chore(deps): bump scrapy from 2.13.3 to 2.14.2 in /ingest

[dependabot]

Bumps scrapy from 2.13.3 to 2.14.2.

Release notes

Sourced from scrapy's releases.

2.14.2

• Values from the Referrer-Policy header of HTTP responses are no longer executed as Python callables. See the cwxj-rr6w-m6w7 security advisory for details.
• In line with the standard, 301 redirects of POST requests are converted into GET requests.

Full Changelog

2.14.1

• Deprecate maybeDeferred_coro()
• Pass the spider arg to custom stat collectors {open,close}_spider()
• Replace deprecated Codecov CI action

Full Changelog

2.14.0

• More coroutine-based replacements for Deferred-based APIs
• The default priority queue is now DownloaderAwarePriorityQueue
• Dropped support for Python 3.9 and PyPy 3.10
• Improved and documented the API for custom download handlers

Full changelog

2.13.4

Fix for the CVE-2025-6176 security issue: improved protection against decompression bombs in HttpCompressionMiddleware for responses compressed using the br and deflate methods. Requires brotli >= 1.2.0.

Full changelog

Changelog

Sourced from scrapy's changelog.

Scrapy 2.14.2 (2026-03-12)

Security bug fixes

-   Values from the ``Referrer-Policy`` header of HTTP responses are no longer
    executed as Python callables. See the `cwxj-rr6w-m6w7`_ security advisory
    for details.
.. _cwxj-rr6w-m6w7: https://github.com/scrapy/scrapy/security/advisories/GHSA-cwxj-rr6w-m6w7



In line with the standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>__, 301 redirects of

POST requests are converted into GET requests.
Converting to a GET request implies not only a method change, but also

omitting the body and Content-* headers in the redirect request. On

cross-origin redirects (for example, cross-domain redirects), this is

effectively a security bug fix for scenarios where the body contains

secrets.


Deprecations

-   Passing a response URL string as the first positional argument to
    :meth:`scrapy.spidermiddlewares.referer.RefererMiddleware.policy` is
    deprecated. Pass a :class:`~scrapy.http.Response` instead.
The parameter has also been renamed to ``response`` to reflect this change.
The old parameter name (``resp_or_url``) is deprecated.

New features



Added a new setting, :setting:REFERER_POLICIES, to allow customizing

supported referrer policies.

Bug fixes

-   Made additional redirect scenarios convert to ``GET`` in line with the
    `standard <https://fetch.spec.whatwg.org/#http-redirect-fetch>`__:
-   Only ``POST`` 302 redirects are converted into ``GET`` requests; other
    methods are preserved.

-   ``HEAD`` 303 redirects are not converted into ``GET`` requests.

-   ``GET`` 303 redirects do not have their body or standard ``Content-*``

</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/scrapy/scrapy/commit/498b4fc1a431c71ea699b2d7e0bd518c7ceca302&quot;&gt;&lt;code&gt;498b4fc&lt;/code&gt;&lt;/a> Bump version: 2.14.1 → 2.14.2</li>

<li><a href="https://github.com/scrapy/scrapy/commit/378bb68039876c5e77b293cccd80eb5f306afd7e&quot;&gt;&lt;code&gt;378bb68&lt;/code&gt;&lt;/a> Proofread the release notes</li>

<li><a href="https://github.com/scrapy/scrapy/commit/8e28f938d29a496c3bf9fbffb212e1808213d9c4&quot;&gt;&lt;code&gt;8e28f93&lt;/code&gt;&lt;/a> Make test_no_warning_when_referer_middleware_present less brittle</li>

<li><a href="https://github.com/scrapy/scrapy/commit/886131c7b2f2e792fc139e5660f908239836388c&quot;&gt;&lt;code&gt;886131c&lt;/code&gt;&lt;/a> Run pre-commit</li>

<li><a href="https://github.com/scrapy/scrapy/commit/945b787a263586cb5803c01c6da57daad8997ae5&quot;&gt;&lt;code&gt;945b787&lt;/code&gt;&lt;/a> Merge remote-tracking branch 'cwxj-rr6w-m6w7/fix-referer-policy-handling' int...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/8974580e438d18a105b8a0475e90bce2f1eb4dca&quot;&gt;&lt;code&gt;8974580&lt;/code&gt;&lt;/a> Reword the release note entry to consider the 301 redirect fix a security bug...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/ba3d7bc7a8329d26862fcae248ececa386c1548a&quot;&gt;&lt;code&gt;ba3d7bc&lt;/code&gt;&lt;/a> Remove the non-standard 307/308 handling, and align other aspects with the st...</li>

<li><a href="https://github.com/scrapy/scrapy/commit/04db6a542407666de586d277acb1a651c389354e&quot;&gt;&lt;code&gt;04db6a5&lt;/code&gt;&lt;/a> Add a docstring to _load_policy_class()</li>

<li><a href="https://github.com/scrapy/scrapy/commit/a39545195ea41f22d7bfdc3eab83ef564480e516&quot;&gt;&lt;code&gt;a395451&lt;/code&gt;&lt;/a> allow to override → allow overriding</li>

<li><a href="https://github.com/scrapy/scrapy/commit/842d0becf0f36152a1090c62c0e5d9c950241975&quot;&gt;&lt;code&gt;842d0be&lt;/code&gt;&lt;/a> Rename test function</li>

<li>Additional commits viewable in <a href="https://github.com/scrapy/scrapy/compare/2.13.3...2.14.2&quot;&gt;compare view</a></li>

</ul>

</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.