Bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
pypdf	6.9.2	6.10.0
pillow	12.1.1	12.2.0
rapidfuzz	3.14.3	3.14.5
pytest	9.0.2	9.0.3
ty	0.0.26	0.0.29

Updates pypdf from 6.9.2 to 6.10.0

Release notes

Sourced from pypdf's releases.

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724) by @​stefan6419846

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694) by @​Ygnas

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310) by @​j-t-1
• Fix PdfReadError when xref table contains comments before trailer (#3710) by @​rassie
• Correctly verify AES padding during decryption (#3699) by @​stefan6419846
• Fix stale object cache from non-authoritative object streams (#3698) by @​astahlman
• Fix extract_links pairing when annotations include non-links (#3687) by @​ReinerBRO

Documentation (DOC)

• Add AI policy (#3717) by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.10.0, 2026-04-10

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724)

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694)

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310)
• Fix PdfReadError when xref table contains comments before trailer (#3710)
• Correctly verify AES padding during decryption (#3699)
• Fix stale object cache from non-authoritative object streams (#3698)
• Fix extract_links pairing when annotations include non-links (#3687)

Documentation (DOC)

• Add AI policy (#3717)

Full Changelog

Commits

• fd0aeca REL: 6.10.0
• b15a374 SEC: Disallow custom XML entity declarations for XMP metadata (#3724)
• d0d9de6 DEV: Update cryptography to 46.0.7 in ci.txt
• 1e0e5be DOC: Include policies about AI and PoCs into security policy
• 3155e04 Bump cryptography from 46.0.6 to 46.0.7 in /requirements (#3723)
• 696b978 DEV: Bump codecov/codecov-action from 5 to 6 (#3701)
• 5456731 TST: Extending typing to tests; cover generic and scripts folder files (#3660)
• e00505e DOC: Add AI policy (#3717)
• bd95bd8 Fix PdfReadError when xref table contains comments before trailer (#3710)
• f3f501b DEV: Update pygments version to 2.20.0 (#3707)
• Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates rapidfuzz from 3.14.3 to 3.14.5

Release notes

Sourced from rapidfuzz's releases.

Release 3.14.5

Fixed

• fix release ci attempting to upload a pyodide wheel

Release 3.14.4

Added

• add risc64 wheels
• add support for taskflow 4.0.0

Changed

• upgrade to Cython==3.2.4.

Fixed

• fix type hints for extractOne when no score_cutoff is provided

Changelog

Sourced from rapidfuzz's changelog.

Changelog

[3.14.5] - 2026-08-07 ^^^^^^^^^^^^^^^^^^^^^ Fixed

* fix release ci attempting to upload a pyodide wheel
[3.14.4] - 2026-04-06
^^^^^^^^^^^^^^^^^^^^^
Added

• add risc64 wheels
• add support for taskflow 4.0.0

Changed

* upgrade to ``Cython==3.2.4``.
Fixed
* fix type hints for extractOne when no score_cutoff is provided
[3.14.3] - 2025-11-01

^^^^^^^^^^^^^^^^^^^^^

Fixed



add missing pypy and freethreaded linux wheels

Removed

• drop s390x and ppc64le wheels since they are virtually unused and require extremly long to build under emulation

[3.14.2] - 2025-10-30 ^^^^^^^^^^^^^^^^^^^^^ Changed

* upgrade to ``Cython==3.1.6``
* enable free threading
[3.14.1] - 2025-09-08
^^^^^^^^^^^^^^^^^^^^^
Fixed
* Fully disable line tracing in release builds
[3.14.0] - 2025-08-27

^^^^^^^^^^^^^^^^^^^^^

Changed

</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/edf9f3c2d016c878dae1511301f8b4a501bba871&quot;&gt;&lt;code&gt;edf9f3c&lt;/code&gt;&lt;/a> fix release ci</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/3d8470bf60062dda5c200517f61a8ff43e3e9ef2&quot;&gt;&lt;code&gt;3d8470b&lt;/code&gt;&lt;/a> enable verbose publish</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/7fd4ee202b5e3cc9f158f505a33d934a68c14148&quot;&gt;&lt;code&gt;7fd4ee2&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 3 updates</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/9691cf1bf985eaf59f6c968f3d7cd8e59054ebaa&quot;&gt;&lt;code&gt;9691cf1&lt;/code&gt;&lt;/a> tag release</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/fd16748843be7d1a4842604fa3429e3943e80e5c&quot;&gt;&lt;code&gt;fd16748&lt;/code&gt;&lt;/a> ci: switch riscv64 from QEMU to native RISE runner</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/7f7d58b91a2716eaaec939a72b476ab1bf1ead1b&quot;&gt;&lt;code&gt;7f7d58b&lt;/code&gt;&lt;/a> ci: add riscv64 wheel builds via QEMU</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/f4b56942bdbbb99bba556656ea8a0aef1e8c12f0&quot;&gt;&lt;code&gt;f4b5694&lt;/code&gt;&lt;/a> Bump pypa/cibuildwheel from 3.3.1 to 3.4.0 in the github-actions group</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/f2873ce9868285eca1d05d8645791d76a2b545fe&quot;&gt;&lt;code&gt;f2873ce&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 3 updates</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/4e48509d858454ea994521f90ae8c5d66eb15073&quot;&gt;&lt;code&gt;4e48509&lt;/code&gt;&lt;/a> support Taskflow 4.0.0</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/70480396a66fadabd897407ce289978dec2c13c0&quot;&gt;&lt;code&gt;7048039&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 4 updates</li>

<li>Additional commits viewable in <a href="https://github.com/rapidfuzz/RapidFuzz/compare/v3.14.3...v3.14.5&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Updates pytest from 9.0.2 to 9.0.3

Release notes
Sourced from pytest's releases.

9.0.3
pytest 9.0.3 (2026-04-07)
Bug fixes


#12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.


#13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.
Previously this resulted in an internal assertion failure during plugin loading.
Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.


#13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.


#14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.


#14343: Fixed use of insecure temporary directory (CVE-2025-71176).


Improved documentation

#13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
#13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
#14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
#14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes


#12689: The test reports are now published to Codecov from GitHub Actions.
The test statistics is visible on the web interface.
-- by aleguy02





Commits

a7d58d7 Prepare release version 9.0.3
089d981 Merge pull request #14366 from bluetech/revert-14193-backport
8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
74eac69 doc: Update training info (#14298) (#14301)
f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
c34bfa3 Add explanation for string context diffs (#14257) (#14266)
Additional commits viewable in compare view




Updates ty from 0.0.26 to 0.0.29

Release notes
Sourced from ty's releases.

0.0.29
Release Notes
Released on 2026-04-05.
Bug fixes

Avoid special-casing for dataclasses.field if it's not in field_specifiers (#24397)
Reject unsupported environment.python-version values in configuration files (#24402)
Respect supported lower bounds from requires-python (#24401)

Core type checking

Add support for types.new_class (#23144)
Fix PEP 695 type aliases in with statement (#24395)
Respect __new__ and metaclass __call__ return types (#24357)
Treat enum attributes with type annotations as members (#23776)

Contributors

@​charliermarsh
@​carljm

Install ty 0.0.29
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.29/ty-installer.sh | sh

Install prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.29/ty-installer.ps1 | iex"

Download ty 0.0.29



File
Platform
Checksum




ty-aarch64-apple-darwin.tar.gz
Apple Silicon macOS
checksum


ty-x86_64-apple-darwin.tar.gz
Intel macOS
checksum


ty-aarch64-pc-windows-msvc.zip
ARM64 Windows
checksum


ty-i686-pc-windows-msvc.zip
x86 Windows
checksum


ty-x86_64-pc-windows-msvc.zip
x64 Windows
checksum


ty-aarch64-unknown-linux-gnu.tar.gz
ARM64 Linux
checksum


ty-i686-unknown-linux-gnu.tar.gz
x86 Linux
checksum


ty-powerpc64-unknown-linux-gnu.tar.gz
PPC64 Linux
checksum


ty-powerpc64le-unknown-linux-gnu.tar.gz
PPC64LE Linux
checksum





... (truncated)


Changelog
Sourced from ty's changelog.

0.0.29
Released on 2026-04-05.
Bug fixes

Avoid special-casing for dataclasses.field if it's not in field_specifiers (#24397)
Reject unsupported environment.python-version values in configuration files (#24402)
Respect supported lower bounds from requires-python (#24401)

Core type checking

Add support for types.new_class (#23144)
Fix PEP 695 type aliases in with statement (#24395)
Respect __new__ and metaclass __call__ return types (#24357)
Treat enum attributes with type annotations as members (#23776)

Contributors

@​charliermarsh
@​carljm

0.0.28
Released on 2026-04-02.
Bug fixes

Mark loop header assignments as used to avoid false positives in "unused variable" diagnostics (#24336)

LSP server

Show constructor signature of classes when hovering over them (#24257)

Core type checking

Avoid emitting cascading diagnostics when parsing invalid type expressions (#24326)
Handle most "deep" mutual TypeVar constraints (#24079)
Improve consistency and quality of diagnostics relating to invalid type forms (#24325)
Improve robustness of various type-qualifier-related checks (#24251)
Infer the extra_items keyword argument to class-based TypedDicts as an annotation expression (#24362)
Use bidirectional inference to fix false positives on operations such as x: list[int | None] = [None] * 2 (#24197)
Sync vendored typeshed stubs (#24340). Typeshed diff
Tighten up validation of subscripts and attributes in type expressions (#24329)
Use infer_type_expression for parsing parameter annotations and return-type annotations (#24353)
Use infer_type_expression for validating PEP-613 type aliases (#24370)
Validate TypedDict fields when subclassing (#24338)
Validate type qualifiers in functional TypedDict fields and the extra_items keyword to functional TypedDicts (#24360)
Improve diagnostics for invalid functional TypedDicts (#24345)



... (truncated)


Commits

438a78d Bump version to 0.0.29 (#3218)
927aad2 Bump version to 0.0.28 (#3206)
29d288e Publish installers to /installers/ty/latest on the mirror (#3202)
5c9e342 Bump version to 0.0.27 (#3185)
e6a5731 Update actions/cache action to v5.0.4 (#3172)
c47b982 Update prek dependencies (#3173)
657abcf Update astral-sh/setup-uv action to v8 (#3174)
9e582cb Fetch the cargo-dist binary directly instead of using the installer (#3160)
d5c51ea docs: use content tabs (#3146)
9893776 Use the release environment in publish-docs (#3147)
See full diff in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions