Bump distlib from 0.3.6 to 0.4.3

[dependabot]

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps distlib from 0.3.6 to 0.4.3.

Changelog

Sourced from distlib's changelog.

0.4.3

Released: 2026-06-12


resources

Removed too-restrictive check for escaping resources.



0.4.2

Released: 2026-06-08

• locators

  • Fix URL percent-encoding using space-padding instead of zero-padding. Thanks to Kadir Can Ozden for the patch.

  • Harden decompression against malicious input. Thanks to tonghuaroot for the patch, which was adapted slightly.

• manifest

  • Use os.lstat in findall to correctly detect symlinked directories. Thanks to Kadir Can Ozden for the patch.

• metadata

  • Improve logic to incorporate newer metadata versions.

• resources

  • Ensure that constructed resource paths don't escape the package. Thanks to tonghuaroot for the patch.

• util

  • Fix #255: Update cache_from_source() for Python 3.15. Thanks to Victor Stinner for the patch.

  • Check during unarchiving that the destination directory isn't escaped via symlinks. Thanks to tonghuaroot for the patch.

  • Improved performance of normalize_name using dual replace. Thanks to Hugo van Kemenade for the patch.

• wheel

... (truncated)

Commits

• 3f4a377 Changes for 0.4.3.
• 5ee19e6 Relax too-strict escaping check for resources.
• f0e3d1a Bump version.
• 06e010d Add upper version limit for setuptools for build, to keep metadata version to...
• 8b5aa55 Added tag 0.4.2 for changeset 5295c0ceb419
• 8183ea6 Update change log.
• 55ca016 Changes for 0.4.2.
• 7e282ab Update metadata logic to incorporate newer versions.
• fa4ea50 Remove non-portable portion of test.
• e06a1d5 Further refine tests.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)