used with versions of lxml lower than 6.0.2. Mixing versions will lead to runtime errors.

Common Error

If you see the following message:

lxml & xmlsec libxml2 library version mismatch

it indicates that the version of libxml2 used to build lxml does not match the version used to build python-xmlsec.

Recommended Solutions

  • Upgrade lxml to v6.0.2, or
  • Build both lxml and python-xmlsec manually from source using the same libxml2 version

Wheel Build Configuration

Linux and macOS Wheels

These wheels are built against the following versions, which match those used in lxml v6.0.2:

  • libxml2 v2.14.6
  • libxslt v1.1.43
  • xmlsec1 v1.3.9
  • zlib v1.3.1
  • libiconv v1.18
  • openssl v3.6.0

Windows Binary Wheels

The Windows binary wheels were compiled using Visual Studio 2022 and include the following libraries:

  • iconv v1.18-1
  • libxml2 v2.11.9-3
  • libxslt v1.1.39
  • openssl v3.0.16.pl1

... (truncated)

Commits

Updates zxcvbn from 4.4.28 to 4.5.0

Changelog

Sourced from zxcvbn's changelog.

v4.5.0 (2025-02-19)

  • decorator solution for lazy loading frequency_lists library
  • handle zero-length password gracefully
  • add failing test for empty password scenario
  • Merge branch 'musicsnobj-feature/l33t-exploit'
  • Merge branch 'feature/l33t-exploit' of github.com:musicsnobj/zxcvbn-python into musicsnobj-feature/l33t-exploit
  • use optional third arg instead of env variable for max password length
  • Merge branch 'feature/setup-tox' into feature/l33t-exploit
  • fuzzy match all py test versions
  • update README w/ tested py versions, try 3.8.* as test version
  • remove python 2 condition from mypy job
  • add py versions 3.12 and 3.13
  • add py versions 3.9, 3.10, 3.11
  • trying another tox config
  • tweak tox config
  • rm reference to requirements.txt
  • let tox control pytest version
  • try python version 3.8.18 by itself
  • update build.yml with python versions supported by Ubuntu 24.04
  • try dropping python versions older than 3.6
  • try v5 of setup-python gha
  • add tox.ini, add python versions to test
  • fuzzy match all py test versions
  • update README w/ tested py versions, try 3.8.* as test version
  • remove python 2 condition from mypy job
  • add py versions 3.12 and 3.13
  • add py versions 3.9, 3.10, 3.11
  • trying another tox config
  • tweak tox config
  • rm reference to requirements.txt
  • let tox control pytest version
  • try python version 3.8.18 by itself
  • update build.yml with python versions supported by Ubuntu 24.04
  • try dropping python versions older than 3.6
  • try v5 of setup-python gha
  • add tox.ini, add python versions to test
  • add max password length, default 72, configurable via ZXCVBN_MAX_LENGTH env var
  • Match the correct dictionary name for English words
  • Add the license file to the source tarball
  • update supported python versions in README
  • github actions & mypy
  • Fix syntax warning over comparison of literals using is. (#53)
  • Added Python 3.8 to travis config. (#50)
  • add 3.7 in python versions tested on travis ci (#44)
Commits
  • 566fff1 update changelog, update setup.py for version 4.5.0
  • f416148 decorator solution for lazy loading frequency_lists library
  • 2939b6b handle zero-length password gracefully
  • 8459ce5 add failing test for empty password scenario
  • 2b3e11f Merge branch 'musicsnobj-feature/l33t-exploit'
  • c7fc8b1 Merge branch 'feature/l33t-exploit' of github.com:musicsnobj/zxcvbn-python in...
  • 1ed43f5 use optional third arg instead of env variable for max password length
  • 98a2b4d Merge branch 'feature/setup-tox' into feature/l33t-exploit
  • 558084c fuzzy match all py test versions
  • 7369112 update README w/ tested py versions, try 3.8.* as test version
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the security-auth group with 3 updates: [certifi](https://github.com/certifi/python-certifi), [xmlsec](https://github.com/mehcode/python-xmlsec) and [zxcvbn](https://github.com/dwolfhub/zxcvbn-python).


Updates `certifi` from 2025.8.3 to 2025.11.12
- [Commits](certifi/python-certifi@2025.08.03...2025.11.12)

Updates `xmlsec` from 1.3.14 to 1.3.17
- [Release notes](https://github.com/mehcode/python-xmlsec/releases)
- [Commits](xmlsec/python-xmlsec@1.3.14...1.3.17)

Updates `zxcvbn` from 4.4.28 to 4.5.0
- [Changelog](https://github.com/dwolfhub/zxcvbn-python/blob/master/CHANGELOG.md)
- [Commits](dwolfhub/zxcvbn-python@v4.4.28...v4.5.0)

---
updated-dependencies:
- dependency-name: certifi
  dependency-version: 2025.11.12
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-auth
- dependency-name: xmlsec
  dependency-version: 1.3.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-auth
- dependency-name: zxcvbn
  dependency-version: 4.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-auth
...

Signed-off-by: dependabot[bot] <support@github.com>
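The xmlsec release notes quoted above explain that the 1.3.17 wheels only load alongside an lxml built against the same libxml2 (2.14.6, i.e. lxml 6.0.2 or later), and that a mismatch surfaces as "lxml & xmlsec libxml2 library version mismatch". The following is an added example for checking that condition before the bump is deployed; it is not code from this PR, from lxml or from python-xmlsec. It assumes lxml.etree exposes `__version__` (a string) and `LIBXML_COMPILED_VERSION` (a (major, minor, patch) tuple), that python-xmlsec exposes `xmlsec.get_libxml_compiled_version()` returning the same kind of tuple, and that a mismatch is raised as an ImportError carrying the message above. The version pairs passed to `compat_report` in `__main__` are constructed for illustration.

```python
"""Diagnose the "lxml & xmlsec libxml2 library version mismatch" error.

Added example; not code from the PR, lxml or python-xmlsec.
Assumptions: lxml.etree.__version__ is a string such as "6.0.2",
lxml.etree.LIBXML_COMPILED_VERSION and xmlsec.get_libxml_compiled_version()
are (major, minor, patch) tuples, and a mismatch is raised as ImportError.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the xmlsec 1.3.17 release notes: the Linux/macOS wheels and lxml
# 6.0.2 are both built against libxml2 2.14.6, so lxml < 6.0.2 cannot
# be mixed with those wheels.
WHEEL_LIBXML2: Version = (2, 14, 6)
MIN_LXML_FOR_WHEELS: Version = (6, 0, 2)

# Exact text the release notes say python-xmlsec reports on a mismatch.
MISMATCH_TEXT = "lxml & xmlsec libxml2 library version mismatch"


def parse_version(text: str) -> Version:
    """Turn "6.0.2", "v2.14.6" or "6.0" into a comparable 3-tuple of ints."""
    parts = text.strip().lstrip("v").split(".")[:3]
    parts += ["0"] * (3 - len(parts))
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def compat_report(lxml_version: Version, lxml_libxml2: Version,
                  xmlsec_libxml2: Version) -> str:
    """Apply the release-note rules to an (lxml, xmlsec) pair.

    Returns a one-line verdict starting with "ok" or "mismatch"; for a
    mismatch it names the remedy the release notes recommend.
    """
    if lxml_libxml2 == xmlsec_libxml2:
        return "ok: lxml and xmlsec both compiled against libxml2 " + fmt(lxml_libxml2)
    if xmlsec_libxml2 == WHEEL_LIBXML2 and lxml_version < MIN_LXML_FOR_WHEELS:
        return ("mismatch: xmlsec wheel built against libxml2 %s needs lxml >= %s "
                "(found lxml %s); upgrade lxml, or build both from source "
                "against one libxml2"
                % (fmt(WHEEL_LIBXML2), fmt(MIN_LXML_FOR_WHEELS), fmt(lxml_version)))
    return ("mismatch: lxml uses libxml2 %s but xmlsec uses %s; build both "
            "lxml and python-xmlsec from source against the same libxml2"
            % (fmt(lxml_libxml2), fmt(xmlsec_libxml2)))


def probe_installed() -> Optional[str]:
    """Report on the packages actually installed; None if either is missing.

    python-xmlsec checks the libxml2 build while importing, so a mismatch can
    surface as an ImportError before get_libxml_compiled_version() is callable;
    that case is reported from the exception text.
    """
    try:
        import lxml.etree as etree
    except ImportError:
        return None
    lxml_version = parse_version(etree.__version__)
    lxml_libxml2 = tuple(etree.LIBXML_COMPILED_VERSION)[:3]
    try:
        import xmlsec
    except ImportError as exc:
        if MISMATCH_TEXT in str(exc):
            return "mismatch reported by python-xmlsec at import: " + str(exc)
        return None
    xmlsec_libxml2 = tuple(xmlsec.get_libxml_compiled_version())[:3]
    return compat_report(lxml_version, lxml_libxml2, xmlsec_libxml2)


if __name__ == "__main__":
    # Constructed pairs first (not measured values), then whatever is installed.
    print(compat_report((6, 0, 2), (2, 14, 6), (2, 14, 6)))
    print(compat_report((5, 3, 0), (2, 12, 9), (2, 14, 6)))
    print(probe_installed() or "lxml or xmlsec not installed; nothing to probe")
```

Running this in the target environment after `pip install` (or as a CI step) turns the runtime ImportError into a pre-deployment check: an "ok" verdict means the two extension modules agree on libxml2, and a "mismatch" verdict says which of the two remedies from the release notes applies.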
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Dec 10, 2025
dependabot bot commented on behalf of github Dec 10, 2025

Assignees

The following users could not be added as assignees: posthog/devex. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.
