chore(deps): bump nltk from 3.9.3 to 3.9.4

[dependabot]

Bumps nltk from 3.9.3 to 3.9.4.

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

• Support Python 3.14
• Fix bug in Levenshtein distance when substitution_cost > 2
• Fix bug in Treebank detokeniser re quote ordering
• Fix bug in Jaro similarity for empty strings
• Several security enhancements
• Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
• Implement TextTiling vocabulary introduction method (Hearst 1997)
• Fix ALINE feature matrix errors and add comprehensive tests
• Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
• Let downloader fallback to md5 when sha256 is unavailable
• Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

• Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
• Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
• Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
• Validate external StanfordSegmenter JARs using SHA256 (#3477)
• Add optional sandbox enforcement for filestring() (#3485)
• Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

• Update download checksums to use SHA256 in built index
• Fix percentage escape in new-style string formatting
• replace shortened URLs using goo.gl
• Make Wordnet interoperable with various taggers and tagged corpora
• Fix saving PerceptronTagger
• Document how to reproduce old Wordnet studies
• properly initialize Portuguese corpus reader
• support for mixed rules conversion into Chomsky Normal Form
• only import tkinter if a GUI is needed
• issue #2112 with Corenlp
• new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
• Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits

• ad9c96b Update copyright year
• 7edcddf Updates for 3.9.4 release
• 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
• 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
• 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
• 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
• c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
• 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
• aec4fce Merge pull request #3522 from ekaf/pathsec
• eec4ee3 Merge pull request #3526 from nltk/update-contributing
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[greptile-apps]

PR author is in the excluded authors list.

[JiwaniZakir]

The PR title says this is a simple nltk bump, but uv.lock contains several other notable changes worth calling out explicitly. The textual minimum version specifier jumps from >=4.0.0 to >=6.0.0 (skipping v5 entirely), which is a significant constraint tightening that could break environments running Textual 4.x or 5.x — this change should be documented in the PR description and ideally accompanied by a changelog entry or comment explaining why v6+ is now required. Additionally, the lock file picks up new platform markers on altgraph (sys_platform != 'emscripten' and sys_platform != 'win32'), ptyprocess (same), and cffi (sys_platform != 'win32'), which reflect upstream metadata corrections but are worth verifying against any Windows or browser-based (Pyodide/emscripten) build targets the project may support. The strix-agent version also bumps from 0.8.2 to 0.8.3, which suggests this commit includes more than a dependency update — that version increment should be reflected in whatever changelog or release notes process the project uses.