certifi · Jul 30, 2021 · Jul 30, 2021 · Oct 8, 2021 · Oct 26, 2021 · Oct 27, 2021
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # Necessary to update action hashes	
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    # Allow up to 3 opened pull requests for github-actions versions
+    open-pull-requests-limit: 3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,24 +4,45 @@ on:
   push:
     branches: [master]
   pull_request: {}
+
+permissions:
+  contents: read
 
 jobs:
+  mypy:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Set up Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+      - name: Install dependencies
+        run: pip install mypy
+      - name: Run mypy
+        run: mypy --strict certifi
+
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       matrix:
-        python-version: [3.5, 3.6, 3.7, 3.8, 3.9]
-
+        python-version:
+        - "3.6"
+        - "3.7"
+        - "3.8"
+        - "3.9"
+        - "3.10"
+        - "3.11"
+        - "3.12-dev"
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install test dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install pytest
+        python -m pip install pytest
     - name: Test with pytest
       run: |
-        pytest
+        python -W error -W 'ignore:Running attrs on Python 3.6' -m pytest
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -0,0 +1,20 @@
+name: Lock Issues
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions: {}
+
+jobs:
+  lock:
+    if: github.repository_owner == 'certifi'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-inactive-days: 90
+          pr-inactive-days: 90
diff --git a/LICENSE b/LICENSE
@@ -6,7 +6,7 @@ Certificate data from Mozilla as of: Thu Nov  3 19:04:19 2011#
 This is a bundle of X.509 certificates of public Certificate Authorities
 (CA). These were automatically extracted from Mozilla's root certificates
 file (certdata.txt).  This file can be found in the mozilla source tree:
-http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1#
+https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 It contains the certificates in PEM format and therefore
 can be directly used with curl / libcurl / php_curl, or with
 an Apache+mod_ssl webserver for SSL client authentication.

diff --git a/MANIFEST.in b/MANIFEST.in
@@ -1,4 +1,4 @@
-include MANIFEST.in README.rst LICENSE certifi/cacert.pem
+include MANIFEST.in README.rst LICENSE certifi/cacert.pem certifi/py.typed
 
 exclude .github/
-recursive-exclude .github
+recursive-exclude .github
diff --git a/README.rst b/README.rst
@@ -1,7 +1,7 @@
 Certifi: Python SSL Certificates
 ================================
 
-`Certifi`_ provides Mozilla's carefully curated collection of Root Certificates for
+Certifi provides Mozilla's carefully curated collection of Root Certificates for
 validating the trustworthiness of SSL certificates while verifying the identity
 of TLS hosts. It has been extracted from the `Requests`_ project.
 
@@ -30,21 +30,6 @@ Or from the command line::
 
 Enjoy!
 
-1024-bit Root Certificates
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Browsers and certificate authorities have concluded that 1024-bit keys are
-unacceptably weak for certificates, particularly root certificates. For this
-reason, Mozilla has removed any weak (i.e. 1024-bit key) certificate from its
-bundle, replacing it with an equivalent strong (i.e. 2048-bit or greater key)
-certificate from the same CA. Because Mozilla removed these certificates from
-its bundle, ``certifi`` removed them as well.
-
-In previous versions, ``certifi`` provided the ``certifi.old_where()`` function
-to intentionally re-add the 1024-bit roots back into your bundle. This was not
-recommended in production and therefore was removed at the end of 2018.
-
-.. _`Certifi`: https://certifiio.readthedocs.io/en/latest/
 .. _`Requests`: https://requests.readthedocs.io/en/master/
 
 Addition/Removal of Certificates

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,6 @@
+# Reporting Security Issues
+
+To report a security issue, please disclose it at [security advisory](https://github.com/certifi/python-certifi/security/advisories/new).
+
+We will respond within 7 working days of your submission. If the issue is confirmed as a vulnerability, we will open a Security Advisory and acknowledge your contributions as part of it. This project follows a 90 day disclosure timeline.
+
diff --git a/certifi/__init__.py b/certifi/__init__.py
@@ -1,3 +1,4 @@
 from .core import contents, where
 
-__version__ = "2021.05.30"
+__all__ = ["contents", "where"]
+__version__ = "2023.07.22"