chore(deps): bump the dev-dependencies group across 1 directory with 32 updates

[dependabot]

Updates the requirements on pydantic, starlette, uvicorn, python-multipart, sqlalchemy, testcontainers, pika, fastapi, granian, redis, gitpython, grpcio, websockets, boto3, azure-storage-blob, opentelemetry-api, opentelemetry-sdk, opentelemetry-instrumentation-starlette, structlog, presidio-analyzer, presidio-anonymizer, pyjwt, cryptography, pyotp, click, pytest, pytest-asyncio, coverage, mypy, ruff, respx and aiosmtpd to permit the latest version.
Updates pydantic to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• See full diff in compare view

Updates starlette to 1.3.1

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

• Use StarletteDeprecationWarning instead of DeprecationWarning by @​Kludex in Kludex/starlette#3119
• Enforce max_fields and max_part_size in FormParser by @​Kludex in Kludex/starlette#3329
• Enforce FormParser limits in parser callbacks by @​Kludex in Kludex/starlette#3331

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

• Enforce max_fields and max_part_size in FormParser #3329.
• Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

• Add httpx2 to the full extra #3323.
• Annotate the URLPath protocol parameter with Literal #3285.

Fixed

• Build request.url from structured components #3326.
• Clamp oversized suffix ranges in FileResponse #3307.
• Catch OSError alongside MultiPartException when closing temp files #3191.
• Avoid collapsing exception groups raised from user code #2830.
• Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
• Fix IndexError in URL.replace() on a URL with no authority #3317.
• Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

• Use httpx2 for type checking in the testclient module #3304.
• Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

... (truncated)

Commits

• 8ebffd0 Version 1.3.1 (#3330)
• 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
• dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
• 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
• 5f8610c Version 1.3.0 (#3327)
• 167b585 Build request.url from structured components (#3326)
• 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
• e6f7ad1 avoid collapsing exception groups from user code (#2830)
• 115228f Annotate URLPath protocol parameter with Literal (#3285)
• 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
• Additional commits viewable in compare view

Updates uvicorn to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

• Bump httptools minimum version to 0.8.0 by @​Kludex in Kludex/uvicorn#2962
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) by @​Kludex in Kludex/uvicorn#2971

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

• Bump httptools minimum version to 0.8.0 (#2962)
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

• Support ws_max_size in wsproto implementation (#2915)
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

• Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

... (truncated)

Commits

• 3ef2e3e Version 0.49.0 (#2973)
• eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
• 630f4ac Make the watchfiles reload tests deterministic (#2972)
• 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
• 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
• be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
• c489d7e Bump httptools minimum version to 0.8.0 (#2962)
• 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
• 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
• cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
• Additional commits viewable in compare view

Updates python-multipart to 0.0.32

Release notes

Sourced from python-multipart's releases.

Version 0.0.32

What's Changed

• Replace per-byte partial-boundary scan with rfind lookbehind by @​Kludex in Kludex/python-multipart#300

Full Changelog: Kludex/python-multipart@0.0.31...0.0.32

Changelog

Sourced from python-multipart's changelog.

0.0.32 (2026-06-04)

• Speed up partial-boundary scanning for CR/LF-dense part data #300.

0.0.31 (2026-06-04)

• Speed up multipart header parsing and callback dispatch #295.
• Bound header field name size before validating #296.
• Validate Content-Length is non-negative in parse_form #297.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

• Speed up partial-boundary tail scan via bytes.find #281.
• Cap multipart boundary length at 256 bytes #282.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

... (truncated)

Commits

• 238ead6 Version 0.0.32 (#302)
• 8672979 Replace per-byte partial-boundary scan with rfind lookbehind (#300)
• 8190779 Bump the python-packages group with 7 updates (#301)
• 0d3c086 Use uv package ecosystem for Dependabot (#299)
• 4cffc68 Version 0.0.31 (#298)
• c814948 Reject negative Content-Length in parse_form (#297)
• 6b837d4 Bound header field name size before validating (#296)
• e0c4f9d Bump the github-actions group with 3 updates (#294)
• b8a01bb Bump the python-packages group with 3 updates (#293)
• 6732164 Speed up multipart header parsing and callback dispatch (#295)
• Additional commits viewable in compare view

Updates sqlalchemy to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

• [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

  References: #13207

• [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

  References: #13356

engine

• [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

  References: #9427

sql

• [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

  References: #10827

... (truncated)

Commits

• See full diff in compare view

Updates testcontainers to 4.14.2

Release notes

Sourced from testcontainers's releases.

testcontainers: v4.14.2

4.14.2 (2026-03-18)

Features

• kafka: allow configurable listener name and security protocol (#966) (44dd40b)

Changelog

Sourced from testcontainers's changelog.

4.14.2 (2026-03-18)

Features

• kafka: allow configurable listener name and security protocol (#966) (44dd40b)

4.14.1 (2026-01-31)

Bug Fixes

• Allow passing in a custom wait strategy string in MySQL, Cassandra, Kafka and Trino (#953) (be4d09e)
• compose: expose useful compose options (#951) (183e1aa)
• core: bring back dind tests (7337266)
• core: Use WaitStrategy internally for wait_for function (#942) (e323317)
• nats: add support for jetstream (#938) (49c9af8)
• Support Elasticsearch 9.x (#881) (f690e88), closes #860

4.14.0 (2026-01-07)

Features

• Add ExecWaitStrategy and migrate Postgres from deprecated decorator (#935) (2d9eee3)

Bug Fixes

• add ruff to deps (#919) (5853d32)
• cassandra,mysqk,kafka: Use wait strategy instead of deprecated wait_for_logs (#945) (b7791b9)
• core: recreate poetry lockfile with latest versions of libraries (#946) (9a97385)
• elasticsearch: Use wait strategy instead of deprecated decorator (#915) (c785ecd)
• minio: minio client requires kwargs now (#933) (37f5902)
• minio: Use wait strategy instead of deprecated decorator (#899) (febccb7)

4.13.3 (2025-11-14)

Bug Fixes

• do not require consumer of library to state nonsupport for py4 (#912) (f608df9)
• docs: Update dependencies for docs (#900) (3f66784)
• support python 3.14!!! - (#917) (f76e982)

4.13.2 (2025-10-07)

Bug Fixes

... (truncated)

Commits

• 5c67efb chore(main): release testcontainers 4.14.2 (#969)
• 44dd40b feat(kafka): allow configurable listener name and security protocol (#966)
• a78475a chore(main): Migrate to uv (#960)
• 17eb0b0 chore(main): release testcontainers 4.14.1 (#954)
• f690e88 fix: Support Elasticsearch 9.x (#881)
• 15e99ee add modifications
• 7337266 fix(core): bring back dind tests
• 49c9af8 fix(nats): add support for jetstream (#938)
• e323317 fix(core): Use WaitStrategy internally for wait_for function (#942)
• 183e1aa fix(compose): expose useful compose options (#951)
• Additional commits viewable in compare view

Updates pika to 1.4.1

Release notes

Sourced from pika's releases.

1.4.1

https://pypi.org/project/pika/1.4.1/ | GitHub milestone

Changelog

Sourced from pika's changelog.

1.4.1 (2026-05-22)

Merged pull requests:

• Fix Channel.close() for channels with multiple consumers #1596 (gbenson)

1.4.0 (2026-05-06)

Full Changelog

Implemented enhancements:

• Enforce yapf/google formatting in CI #1558
• Add Hatch dev environment and scripts #1579 (lukebakken)
• Drop more Python 2 compatibility code #1561 (lukebakken)

Closed issues:

• Add Hatch scripts to standardize developer commands #1578
• Fix outdated and broken documentation across the project #1568
• Update Codecov default branch and badge #1563
• GitHub actions workflows and test code need updates for RabbitMQ 4.3 #1547
• datetime.datetime.utcfromtimestamp() is deprecated #1539
• URLParameters这个类有bug #1533
• Custom transport #1532
• x-delay value is being returned in the header as a UINT64 and not a SINT16 #1531
• Pika should advertise the exchange_exchange_bindings client capability #1530
• Missing type annotations #1523
• There is no info about return type of queue_declare() method of pika.channel #1522
• Getting the user who sent the message #1510
• Where is examples/consume_recover_retry.py ? #1499
• Type Hint Issue with arguments parameter in queue_declare method of BlockingChannel Class - (expected "DeclareOk | None" [arg-type]) #1482
• queue_declare does not receive the callback at random times #1480
• There is no current event loop in thread #1479
• Cannot find reference 'exceptions' in '__init__.pyi' #1473
• Convert to pytest #1469
• Add a CI lint check using ruff and fix all findings #1371
• Add support for proxy configuration (Socks5) #1359
• BlockingIOError: [WinError 10035] A non-blocking socket operation could not be completed immediately #1314

Merged pull requests:

• Update outdated documentation across the pika project #1577 (suchitd)
• Fix TypeError in select_connection #1575 (suchitd)
• Support Python 3.7+ in CI and fix typing_extensions import #1574 (lukebakken)
• Add yapf formatter enforcement #1573 (alonfaraj)
• Replace PIKA_TEST_TLS env with pytest flag #1572 (alonfaraj)
• Fix field table type decoding to match RabbitMQ wire format #1566 (lukebakken)
• Legacy file fixes #1562 (alonfaraj)
• Add AGENTS.md with AI agent guidelines #1560 (lukebakken)

... (truncated)

Commits

• 5f0ba9e Merge pull request #1597 from pika/pika-1.4.1
• 31d80a9 pika 1.4.1
• b7af301 Merge pull request #1596 from gbenson/main
• 305fbe6 pika 1.4.0
• 9a3a6e5 Merge pull request #1577 from pika/doc/project-scope-update
• f750ce3 Merge branch 'main' into doc/project-scope-update
• ccfe924 Ensure that pip is run the same way in each workflow.
• 47129ca Caching pip artifacts actually does not accomplish anything.
• 0a721f7 Fix copyright year and document legacy-python.yaml workflow
• f7f51db Merge branch 'main' into doc/project-scope-update
• Additional commits viewable in compare view

Updates fastapi to 0.138.0

Release notes

Sourced from fastapi's releases.

0.138.0

Features

• ✨ Add support for app.frontend("/", directory="dist") and router.frontend("/", directory="dist"). PR #15800 by @​tiangolo.
  • Read the docs: Frontend.

Docs

• 📝 Fix typo in release notes. PR #15807 by @​tiangolo.
• 📝 Add app.frontend() instructions to Agent Library Skill. PR #15805 by @​tiangolo.
• 📝 Update release notes link. PR #15802 by @​tiangolo.
• ✏️ Update white space characters in bigger apps. PR #15801 by @​tiangolo.
• ✏️ Fix grammar, typos, and broken links in docs. PR #15694 by @​YuriiMotov.

Translations

• 🌐 Enable Hindi docs translations. PR #15554 by @​YuriiMotov.

Internal

• 🐛 Fix failing test, update format for raised errors. PR #15804 by @​tiangolo.
• 👷 Fix test-alls-green. PR #15803 by @​tiangolo.
• 🔧 Enable checking release-notes.md for typos. PR #15796 by @​YuriiMotov.
• 📝 Tweak wording about deploying to FastAPI Cloud. PR #15793 by @​tiangolo.
• 🔨 Use gpt-5.5 model in translate.py, specify -chat to avoid warnings. PR #15792 by @​YuriiMotov.

Commits

• 4b83b0d 🔖 Release version 0.138.0 (#15808)
• 041cb0c 📝 Update release notes
• 1039384 📝 Fix typo in release notes (#15807)
• 0303491 📝 Update release notes
• 190f6e2 📝 Add Frontend instructions to Agent Library Skill (#15805)
• 17945e5 📝 Update release notes
• 2260afa 🐛 Fix failing test, update format for raised errors (#15804)
• 0cd5001 📝 Update release notes
• 7cb1ab6 👷 Fix test-alls-green (#15803)
• 9c7eceb 📝 Update release notes
• Additional commits viewable in compare view

Updates granian to 2.7.7

Release notes

Sourced from granian's releases.

Granian 2.7.7

Patch release

Changes since 2.7.6:

• Fix a bug in ASGI protocol websockets teardown leading to Python's event-loop blocking
• Fix a memory leak in async applications calls

Commits

• 3602250 Pin maturin to 1.13
• 0afbc3b Review ws teardown flow in ASGI proto (#864)
• bc190d7 Ensure decref in CallbackSchedulerState ffi calls (ref #862)
• 4b05673 Bump version to 2.7.7
• 9faa93e Polar no longer supports OSS
• 564a78f Bump dependencies
• 26799c9 Enhance workers shutdown, add more log info on shutdown
• 64b055b Bump version to 2.7.6
• 822548b Review proxy headers util impl
• a7d8f1d Drop handle with interpreter attached on ipc shutdown (#847)
• Additional commits viewable in compare view

Updates redis to 8.0.1

Release notes

Sourced from redis's releases.

8.0.1

Changes

🐛 Bug Fixes

• Fix Unix socket maintenance notification handling and tests (#4097)
• Fix async cluster node connection release on write errors (#4111)
• Fixed async MultiDBClient with underlying RedisCluster (#4108)
• Fix hiredis readiness checks for high file descriptors (#4115)
• fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
• Fixing pubsub's listen method to be blocking. (#4119)
• fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#4123)
• Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() instead of a per-call selector (#4118)

🧰 Maintenance

• Updating PyJWT dependency. (#4100)
• Update CI badge in README.md (#4099)
• Add missing url query argument parser for ssl_min_version (#4047)
• ci: least-privilege permissions on spellcheck (read) and stale-issues (job-level write for actions/stale) (#4080)
• Bumping github-versions actions (#4102)
• Updating lib version + supported Redis versions in README.md + updating the Redis versions in CI test matrix (#4092)

We'd like to thank all the contributors who worked on this release! @​violuke @​mokashang @​arpitjain099 @​coredumperror @​elena-kolevska @​vladvildanov @​petyaslavova

Commits

• 7c0fd11 Updating lib version to 8.0.1
• b7a4d7d Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() ...
• eec778e fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#...
• 08e01bb Fixing pubsub's listen method to be blocking. (#4119)
• 3d5257a fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
• cce28ff Fix hiredis readiness checks for high file descriptors (#4115)
• e20691c Fixed async MultiDBClient with underlying RedisCluster (#4108)
• ea37fcc Fix async cluster node connection release on write errors (#4111)
• f4146fa Updating lib version + supported Redis versions in README.md + updating the R...
• d47674e Bumping github-versions actions (#4102)
• Additional commits viewable in compare view

Updates gitpython to 3.1.50

Release notes

Sourced from gitpython's releases.

3.1.50

What's Changed

• Bump https://github.com/astral-sh/ruff-pre-commit from v0.15.8 to 0.15.12 in the pre-commit group by @​dependabot[bot] in gitpython-developers/GitPython#2140
• Bump git/ext/gitdb from 335c0f6 to 53c94d6 by @​dependabot[bot] in gitpython-developers/GitPython#2141
• Fix Repo() autodiscovery in linked worktrees when GIT_DIR is set by @​meliezer in gitpython-developers/GitPython#2128
• Validate config key names before writing by @​Byron in gitpython-developers/GitPython#2142

New Contributors

• @​meliezer made their first contribution in gitpython-developers/GitPython#2128

Full Changelog: gitpython-developers/GitPython@3.1.49...3.1.50

Commits

• 5a294a6 bump version to 3.1.50
• d7b029f Merge pull request #2142 from gitpython-developers/fix-validate-config-key-ne...
Description has been truncated