[PR #11749/81160396 backport][3.13] Bump brotli from 1.1.0 to 1.2.0 (#11779)

patchback[bot] · dependabot[bot] · web-flow · commit 351989ce8fa4 · 2025-12-02T01:10:06.000Z
**This is a backport of PR #11749 as merged into 3.14 (8116039).** Bumps [brotli](https://github.com/google/brotli) from 1.1.0 to 1.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/brotli/releases">brotli's releases</a>.</em></p> <blockquote> <h2>v1.2.0</h2> <h3>SECURITY</h3> <ul> <li>python: added <code>Decompressor::can_accept_more_data</code> method and optional <code>output_buffer_limit</code> argument <code>Decompressor::process</code>; that allows mitigation of unexpectedly large output; reported by Charles Chan (<a href="https://github.com/charleswhchan">https://github.com/charleswhchan</a>)</li> </ul> <h3>Added</h3> <ul> <li><strong>decoder / encoder: added static initialization to reduce binary size</strong></li> <li>python: allow limiting decoder output (see SECURITY section)</li> <li>CLI: <code>brcat</code> alias; allow decoding concatenated brotli streams</li> <li>kt: pure Kotlin decoder</li> <li>cgo: support &quot;raw&quot; dictionaries</li> <li>build: Bazel modules</li> </ul> <h3>Removed</h3> <ul> <li>java: dropped <code>finalize()</code> for native entities</li> </ul> <h3>Fixed</h3> <ul> <li>java: in <code>compress</code> pass correct length to native encoder</li> </ul> <h3>Improved</h3> <ul> <li>build: install man pages</li> <li>build: updated / fixed / refined Bazel buildfiles</li> <li>encoder: faster encoding</li> <li>cgo: link via pkg-config</li> <li>python: modernize extension / allow multi-phase module initialization</li> </ul> <h3>Changed</h3> <ul> <li>decoder / encoder: static tables use &quot;small&quot; model (allows 2GiB+ binaries)</li> </ul> <h2>v1.2.0 RC2</h2> <h2>What's Changed (compared to RC1)</h2> <ul> <li>pick changes from Debian patch by <a href="https://github.com/copybara-service"><code>@​copybara-service</code></a>[bot] in <a href="https://redirect.github.com/google/brotli/pull/1349">google/brotli#1349</a></li> <li>pick changes from Alpine patch by <a href="https://github.com/copybara-service"><code>@​copybara-service</code></a>[bot] in <a href="https://redirect.github.com/google/brotli/pull/1348">google/brotli#1348</a></li> <li>pick VCPKG patches by <a href="https://github.com/copybara-service"><code>@​copybara-service</code></a>[bot] in <a href="https://redirect.github.com/google/brotli/pull/1350">google/brotli#1350</a></li> <li>fix copy-paste in Java decoder by <a href="https://github.com/copybara-service"><code>@​copybara-service</code></a>[bot] in <a href="https://redirect.github.com/google/brotli/pull/1357">google/brotli#1357</a></li> </ul> <h2>v1.2.0 RC1</h2> <p><strong>IMPORTANT</strong>: though this is a pre-release for v1.2.0, it is expected that some changes will be added before release; most notably concerning build files: patches applied by Alpine, Debian, Conan, VCPKG will be partially/fully integrated.</p> <h3>SECURITY</h3> <ul> <li>python: added <code>Decompressor::can_accept_more_data</code> method and optional <code>output_buffer_limit</code> argument <code>Decompressor::process</code>; that allows mitigation of unexpectedly large output; reported by Charles Chan (<a href="https://github.com/charleswhchan">https://github.com/charleswhchan</a>)</li> </ul> <h3>Added</h3> <ul> <li><strong>decoder / encoder: added static initialization to reduce binary size</strong></li> <li>python: allow limiting decoder output (see SECURITY section)</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/google/brotli/blob/master/CHANGELOG.md">brotli's changelog</a>.</em></p> <blockquote> <h2>[1.2.0] - 2025-10-27</h2> <h3>SECURITY</h3> <ul> <li>python: added <code>Decompressor::can_accept_more_data</code> method and optional <code>output_buffer_limit</code> argument <code>Decompressor::process</code>; that allows mitigation of unexpectedly large output; reported by Charles Chan (<a href="https://github.com/charleswhchan">https://github.com/charleswhchan</a>)</li> </ul> <h3>Added</h3> <ul> <li><strong>decoder / encoder: added static initialization to reduce binary size</strong></li> <li>python: allow limiting decoder output (see SECURITY section)</li> <li>CLI: <code>brcat</code> alias; allow decoding concatenated brotli streams</li> <li>kt: pure Kotlin decoder</li> <li>cgo: support &quot;raw&quot; dictionaries</li> <li>build: Bazel modules</li> </ul> <h3>Removed</h3> <ul> <li>java: dropped <code>finalize()</code> for native entities</li> </ul> <h3>Fixed</h3> <ul> <li>java: in <code>compress</code> pass correct length to native encoder</li> </ul> <h3>Improved</h3> <ul> <li>build: install man pages</li> <li>build: updated / fixed / refined Bazel buildfiles</li> <li>encoder: faster encoding</li> <li>cgo: link via pkg-config</li> <li>python: modernize extension / allow multi-phase module initialization</li> </ul> <h3>Changed</h3> <ul> <li>decoder / encoder: static tables use &quot;small&quot; model (allows 2GiB+ binaries)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/google/brotli/commit/028fb5a23661f123017c060daa546b55cf4bde29"><code>028fb5a</code></a> release v1.2.0</li> <li><a href="https://github.com/google/brotli/commit/390de5b472ec8c40a7b8e5029e47fd6493f7a755"><code>390de5b</code></a> build and test csharp decoder</li> <li><a href="https://github.com/google/brotli/commit/3499acbb7ac7818c1b929a8c9c5c5f8a634751da"><code>3499acb</code></a> regenerate go/kt/js/ts</li> <li><a href="https://github.com/google/brotli/commit/8ca2312c61f1f5853be0708f9b1d6a6ad002d2a4"><code>8ca2312</code></a> fix release workflow</li> <li><a href="https://github.com/google/brotli/commit/ee771daf20bab6533cbc629407c50cff1c87d9f1"><code>ee771da</code></a> fix copy-paste in Java decoder</li> <li><a href="https://github.com/google/brotli/commit/42aee3289154cb3e8db1c7a8ebfa639c857578b9"><code>42aee32</code></a> try to fix release workflow</li> <li><a href="https://github.com/google/brotli/commit/392c06bac05cc1d098ab105cbbda766f19853d92"><code>392c06b</code></a> redesign release resource uploading</li> <li><a href="https://github.com/google/brotli/commit/1964cdb1b9e16a2a0c27fbd3b2a3bccb2c1a8294"><code>1964cdb</code></a> ramp up all GH actions plugins</li> <li><a href="https://github.com/google/brotli/commit/61605b1cb34ba84ae71c13b383d850a59cac85b2"><code>61605b1</code></a> pick VCPKG patches</li> <li><a href="https://github.com/google/brotli/commit/4b0f27b6f985b4301ad5cec4a31b9792ecf252bc"><code>4b0f27b</code></a> pick changes from Alpine patch</li> <li>Additional commits viewable in <a href="https://github.com/google/brotli/compare/go/cbrotli/v1.1.0...v1.2.0">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=brotli&package-manager=pip&previous-version=1.1.0&new-version=1.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/requirements/base-ft.txt b/requirements/base-ft.txt
@@ -14,7 +14,7 @@ async-timeout==5.0.1 ; python_version < "3.11"
     # via -r requirements/runtime-deps.in
 attrs==25.3.0
     # via -r requirements/runtime-deps.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 cffi==2.0.0
     # via pycares
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -14,7 +14,7 @@ async-timeout==5.0.1 ; python_version < "3.11"
     # via -r requirements/runtime-deps.in
 attrs==25.3.0
     # via -r requirements/runtime-deps.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 cffi==2.0.0
     # via pycares
diff --git a/requirements/constraints.txt b/requirements/constraints.txt
@@ -30,7 +30,7 @@ blockbuster==1.5.25
     # via
     #   -r requirements/lint.in
     #   -r requirements/test-common.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 build==1.3.0
     # via pip-tools
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -30,7 +30,7 @@ blockbuster==1.5.25
     # via
     #   -r requirements/lint.in
     #   -r requirements/test-common.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 build==1.3.0
     # via pip-tools
diff --git a/requirements/runtime-deps.txt b/requirements/runtime-deps.txt
@@ -14,7 +14,7 @@ async-timeout==5.0.1 ; python_version < "3.11"
     # via -r requirements/runtime-deps.in
 attrs==25.3.0
     # via -r requirements/runtime-deps.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 cffi==2.0.0
     # via pycares
diff --git a/requirements/test-ft.txt b/requirements/test-ft.txt
@@ -18,7 +18,7 @@ attrs==25.3.0
     # via -r requirements/runtime-deps.in
 blockbuster==1.5.25
     # via -r requirements/test-common.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 cffi==2.0.0
     # via
diff --git a/requirements/test.txt b/requirements/test.txt
@@ -18,7 +18,7 @@ attrs==25.3.0
     # via -r requirements/runtime-deps.in
 blockbuster==1.5.25
     # via -r requirements/test-common.in
-brotli==1.1.0 ; platform_python_implementation == "CPython"
+brotli==1.2.0 ; platform_python_implementation == "CPython"
     # via -r requirements/runtime-deps.in
 cffi==2.0.0
     # via
