Skip to content

chore(deps-dev): bump vcrpy from 8.1.1 to 8.3.0#9672

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/vcrpy-8.3.0
Open

chore(deps-dev): bump vcrpy from 8.1.1 to 8.3.0#9672
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/vcrpy-8.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps vcrpy from 8.1.1 to 8.3.0.

Release notes

Sourced from vcrpy's releases.

v8.3.0

What's Changed

  • Add support for niquests (#980) — thanks @​ionelmc
  • Recording now fails fast if a request or response contains a Python object the safe YAML loader (introduced in 8.2.1) couldn't read back, instead of writing a cassette that breaks on replay. The error shows exactly how to register the object if you need it (#1007, #1009) — thanks @​Polandia94
  • New vcr.serializers.yamlserializer.with_custom_tags(...) builds a YAML serializer supporting custom Python object tags on both record and replay, registered per VCR instance via register_serializer (#1007, #1009) — thanks @​Polandia94
  • Clearer error when a cassette contains an unsupported YAML tag, and the stale git.io migration link is gone (#1007, #1008) — thanks @​gaoflow
  • Fix stale keep-alive connection reuse across cassettes; unpin werkzeug (#1001)

Full Changelog: kevin1024/vcrpy@v8.2.1...v8.3.0

v8.2.1

What's Changed

  • SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. !!python/object/apply:os.system) would execute code on load, including via the normal vcr.use_cassette() path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @​RamiAltai and @​EQSTLab for the reports.
  • Validate record_mode and raise a clear error on an invalid value (#208)
  • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

Full Changelog: kevin1024/vcrpy@v8.2.0...v8.2.1

v8.2.0

What's Changed

  • Add support for httpx 2.x (#993) - thanks @​dsfaccini
  • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
  • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
  • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
  • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
  • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
  • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
  • Add env proxy cassette regression test (#994) - thanks @​tine1117
  • Remove milestone references from docs (#984) - thanks @​Polandia94
  • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

Full Changelog: kevin1024/vcrpy@v8.1.1...v8.2.0

Changelog

Sourced from vcrpy's changelog.

Changelog

All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.

  • 8.3.0

    • Add support for niquests (#980) - thanks @​ionelmc
    • Refuse to record a cassette containing a Python object the safe YAML loader could not read back, so recording fails fast instead of producing a cassette that breaks on replay (#1007, #1009) - thanks @​Polandia94
    • Add vcr.serializers.yamlserializer.with_custom_tags to build a YAML serializer supporting custom Python object tags on both record and replay, registered per VCR instance via register_serializer (#1007, #1009) - thanks @​Polandia94
    • Clearer error when a cassette contains an unsupported YAML tag, and remove the stale git.io migration link (#1007, #1008) - thanks @​gaoflow
    • Fix stale keep-alive connection reuse across cassettes; unpin werkzeug (#1001)
  • 8.2.1

    • SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks @​RamiAltai and @​EQSTLab
    • Validate record_mode and raise a clear error on an invalid value (#208)
    • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)
  • 8.2.0

    • Add support for httpx 2.x (#993) - thanks @​dsfaccini
    • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
    • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
    • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
    • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
    • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
    • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
    • Add env proxy cassette regression test (#994) - thanks @​tine1117
    • Remove milestone references from docs (#984) - thanks @​Polandia94
    • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)
  • 8.1.1

    • Fix sync requests in async contexts for HTTPX (#965) - thanks @​seowalex
    • CI: bump peter-evans/create-pull-request from 7 to 8 (#969)
  • 8.1.0

  • 8.0.0

    • BREAKING: Drop support for Python 3.9 (major version bump) - thanks @​jairhenrique
    • BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (#926, #880) - thanks @​jairhenrique
    • New feature: drop_unused_requests option to remove unused interactions from cassettes (#763) - thanks @​danielnsilva
    • Rewrite httpx support to patch httpcore instead of httpx (#943) - thanks @​seowalex
      • Fixes httpx.ResponseNotRead exceptions (#832, #834)
      • Fixes KeyError: 'follow_redirects' (#945)
      • Adds support for custom httpx transports
    • Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (#809, #914) - thanks @​alga

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [vcrpy](https://github.com/kevin1024/vcrpy) from 8.1.1 to 8.3.0.
- [Release notes](https://github.com/kevin1024/vcrpy/releases)
- [Changelog](https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst)
- [Commits](kevin1024/vcrpy@v8.1.1...v8.3.0)

---
updated-dependencies:
- dependency-name: vcrpy
  dependency-version: 8.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Bot PRs that update dependencies label Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Bot PRs that update dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants