Bump the pip group across 1 directory with 3 updates

[dependabot]

Bumps the pip group with 3 updates in the / directory: protobuf, h11 and h2.

Updates protobuf from 5.28.2 to 5.29.5

Commits

• f5de0a0 Updating version.json and repo version numbers to: 29.5
• 8563766 Merge pull request #21858 from shaod2/py-cp-29
• 05ba1a8 Add recursion depth limits to pure python
• 1ef3f01 Internal pure python fixes
• 69cca9b Remove fast-path check for non-clang compilers in MessageCreator. (#21612)
• 21fdb7a fix: contains check segfaults on empty map (#20446) (#20904)
• 03c50e3 Re-enable aarch64 tests. (#20853)
• 128f0aa Add volatile to featuresResolved (#20767)
• bdd49bb Merge pull request #20755 from protocolbuffers/29.x-202503192110
• c659468 Updating version.json and repo version numbers to: 29.5-dev
• Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

• 1c5b075 this time for surer
• d9c3699 this time for sure...
• d91b9dd blacken
• 5a4683c Soothe mypy
• 9c9567f Bump version to 0.16.0
• 114803a Merge commit from fork
• 9462006 Bump version to 0.15.0
• 70a96be Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_digits
• 60782ad Reject Content-Length longer 1 billion TB
• dff7cc3 Validate Chunked-Encoding chunk footer
• Additional commits viewable in compare view

Updates h2 from 4.1.0 to 4.3.0

Changelog

Sourced from h2's changelog.

4.3.0 (2025-08-23)

API Changes (Backward Incompatible)

• Reject header names and values containing illegal characters, based on RFC 9113, section 8.2.1. The main Python API is compatible, but some previously valid requests/response headers might now be blocked. Use the validate_inbound_headers config option if needed. Thanks to Sebastiano Sartor (sebsrt) for the report.
• Convert emitted events into Python dataclass, which introduces new constructors with required arguments. Instantiating these events without arguments, as previously commonly used API pattern, will no longer work.

API Changes (Backward Compatible)

• h2 events now have tighter type bounds, e.g. stream_id is guaranteed to not be None for most events now. This simplifies downstream type checking.
• Various typing-related improvements.

Bugfixes

• Fix error value when opening a new stream on too many open streams.

4.2.0 (2025-02-01)

API Changes (Backward Incompatible)

• Support for Python 3.6 has been removed.
• Support for Python 3.7 has been removed.
• Support for Python 3.8 has been removed.
• Remove mistakenly set max_inbound_frame_size attribute on H2Stream.

API Changes (Backward Compatible)

• Support for Python 3.11 has been added.
• Support for Python 3.12 has been added.
• Support for Python 3.13 has been added.
• Add an ability to send outbound cookies separately to improve headers compression.
• Updated packaging and testing infrastructure.

Bugfixes

• Fix repr() checks for Python 3.11
• Fix asyncio / wsgi examples.
• Clarify docs on using curl with http2.

Commits

• 1aae569 v4.3.0
• 9e4bbed merge surrounding whitespace and uppercase validators into illegal character ...
• 035e989 be stricter about which characters to accept for headers
• 883ed37 reject header names and values containing unpermitted characters \r, \n, ...
• 0583911 lint: fix TC006
• bbd3d90 fix(packaging): bump twine to pass meta check wildcard bugs
• ea3140f cleanup
• 9ce83ff exclude RDT from sdist
• 492d3db Update .readthedocs.yaml
• 243461d Create RTD config
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.