Bump scrapy from 2.13.4 to 2.14.2 #98

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/scrapy-2.14.2

@dependabot dependabot Bot commented on behalf of github Mar 13, 2026

Bumps scrapy from 2.13.4 to 2.14.2.

Release notes

Sourced from scrapy's releases.

2.14.2

  • Values from the Referrer-Policy header of HTTP responses are no longer executed as Python callables. See the cwxj-rr6w-m6w7 security advisory for details.
  • In line with the standard, 301 redirects of POST requests are converted into GET requests.

Full Changelog

2.14.1

  • Deprecate maybeDeferred_coro()
  • Pass the spider arg to custom stat collectors {open,close}_spider()
  • Replace deprecated Codecov CI action

Full Changelog

2.14.0

  • More coroutine-based replacements for Deferred-based APIs
  • The default priority queue is now DownloaderAwarePriorityQueue
  • Dropped support for Python 3.9 and PyPy 3.10
  • Improved and documented the API for custom download handlers

Full changelog

Changelog

Sourced from scrapy's changelog.

Scrapy 2.14.2 (2026-03-12)

Security bug fixes


-   Values from the ``Referrer-Policy`` header of HTTP responses are no longer
    executed as Python callables. See the `cwxj-rr6w-m6w7`_ security advisory
    for details.

    .. _cwxj-rr6w-m6w7: https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7

-   In line with the `standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>`__, 301 redirects of
    ``POST`` requests are converted into ``GET`` requests.

    Converting to a ``GET`` request implies not only a method change, but also
    omitting the body and ``Content-*`` headers in the redirect request. On
    cross-origin redirects (for example, cross-domain redirects), this is
    effectively a security bug fix for scenarios where the body contains
    secrets.

Deprecations


-   Passing a response URL string as the first positional argument to
    :meth:`scrapy.spidermiddlewares.referer.RefererMiddleware.policy` is
    deprecated. Pass a :class:`~scrapy.http.Response` instead.
    The parameter has also been renamed to ``response`` to reflect this change.
    The old parameter name (``resp_or_url``) is deprecated.

New features

-   Added a new setting, :setting:`REFERER_POLICIES`, to allow customizing
    supported referrer policies.

Bug fixes


-   Made additional redirect scenarios convert to ``GET`` in line with the
    `standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>`__:

    -   Only ``POST`` 302 redirects are converted into ``GET`` requests; other
        methods are preserved.

    -   ``HEAD`` 303 redirects are not converted into ``GET`` requests.

    -   ``GET`` 303 redirects do not have their body or standard ``Content-*``

... (truncated)

Commits

  • 498b4fc Bump version: 2.14.1 → 2.14.2
  • 378bb68 Proofread the release notes
  • 8e28f93 Make test_no_warning_when_referer_middleware_present less brittle
  • 886131c Run pre-commit
  • 945b787 Merge remote-tracking branch 'cwxj-rr6w-m6w7/fix-referer-policy-handling' int...
  • 8974580 Reword the release note entry to consider the 301 redirect fix a security bug...
  • ba3d7bc Remove the non-standard 307/308 handling, and align other aspects with the st...
  • 04db6a5 Add a docstring to _load_policy_class()
  • a395451 allow to override → allow overriding
  • 842d0be Rename test function
  • Additional commits viewable in compare view (https://github.com/scrapy/scrapy/compare/2.13.4...2.14.2)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
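
The redirect rule described in the changelog above, as an added example that is not part of the pull request or of Scrapy's code: a minimal model of the Fetch standard's HTTP-redirect step, showing when the body and its ``Content-*`` headers are dropped and when a body would still be re-sent to another origin. ``Req``, ``redirect``, ``body_crosses_origin`` and the sample URLs are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Request-body-header names the Fetch standard removes along with the body.
BODY_HEADERS = {"content-encoding", "content-language",
                "content-location", "content-type"}


@dataclass
class Req:  # hypothetical minimal request model, not scrapy.Request
    method: str
    url: str
    body: bytes = b""
    headers: dict = field(default_factory=dict)


def origin(url):
    """(scheme, host, port) tuple used for the same-origin comparison."""
    p = urlsplit(url)
    return p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme)


def redirect(req, status, location):
    """Build the follow-up request for a redirect response."""
    to_get = (status in (301, 302) and req.method == "POST") or (
        status == 303 and req.method not in ("GET", "HEAD"))
    if to_get:
        # Method change, body dropped, body-describing headers dropped.
        headers = {k: v for k, v in req.headers.items()
                   if k.lower() not in BODY_HEADERS}
        return Req("GET", location, b"", headers)
    return Req(req.method, location, req.body, dict(req.headers))


def body_crosses_origin(req, status, location):
    """True when a non-empty body would be re-sent to a different origin."""
    new = redirect(req, status, location)
    return bool(new.body) and origin(req.url) != origin(location)


# Constructed sample: a login POST whose body carries a secret.
LOGIN = Req("POST", "https://shop.example/login", b"user=a&password=hunter2",
            {"Content-Type": "application/x-www-form-urlencoded",
             "Accept": "text/html"})

if __name__ == "__main__":
    for status in (301, 302, 303):
        new = redirect(LOGIN, status, "https://other.example/next")
        print(status, new.method, new.body, sorted(new.headers))
```

Methods that are preserved across a redirect keep their body, so ``body_crosses_origin`` is the check to run over a crawler's non-``POST`` requests that carry credentials.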

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels Mar 13, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/scrapy-2.14.2 branch from 294137f to 51d3f28 Compare March 29, 2026 09:52
Bumps [scrapy](https://github.com/scrapy/scrapy) from 2.13.4 to 2.14.2.
- [Release notes](https://github.com/scrapy/scrapy/releases)
- [Changelog](https://github.com/scrapy/scrapy/blob/master/docs/news.rst)
- [Commits](scrapy/scrapy@2.13.4...2.14.2)

---
updated-dependencies:
- dependency-name: scrapy
  dependency-version: 2.14.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/scrapy-2.14.2 branch from 51d3f28 to cb73e07 Compare March 29, 2026 09:55