chore(deps): bump the dev-dependencies group across 1 directory with 35 updates

[dependabot]

Updates the requirements on pydantic, starlette, uvicorn, python-multipart, sqlalchemy, alembic, argon2-cffi, testcontainers, pika, fastapi, granian, redis, gitpython, grpcio, websockets, boto3, azure-storage-blob, opentelemetry-api, opentelemetry-sdk, opentelemetry-instrumentation-starlette, structlog, presidio-analyzer, presidio-anonymizer, pyjwt, cryptography, pyotp, click, pytest, pytest-asyncio, coverage, mypy, ruff, respx, aiosmtpd and mkdocs-material to permit the latest version.
Updates pydantic to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• See full diff in compare view

Updates starlette to 1.3.1

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

• Use StarletteDeprecationWarning instead of DeprecationWarning by @​Kludex in Kludex/starlette#3119
• Enforce max_fields and max_part_size in FormParser by @​Kludex in Kludex/starlette#3329
• Enforce FormParser limits in parser callbacks by @​Kludex in Kludex/starlette#3331

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

• Enforce max_fields and max_part_size in FormParser #3329.
• Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

• Add httpx2 to the full extra #3323.
• Annotate the URLPath protocol parameter with Literal #3285.

Fixed

• Build request.url from structured components #3326.
• Clamp oversized suffix ranges in FileResponse #3307.
• Catch OSError alongside MultiPartException when closing temp files #3191.
• Avoid collapsing exception groups raised from user code #2830.
• Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
• Fix IndexError in URL.replace() on a URL with no authority #3317.
• Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

• Use httpx2 for type checking in the testclient module #3304.
• Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

... (truncated)

Commits

• 8ebffd0 Version 1.3.1 (#3330)
• 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
• dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
• 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
• 5f8610c Version 1.3.0 (#3327)
• 167b585 Build request.url from structured components (#3326)
• 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
• e6f7ad1 avoid collapsing exception groups from user code (#2830)
• 115228f Annotate URLPath protocol parameter with Literal (#3285)
• 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
• Additional commits viewable in compare view

Updates uvicorn to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

• Bump httptools minimum version to 0.8.0 by @​Kludex in Kludex/uvicorn#2962
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) by @​Kludex in Kludex/uvicorn#2971

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

• Bump httptools minimum version to 0.8.0 (#2962)
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

• Support ws_max_size in wsproto implementation (#2915)
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

• Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

... (truncated)

Commits

• 3ef2e3e Version 0.49.0 (#2973)
• eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
• 630f4ac Make the watchfiles reload tests deterministic (#2972)
• 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
• 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
• be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
• c489d7e Bump httptools minimum version to 0.8.0 (#2962)
• 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
• 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
• cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
• Additional commits viewable in compare view

Updates python-multipart to 0.0.32

Release notes

Sourced from python-multipart's releases.

Version 0.0.32

What's Changed

• Replace per-byte partial-boundary scan with rfind lookbehind by @​Kludex in Kludex/python-multipart#300

Full Changelog: Kludex/python-multipart@0.0.31...0.0.32

Changelog

Sourced from python-multipart's changelog.

0.0.32 (2026-06-04)

• Speed up partial-boundary scanning for CR/LF-dense part data #300.

0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch #295.
• Bound header field name size before validating #296.
• Validate Content-Length is non-negative in parse_form #297.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

• Speed up partial-boundary tail scan via bytes.find #281.
• Cap multipart boundary length at 256 bytes #282.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

... (truncated)

Commits

• 238ead6 Version 0.0.32 (#302)
• 8672979 Replace per-byte partial-boundary scan with rfind lookbehind (#300)
• 8190779 Bump the python-packages group with 7 updates (#301)
• 0d3c086 Use uv package ecosystem for Dependabot (#299)
• 4cffc68 Version 0.0.31 (#298)
• c814948 Reject negative Content-Length in parse_form (#297)
• 6b837d4 Bound header field name size before validating (#296)
• e0c4f9d Bump the github-actions group with 3 updates (#294)
• b8a01bb Bump the python-packages group with 3 updates (#293)
• 6732164 Speed up multipart header parsing and callback dispatch (#295)
• Additional commits viewable in compare view

Updates sqlalchemy to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

• [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

  References: #13207

• [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

  References: #13356

engine

• [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

  References: #9427

sql

• [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

  References: #10827

... (truncated)

Commits

• See full diff in compare view

Updates alembic to 1.18.5

Release notes

Sourced from alembic's releases.

1.18.5

Released: June 25, 2026

usecase

• [usecase] [commands] Added --splice support to the merge() command. Previously, the merge command would suggest using --splice when attempting to merge non-head revisions, but the flag was not actually accepted by the command. The splice parameter is now available in both the command-line interface and the command.merge() function, matching the existing support in command.revision(). Pull request courtesy Kadir Can Ozden.

  References: #1712

• [usecase] [environment] Added ScriptDirectory.get_heads.consider_depends_on parameter to ScriptDirectory.get_heads(). When set to True, head revisions that are also a dependency of another revision via depends_on are excluded from the result, matching the effective heads that would be present in the alembic_version table after running all upgrades.

  References: #1806

bug

• [bug] [autogenerate] Fixed rendering of dialect keyword arguments containing ~sqlalchemy.schema.Column objects within sequences, such as postgresql_include. These were previously rendered using repr(), producing invalid Python in the generated migration scripts. Column objects within list or tuple values are now correctly rendered as their string column names. Pull request courtesy Ajay Singh.

  References: #1258

• [bug] [mysql] Implemented type comparison for ENUM datatypes on MySQL, which checks that the individual enum values are equivalent. If additional entries are on either side, this generates a diff. Changes of order do not generate a diff. Pull request courtesy Furkan Köykıran.

  References: #1745, #779

• [bug] [operations] Fixed bug where the inline_references parameter of Operations.add_column() did not include foreign key referential actions such as ON DELETE, ON UPDATE, DEFERRABLE, INITIALLY, and MATCH when rendering the inline REFERENCES clause.

... (truncated)

Commits

• See full diff in compare view

Updates argon2-cffi to 25.1.0

Release notes

Sourced from argon2-cffi's releases.

25.1.0

Highlights

This release is mostly about smoothing out packaging metadata and improve support for Pyodide / WebAssembly environments.

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Klaviyo (@klaviyo), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Doist (@Doist), nate nowack (@zzstoatzz), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Jesse Snyder (@jessesnyder), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Moving Content AG (@moving-content), ProteinQure (@ProteinQure), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Not to forget 14 more amazing humans who chose to be generous but anonymous!

Full Changelog

Added

• Official support for Python 3.13 and 3.14. No code changes were necessary.

Removed

• Python 3.7 is not supported anymore. #186

Changed

• argon2.PasswordHasher.check_needs_rehash() now also accepts bytes like the rest of the API. #174

• Improved parameter compatibility handling for Pyodide / WebAssembly environments. #190

---

This release contains contributions from @​alarmfox, @​hynek, @​isidroas, @​ngoldbaum, @​peterc-s, and @​twm.

Artifact Attestations

You can verify this release's artifact attestions using GitHub's CLI tool by downloading the sdist and wheel from PyPI and running:

... (truncated)

Changelog

Sourced from argon2-cffi's changelog.

25.1.0 - 2025-06-03

Added

• Official support for Python 3.13 and 3.14. No code changes were necessary.

Removed

• Python 3.7 and 3.8 are not supported anymore. #186

Changed

• argon2.PasswordHasher.check_needs_rehash() now also accepts bytes like the rest of the API. #174

• Improved parameter compatibility handling for Pyodide / WebAssembly environments. #190

23.1.0 - 2023-08-15

Removed

• Python 3.6 is not supported anymore.

Deprecated

• The InvalidHash exception is deprecated in favor of InvalidHashError. No plans for removal currently exist and the names can (but shouldn't) be used interchangeably.

• argon2.hash_password(), argon2.hash_password_raw(), and argon2.verify_password() that have been soft-deprecated since 2016 are now hard-deprecated. They now raise DeprecationWarnings and will be removed in 2024.

Added

• Official support for Python 3.11 and 3.12. No code changes were necessary.

• argon2.exceptions.InvalidHashError as a replacement for InvalidHash.

• salt parameter to argon2.PasswordHasher.hash() to allow for custom salts. This is only useful for specialized use-cases -- leave it on None unless you know exactly what you are doing. #153

... (truncated)

Commits

• 1fcae4f Prepare 25.1.0
• 18939b1 ci: placate dr zizmor
• 8dcceb5 ci: pin & trust
• 9542242 Clean up trove classifiers
• 298af7e Switch to dependency groups (#202)
• 2eedf07 Update & rename Ruff
• bc861f0 Add 3.14
• f8260dd [pre-commit.ci] pre-commit autoupdate (#200)
• b8321fa Add a multithreaded stress test (#199)
• 9143d90 [pre-commit.ci] pre-commit autoupdate (#198)
• Additional commits viewable in compare view

Updates testcontainers to 4.14.2

Release notes

Sourced from testcontainers's releases.

testcontainers: v4.14.2

4.14.2 (2026-03-18)

Features

• kafka: allow configurable listener name and security protocol (#966) (44dd40b)

Changelog

Sourced from testcontainers's changelog.

4.14.2 (2026-03-18)

Features

• kafka: allow configurable listener name and security protocol (#966) (44dd40b)

4.14.1 (2026-01-31)

Bug Fixes

• Allow passing in a custom wait strategy string in MySQL, Cassandra, Kafka and Trino (#953) (be4d09e)
• compose: expose useful compose options (#951) (183e1aa)
• core: bring back dind tests (7337266)
• core: Use WaitStrategy internally for wait_for function (#942) (e323317)
• nats: add support for jetstream (#938) (49c9af8)
• Support Elasticsearch 9.x (#881) (f690e88), closes #860

4.14.0 (2026-01-07)

Features

• Add ExecWaitStrategy and migrate Postgres from deprecated decorator (#935) (2d9eee3)

Bug Fixes

• add ruff to deps (#919) (5853d32)
• cassandra,mysqk,kafka: Use wait strategy instead of deprecated wait_for_logs (#945) (b7791b9)
• core: recreate poetry lockfile with latest versions of libraries (#946) (9a97385)
• elasticsearch: Use wait strategy instead of deprecated decorator (#915) (c785ecd)
• minio: minio client requires kwargs now (#933) (37f5902)
• minio: Use wait strategy instead of deprecated decorator (#899) (febccb7)

4.13.3 (2025-11-14)

Bug Fixes

• do not require consumer of library to state nonsupport for py4 (#912) (f608df9)
• docs: Update dependencies for docs (#900) (3f66784)
• support python 3.14!!! - (#917) (f76e982)

4.13.2 (2025-10-07)

Bug Fixes

... (truncated)

Commits

• 5c67efb chore(main): release testcontainers 4.14.2 (#969)
• 44dd40b feat(kafka): allow configurable listener name and security protocol (#966)
• a78475a chore(main): Migrate to uv (#960)
• 17eb0b0 chore(main): release testcontainers 4.14.1 (#954)
• f690e88 fix: Support Elasticsearch 9.x (#881)
• 15e99ee add modifications
• 7337266 fix(core): bring back dind tests
• 49c9af8 fix(nats): add support for jetstream (#938)
• e323317 fix(core): Use WaitStrategy internally for wait_for function (#942)
• 183e1aa fix(compose): expose useful compose options (#951)
• Additional commits viewable in compare view

Updates pika to 1.4.1

Release notes

Sourced from pika's releases.

1.4.1

https://pypi.org/project/pika/1.4.1/ | GitHub milestone

Changelog

Sourced from pika's changelog.

1.4.1 (2026-05-22)

Merged pull requests:

• Fix Channel.close() for channels with multiple consumers #1596 (gbenson)

1.4.0 (2026-05-06)

Full Changelog

Implemented enhancements:

• Enforce yapf/google formatting in CI #1558
• Add Hatch dev environment and scripts #1579 (lukebakken)
• Drop more Python 2 compatibility code #1561 (lukebakken)

Closed issues:

• Add Hatch scripts to standardize developer commands #1578
• Fix outdated and broken documentation across the project #1568
• Update Codecov default branch and badge #1563
• GitHub actions workflows and test code need updates for RabbitMQ 4.3 #1547
• datetime.datetime.utcfromtimestamp() is deprecated #1539
• URLParameters这个类有bug #1533
• Custom transport #1532
• x-delay value is being returned in the header as a UINT64 and not a SINT16 #1531
• Pika should advertise the exchange_exchange_bindings client capability #1530
• Missing type annotations #1523
• There is no info about return type of queue_declare() method of pika.channel #1522
• Getting the user who sent the message #1510
• Where is examples/consume_recover_retry.py ? #1499
• Type Hint Issue with arguments parameter in queue_declare method of BlockingChannel Class - (expected "DeclareOk | None" [arg-type]) #1482
• queue_declare does not receive the callback at random times #1480
• There is no current event loop in thread #1479
• Cannot find reference 'exceptions' in '__init__.pyi' #1473
• Convert to pytest #1469
• Add a CI lint check using ruff and fix all findings #1371
• Add support for proxy configuration (Socks5) #1359
• BlockingIOError: [WinError 10035] A non-blocking socket operation could not be completed immediately #1314

Merged pull requests:

• Update outdated documentation across the pika project #1577 (suchitd)
• Fix TypeError in select_connection #1575 (suchitd)
• Support Python 3.7+ in CI and fix typing_extensions import #1574 (lukebakken)
• Add yapf formatter enforcement #1573 (alonfaraj)
• Replace PIKA_TEST_TLS env with pytest flag #1572 (alonfaraj)
• Fix field table type decoding to match RabbitMQ wire format #1566 (lukebakken)
• Legacy file fixes #1562 (alonfaraj)
• Add AGENTS.md with AI agent guidelines #1560 (lukebakken)

... (truncated)

Commits

• 5f0ba9e Merge pull request #1597 from pika/pika-1.4.1
• 31d80a9 pika 1.4.1
• b7af301 Merge pull request #1596 from gbenson/main
• 305fbe6 pika 1.4.0
• 9a3a6e5 Merge pull request #1577 from pika/doc/project-scope-update
• f750ce3 Merge branch 'main' into doc/project-scope-update
• ccfe924 Ensure that pip is run the same way in each workflow.
• 47129ca Caching pip artifacts actually does not accomplish anything.
• 0a721f7 Fix copyright year and document legacy-python.yaml workflow
• f7f51db Merge branch 'main' into doc/project-scope-update
• Additional commits viewable in compare view

Updates fastapi to 0.138.1

Release notes

Sourced from fastapi's releases.

0.138.1

Refactors

• ♻️ Refactor Library Skills, make info easier to find for agents. PR #15841 by @​tiangolo.

Internal

• 👷 Simplify pull request workflow triggers. PR #15836 by @​tiangolo.
• 👷 Update issue-manager to 0.7.1. PR #15833 by @​tiangolo.
• ⬆️ Update issue-manager to 0.7.0. PR #15831 by @​tiangolo.
• 🔧 Update sponsors: Add TestMu again. PR #15830 by @​tiangolo.
• 🔒️ Update zizmor workflow security checks. PR #15820 by @​tiangolo.
• ⬆ Bump pydantic-settings from 2.14.1 to 2.14.2. PR #15799 by @​dependabot[bot].

Commits

• b90c49a 🔖 Release version 0.138.1 (#15842)
• 1f2f3df 📝 Update release notes
• 0af003a ♻️ Refactor Library Skills, make info easier to find for agents (#15841)