Skip to content

CI: (deps): Bump pooch from 1.8.2 to 1.9.0 in /ci #3996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
unidata-pr-helper merged 1 commit into from
Feb 2, 2026
Merged

CI: (deps): Bump pooch from 1.8.2 to 1.9.0 in /ci #3996

unidata-pr-helper merged 1 commit into from
Feb 2, 2026
+1 −1

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 2, 2026

Bumps pooch from 1.8.2 to 1.9.0.

Release notes

Sourced from pooch's releases.

v1.9.0

Released on: 2026/01/30

DOI: https://doi.org/10.5281/zenodo.18379610

Breaking changes:

  • Drop support for Python 3.7 and 3.8 (#450).

Bug fixes:

  • Explicitly pass filter to TarFile.extractall on Python >=3.12 (#458). Pass a filter="data" argument to TarFile.extractall to prevent dangerous security issues. The filter argument was added in Python 3.12, so only pass it on versions greater or equal than that. This change matches the default behaviour that will take place since Python 3.14.
  • Fix TQDM usage (#465). Newer versions of tqdm behave differently at a terminal vs in a jupyter notebook. Import from tqdm.auto instead so that the downloader looks right in either a notebook or the terminal.
  • Fix bug in file hashing on FIPS enabled system (#511). Set userforsecurity=False on hashlib hashing algorithms to make FIPS enabled systems happy.

New features:

  • Set User-Agent in requests headers for DOI downloaders (#507). Pass a custom User-Agent when making requests through DOI downloaders in order to bypass limit rates imposed by services like Zenodo to block abusive requests. The can now filter requests coming from Pooch from the rest. Add a global REQUESTS_HEADERS variable that is used by the doi_to_url function (which requires to make a request to doi.org to figure out the service provider). Add a new headers argument to the DOIDownloader to specifically pass requests headers. By default it'll use the Pooch's default user agent.
  • Extend support for Python 3.13 (#451) and Python 3.14 (#505).
  • Provide more descriptive errors when DOI request fails (#477). Raise the requests response to provide more informative errors when the status code is between 400 and 600.

Maintenance:

  • Add testing data to the package distributions (#421). The test code pooch/tests is installed but he data in pooch/tests/data are not. This makes it impossible to run tests on the installed package. Add the appropriate setuptools configuration to make it happen.
  • Move push to codecov to its own job in Actions (#424). Remove the push to codecov step from the test job into a new job that depends on the test job. Upload the coverage reports as artifacts after testing, and reuse the artifacts in the new job. Upload all coverage reports in a single push to Codecov to minimize the number of hits.
  • Increase the max positional args allowed by pylint (#438). Configure pylint to increase the maximum number of positional arguments allowed in any function or method.
  • Replace usage of pkg_resources for importlib.resources (#449).
  • Add mypy to CI job and type hints for one class. (#404). Add type hints to pooch/core.py and create a new typing submodule for custom type classes, and add it to the API Reference. Run mypy on CI to perform type checks, and create new targets in the Makefile. Extend the list of dependencies required to run the type checks.
  • Add pytest figshare mark to tests (#481). Add a pytest figshare mark to tests that make requests to Figshare. Such mark allows us to filter tests: use pytest -v -m figshare to only run tests with that mark, or use pytest -v -m "not figshare to run all test but the marked ones.
  • Skip Figshare related tests on Actions under MacOS (#482). Skip tests marked with figshare on Actions that use MacOS as runner. Those tests in CI were constantly failing, probably due to too many requests coming from GitHub. Add an optional PYTEST_ARGS_EXTRA variable to Makefile that can be used to pass extra arguments to pytest. Skip doctests that download files from Figshare.
  • List requirements to run type checks in new file (#492). Create a new env/requirements-types.txt file with the list of required packages to run types checks. This file is used by the GitHub Action workflow that automatically runs the type checks. List new requirements for type checks in environment.yml. Stop ignoring missing imports of xxhash in pyproject.toml. Ignore type assignment for xxhash in test file.
  • Fix uploads of coverage reports to codecov (#496). Checkout the repository in the codecov-upload job before uploading the coverage reports to codecov.
  • Pin black to v25 (#506). Pin black version used in the environment.yml and to run style checks on CI to 25.*.* and <26.0.0, respectively. Since we plan to replace black with Ruff for autoformatting, it's better to pin for now than reformat it with latest version.
  • Only run tests with network access on some CI jobs (#484). Our CI is continuously hitting some external network providers which is causing some of them (mostly figshare for now) to block our traffic. This means that our CI fails randomly and it's annoying. Only run network tests on jobs with the latest Python and optional dependencies installed to try to mitigate this.
  • Use a SPDX expression for license in pyproject.toml (#476). Use a SPDX expression for the license in pyproject.toml and remove the unneeded license classifier. This removes the warnings we were getting after running make build.
  • Add Typing :: Typed trove classifier (#472). Allow PyPI users know that Pooch supports type hints.
  • Allow to manually trigger test job in Actions (#475). Add workflow_dispatch as an event trigger for the test.yml workflow.
  • Standardize requests made by DOIDownloaders (#514). Respect user's decisions when defining the DOIDownloader with respect to arguments passed to requests.get whenever we call that function. This way, all calls made by DOIDownloaders and the repository classes make use of the same arguments, including timeout, headers, etc.

Documentation:

  • Add a link to the Fatiando Forum in the README (#461).
  • Add scXpand (#488), xclim (#445), CLISOPS (#445), and SPLASH (#432) to list of projects using Pooch.

Contributors:

  • Adam Boesky
  • Antonio Valentino
  • Daniel McCloy

... (truncated)

Changelog

Sourced from pooch's changelog.

Version 1.9.0

Released on: 2026/01/30

DOI: https://doi.org/10.5281/zenodo.18379610

Breaking changes:

  • Drop support for Python 3.7 and 3.8 ([#450](https://github.com/fatiando/pooch/issues/450) <https://github.com/fatiando/pooch/pull/450>__).

Bug fixes:

  • Explicitly pass filter to TarFile.extractall on Python >=3.12 ([#458](https://github.com/fatiando/pooch/issues/458) <https://github.com/fatiando/pooch/pull/458>__). Pass a filter="data" argument to TarFile.extractall to prevent dangerous security issues. The filter argument was added in Python 3.12, so only pass it on versions greater or equal than that. This change matches the default behaviour that will take place since Python 3.14.
  • Fix TQDM usage ([#465](https://github.com/fatiando/pooch/issues/465) <https://github.com/fatiando/pooch/pull/465>__). Newer versions of tqdm behave differently at a terminal vs in a jupyter notebook. Import from tqdm.auto instead so that the downloader looks right in either a notebook or the terminal.
  • Fix bug in file hashing on FIPS enabled system ([#511](https://github.com/fatiando/pooch/issues/511) <https://github.com/fatiando/pooch/pull/511>__). Set userforsecurity=False on hashlib hashing algorithms to make FIPS enabled systems happy.

New features:

  • Set User-Agent in requests headers for DOI downloaders ([#507](https://github.com/fatiando/pooch/issues/507) <https://github.com/fatiando/pooch/pull/507>__). Pass a custom User-Agent when making requests through DOI downloaders in order to bypass limit rates imposed by services like Zenodo to block abusive requests. The can now filter requests coming from Pooch from the rest. Add a global REQUESTS_HEADERS variable that is used by the doi_to_url function (which requires to make a request to doi.org to figure out the service provider). Add a new headers argument to the DOIDownloader to specifically pass requests headers. By default it’ll use the Pooch’s default user agent.
  • Extend support for Python 3.13 ([#451](https://github.com/fatiando/pooch/issues/451) <https://github.com/fatiando/pooch/pull/451>) and Python 3.14 ([#505](https://github.com/fatiando/pooch/issues/505) <https://github.com/fatiando/pooch/pull/505>).
  • Provide more descriptive errors when DOI request fails ([#477](https://github.com/fatiando/pooch/issues/477) <https://github.com/fatiando/pooch/pull/477>__). Raise the requests response to provide more informative errors when the status code is between 400 and 600.

Maintenance:

  • Add testing data to the package distributions ([#421](https://github.com/fatiando/pooch/issues/421) <https://github.com/fatiando/pooch/pull/421>__). The test code pooch/tests is installed but he data in pooch/tests/data are not. This makes it impossible to run tests on the installed package. Add the appropriate setuptools configuration to make it happen.
  • Move push to codecov to its own job in Actions ([#424](https://github.com/fatiando/pooch/issues/424) <https://github.com/fatiando/pooch/pull/424>__). Remove the push to codecov step from the test job into a new job that depends on the test job. Upload the coverage reports as artifacts after testing, and reuse the artifacts in the new job. Upload all coverage reports in a single push to Codecov to minimize the number of hits.
  • Increase the max positional args allowed by pylint ([#438](https://github.com/fatiando/pooch/issues/438) <https://github.com/fatiando/pooch/pull/438>__). Configure pylint to increase the maximum number of positional arguments allowed in any function or method.
  • Replace usage of pkg_resources for importlib.resources ([#449](https://github.com/fatiando/pooch/issues/449) <https://github.com/fatiando/pooch/pull/449>__).
  • Add mypy to CI job and type hints for one class. ([#404](https://github.com/fatiando/pooch/issues/404) <https://github.com/fatiando/pooch/pull/404>__). Add type hints to pooch/core.py and create a new typing submodule for custom type classes, and add it to the API Reference. Run mypy on CI to perform type checks, and create new targets in the Makefile. Extend the list of dependencies required to run the type checks.
  • Add pytest figshare mark to tests ([#481](https://github.com/fatiando/pooch/issues/481) <https://github.com/fatiando/pooch/pull/481>__). Add a pytest figshare mark to tests that make requests to Figshare. Such mark allows us to filter tests: use pytest -v -m figshare to only run tests with that mark, or use pytest -v -m "not figshare to run all test but the marked ones.
  • Skip Figshare related tests on Actions under MacOS ([#482](https://github.com/fatiando/pooch/issues/482) <https://github.com/fatiando/pooch/pull/482>__). Skip tests marked with figshare on Actions that use MacOS as runner. Those tests in CI were constantly failing, probably due to too many requests coming from GitHub. Add an optional PYTEST_ARGS_EXTRA variable to Makefile that can be used to pass extra arguments to pytest. Skip doctests that download files from Figshare.
  • List requirements to run type checks in new file ([#492](https://github.com/fatiando/pooch/issues/492) <https://github.com/fatiando/pooch/pull/492>__). Create a new env/requirements-types.txt file with the list of required packages to run types checks. This file is used by the GitHub Action workflow that automatically runs the type checks. List new requirements for type checks in environment.yml. Stop ignoring missing imports of xxhash in pyproject.toml. Ignore type assignment for xxhash in test file.
  • Fix uploads of coverage reports to codecov ([#496](https://github.com/fatiando/pooch/issues/496) <https://github.com/fatiando/pooch/pull/496>__). Checkout the repository in the codecov-upload job before uploading the coverage reports to codecov.
  • Pin black to v25 ([#506](https://github.com/fatiando/pooch/issues/506) <https://github.com/fatiando/pooch/pull/506>__). Pin black version used in the environment.yml and to run style checks on CI to 25.*.* and <26.0.0, respectively. Since we plan to replace black with Ruff for autoformatting, it’s better to pin for now than reformat it with latest version.
  • Only run tests with network access on some CI jobs ([#484](https://github.com/fatiando/pooch/issues/484) <https://github.com/fatiando/pooch/pull/484>__). Our CI is continuously hitting some external network providers which is causing some of them (mostly figshare for now) to block our traffic. This means that our CI fails randomly and it’s annoying. Only run network tests on jobs with the latest Python and optional dependencies installed to try to mitigate this.
  • Use a SPDX expression for license in pyproject.toml ([#476](https://github.com/fatiando/pooch/issues/476) <https://github.com/fatiando/pooch/pull/476>__). Use a SPDX expression for the license in pyproject.toml and remove the unneeded license classifier. This removes the warnings we were getting after running make build.
  • Add Typing :: Typed trove classifier ([#472](https://github.com/fatiando/pooch/issues/472) <https://github.com/fatiando/pooch/pull/472>__). Allow PyPI users know that Pooch supports type hints.
  • Allow to manually trigger test job in Actions ([#475](https://github.com/fatiando/pooch/issues/475) <https://github.com/fatiando/pooch/pull/475>__). Add workflow_dispatch as an event trigger for the test.yml workflow.
  • Standardize requests made by DOIDownloaders ([#514](https://github.com/fatiando/pooch/issues/514) <https://github.com/fatiando/pooch/pull/514>__). Respect user’s decisions when defining the DOIDownloader with respect to arguments passed to requests.get whenever we call that function. This way, all calls made by DOIDownloaders and the repository classes make use of the same arguments, including timeout, headers, etc.

Documentation:

  • Add a link to the Fatiando Forum in the README ([#461](https://github.com/fatiando/pooch/issues/461) <https://github.com/fatiando/pooch/pull/461>__).
  • Add scXpand ([#488](https://github.com/fatiando/pooch/issues/488) <https://github.com/fatiando/pooch/pull/488>), xclim ([#445](https://github.com/fatiando/pooch/issues/445) <https://github.com/fatiando/pooch/pull/445>), CLISOPS ([#445](https://github.com/fatiando/pooch/issues/445) <https://github.com/fatiando/pooch/pull/445>), and SPLASH ([#432](https://github.com/fatiando/pooch/issues/432) <https://github.com/fatiando/pooch/pull/432>) to list of projects using Pooch.

This release contains contributions from:

  • Adam Boesky
  • Antonio Valentino

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
CI: (deps): Bump pooch from 1.8.2 to 1.9.0 in /ci
5acfc0c 
Bumps [pooch](https://github.com/fatiando/pooch) from 1.8.2 to 1.9.0.
- [Release notes](https://github.com/fatiando/pooch/releases)
- [Changelog](https://github.com/fatiando/pooch/blob/main/doc/changes.rst)
- [Commits](fatiando/pooch@v1.8.2...v1.9.0)

---
updated-dependencies:
- dependency-name: pooch
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added Area: Infrastructure Pertains to project infrastructure (e.g. CI, linting) Type: Maintenance Updates and clean ups (but not wrong) labels Feb 2, 2026
@dependabot dependabot bot requested a review from a team as a code owner February 2, 2026 16:09
@dependabot dependabot bot requested review from dcamron and removed request for a team February 2, 2026 16:09
@dependabot dependabot bot added Area: Infrastructure Pertains to project infrastructure (e.g. CI, linting) Type: Maintenance Updates and clean ups (but not wrong) labels Feb 2, 2026
@unidata-pr-helper unidata-pr-helper bot enabled auto-merge February 2, 2026 16:09
@unidata-pr-helper unidata-pr-helper bot merged commit d6da33c into main Feb 2, 2026
46 of 54 checks passed
@unidata-pr-helper unidata-pr-helper bot deleted the dependabot-pip-ci-pooch-1.9.0 branch February 2, 2026 23:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@unidata-pr-helper unidata-pr-helper[bot] unidata-pr-helper[bot] approved these changes

@dcamron dcamron Awaiting requested review from dcamron dcamron is a code owner automatically assigned from Unidata/metpy-maintainers

Assignees

No one assigned

Labels

Area: Infrastructure Pertains to project infrastructure (e.g. CI, linting) Type: Maintenance Updates and clean ups (but not wrong)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants