Update dependency curl-cffi to v0.15.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
curl-cffi	==0.10.0 → ==0.15.0

---

Release Notes

lexiforest/curl_cffi (curl-cffi)

v0.15.0

Compare Source

🎉 Another release with significant changes!

Highlights

• http/3 fingerprints, added for Chrome 145, 146 and Firefox 147. To verify http3 fingerprints, visit https://fp.impersonate.pro
• http/3 proxy support with socks5 udp proxy server.
• New CLI tool, just called curl-cffi, easier http debugging for both humans and agents. See docs. We also added a skill.
• Compatibility optimization, curl_cffi is now fully static. Especially for macOS, no dependencies needed and compatible with macOS since 11.0.
• ⚠️ Security improvement. If you are accepting urls from others and returning the response to them, you are vulnerable to redirection-based SSRF. Disable allow_redirects or at lease set allow_redirects="safe", see the advisory and the docs.
• Performance optimization: WebSocket improvement and free-threading support.
• Android is officially supported, closing a 3-years-old issue.
• New impersonation behaviors, the cookie header behavior and POST boundary are now made exactly the same as browsers. These are not part of tls or http binary fingerprints, but are exploited by WAFs, too.

The list of proxy vendors with udp sock5 support is very limited, so I set up 2 servers for testing. You can simply run:

curl-cffi get https://fp.impersonate.pro/api/http3 --proxy socks5://imp:curl-cffi@206.189.95.199:1080 --http3-only
curl-cffi get https://fp.impersonate.pro/api/http3 --proxy socks5://imp:curl-cffi@24.144.88.46:1080 --http3-only

If you need more udp socks5 servers from us, click the 👀 emoji to vote.

What's Changed

• Fix some of the extension values being overwritten caused by applying… by @​enter-a-new-username3 in #​680
• Typehint session return values and internal functions by @​Vizonex in #​664
• Add free threaded builds by @​lexiforest in #​697
• Async WebSocket: Docs, Safety & Performance Improvements by @​Sh3llcod3 in #​692
• Add support for Android by @​lexiforest in #​699
• add type hint for request responses by @​MFTabriz in #​690
• Response hint fix for < 3.13 by @​novitae in #​546
• Fix BufferError Crash by @​Sh3llcod3 in #​700
• WS: Small Optimizations by @​Sh3llcod3 in #​702
• Add support for retrying by @​lexiforest in #​689
• WS: Update Docs by @​Sh3llcod3 in #​705
• Enable http3 fingerprints by @​lexiforest in #​712
• Add support for loongarch64 by @​wxpppp in #​716
• Make the CLI more useful by @​lexiforest in #​726
• Add option to mitigate SSRF by @​lexiforest in #​727
• Expose http3 fingerprints customization by @​lexiforest in #​728
• Add body to response.request by @​lexiforest in #​710
• fix Makefile issue by @​p9s in #​655
• Add support for READFUNCTION by @​lexiforest in #​698

New Contributors

• @​enter-a-new-username3 made their first contribution in #​680
• @​MFTabriz made their first contribution in #​690
• @​wxpppp made their first contribution in #​716
• @​p9s made their first contribution in #​655

Full Changelog: lexiforest/curl_cffi@v0.14.0...v0.15.0

v0.14.0

Compare Source

This release contains a few changes that might break the code for some people, hopefully not too many:

1. Async websocket is completed rewritten, great performance boost, but a few breaking API.
2. macOS requirement is now 15.0+, the same as GitHub actions builder, due to bundled c-ares.
3. Python requirement is now 3.10+, as we planned.

Personal notes:

I have been holding this version for a while, thinking that I should fix the unintentional macOS version upgrade and implement pro features within this release. But it turns out that 2025 has been a fruitful, but exhausting year for me. Significant number of PRs have been merged since last release, so let's make them available for all.

What's Changed

• docs: fix impersonation docs link in README to working URL by @​MrDebugger in #​616
• Add support for riscv and armv7l wheels by @​lexiforest in #​622
• refactor: enhance Curl class cleanup methods by @​montovaneli in #​618
• chore: make async session HTTP methods truly async by @​serozhenka in #​619
• CLI script curl-cffi by @​haron in #​621
• Use conditional imports based on thread backend selection by @​Caellian in #​625
• enhance Curl class to handle None curl cases by @​montovaneli in #​631
• added response and request size to Response and parse it in session by @​manjustice in #​648
• Add raise_for_status parameter to Session and AsyncSession by @​RohanDisa in #​651
• Fix cURL error 77 on Windows by encoding file-path options with system ANSI codepage by @​ewnn112 in #​647
• Improve Async WebSocket by @​Sh3llcod3 in #​650
• Fix Content-Type header update for non-empty data in set_curl_options by @​sarperavci in #​658
• Upgrade websockets and FastAPI version in tests and dev by @​lexiforest in #​662
• Use timedelta for elapsed-time handling to improve Requests compatibility by @​sarperavci in #​661
• Fix websocket close code validation by @​blood-worm in #​673

New Contributors

• @​MrDebugger made their first contribution in #​616
• @​haron made their first contribution in #​621
• @​Caellian made their first contribution in #​625
• @​manjustice made their first contribution in #​648
• @​RohanDisa made their first contribution in #​651
• @​ewnn112 made their first contribution in #​647
• @​Sh3llcod3 made their first contribution in #​650
• @​sarperavci made their first contribution in #​658
• @​blood-worm made their first contribution in #​673

Full Changelog: lexiforest/curl_cffi@v0.13.0...v0.14.0

v0.13.0

Compare Source

bugfixes

Fixed asyncio timeout issue, if you are experiencing this, please update to 0.13.

What's Changed

• Add support for building curl_cffi wheels on WoA by @​lowkeyrossi in #​603
• Add support for building Win-ARM64 wheels by @​lowkeyrossi in #​608
• fix websocket message with chunks by @​montovaneli in #​606
• Fix race condition in WebSocket concurrent sends by @​ferdimsu in #​605
• Try to streamline asyncio according to curl docs by @​lexiforest in #​602
• Respect REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE enviroment variable by @​henrysky in #​611

New Contributors

• @​lowkeyrossi made their first contribution in #​603
• @​montovaneli made their first contribution in #​606
• @​henrysky made their first contribution in #​611

Full Changelog: lexiforest/curl_cffi@v0.12.0...v0.13.0

v0.12.0

Compare Source

What's Changed

• Fix WebSocket send fails on second message after sending large message by @​ferdimsu in #​570
• Added Safari 26.0 targets.

New Contributors

• @​ferdimsu made their first contribution in #​570

Full Changelog: lexiforest/curl_cffi@v0.11.4...v0.12.0

v0.11.4

Compare Source

What's Changed

• bugfix: move curl_options to the end of setopt by @​lexiforest in #​580
• Added windows http/3 support.

Full Changelog: lexiforest/curl_cffi@v0.11.3...v0.11.4

v0.11.3

Compare Source

Fixed tor fingerprints.

v0.11.2

Compare Source

Minor breaking change

The response.cookies object now contains only cookies from current request. If you are using the following patterns and hit a redirect, you will need a session.

import curl_cffi
r = curl_cffi.get("https://httpbin.org/redirect")

# ❌ Cookie from previous redirect may be lost.
do_something(r.cookies)

s = curl_cffi.Session()
r = s.get("https://httpbin.org/redirect")

# ✅ Use a session instead, to retrive all cookies in the session
do_something(s.cookies)

What's Changed

• Allow using string for setting http version by @​lexiforest in #​566
• Only include cookies in current request in response.cookies by @​lexiforest in #​572
• Fallback to latin-1 for redirected url in Location header by @​lexiforest in #​575
• Add toggle for firefox specific extensions by @​lexiforest in #​576
• Option to disable cookie store (2) by @​novitae in #​489

Full Changelog: lexiforest/curl_cffi@v0.11.1...v0.11.2

v0.11.1

Compare Source

v0.11.0

Compare Source

Added support for HTTP/3, except for Windows.

>>> import curl_cffi
>>> from curl_cffi import CurlHttpVersion
>>> r = curl_cffi.get("https://cloudflare-quic.com", http_version=CurlHttpVersion.V3ONLY)
>>> r.status_code
200
>>> r.http_version == CurlHttpVersion.V3
True

Also added new targets: tor145, safari184, safari184_ios, chrome136.

What's Changed

• fix HEADERFUNCTION typo by @​GeekDuanLian in #​518
• fix: let request headers encoding take precedence over session headers encoding by @​serozhenka in #​514
• Complete support for DEBUGFUNCTION by @​GeekDuanLian in #​519
• Add support for http/3 by @​lexiforest in #​538
• Add markdown extraction method by @​lexiforest in #​541
• Support more curl_multi_* functions by @​el1s7 in #​548
• add CURL_IPRESOLVE Enum by @​GeekDuanLian in #​523
• Add support for curl_easy_upkeep by @​lexiforest in #​557
• Add missing ciphers by @​lexiforest in #​558

New Contributors

• @​GeekDuanLian made their first contribution in #​518

Full Changelog: lexiforest/curl_cffi@v0.10.0...v0.11.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: uv.lock

Command failed: uv lock --upgrade-package curl-cffi
warning: The `tool.uv.dev-dependencies` field (used in `pyproject.toml`) is deprecated and will be removed in a future release; use `dependency-groups.dev` instead
Using CPython 3.14.6 interpreter at: /opt/containerbase/tools/python/3.14.6/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ python_full_version == '3.9.*'):
  ╰─▶ Because the requested Python version (>=3.9) does not satisfy
      Python>=3.10 and curl-cffi==0.15.0 depends on Python>=3.10, we can
      conclude that curl-cffi==0.15.0 cannot be used.
      And because your project depends on curl-cffi==0.15.0, we can conclude
      that your project's requirements are unsatisfiable.

hint: While the active Python version is 3.14, the resolution failed for other Python versions supported by your project. Consider limiting your project's supported Python versions using `requires-python`.
hint: The `requires-python` value (>=3.9) includes Python versions that are not supported by your dependencies (e.g., curl-cffi==0.15.0 only supports >=3.10). Consider using a more restrictive `requires-python` value (like >=3.10).