Bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
langchain-core	1.2.26	1.2.29
agent-framework-core	1.0.0rc5	1.0.1
logfire	4.31.0	4.32.0
ruff	0.15.8	0.15.10
prek	0.3.8	0.3.9

Updates langchain-core from 1.2.26 to 1.2.29

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.29

Changes since langchain-core==1.2.28

release(core): 1.2.29 and also port #36725 (#36727)

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

Commits

• 479a255 release(core): 1.2.29 and also port #36725 (#36727)
• 396711b ci: pin all actions to full-length commit SHAs (#36621) (#36728)
• dd7c3eb release(core): release 1.2.28 (#36614)
• af2ed47 fix(core): add more sanitization to templates (#36612)
• 7e5858d release(standard-tests): 1.1.6 (#36610)
• fe99cb2 fix(standard-tests): update standard tests for sandbox backends (#36036)
• 65bbd47 chore(model-profiles): refresh model profile data (#36596)
• 6486404 release(core): 1.2.27 (#36586)
• 7629c74 fix(core): handle symlinks in deprecated prompt save path (#36585)
• ce21bf4 ci: convert working-directory to validated dropdown (#36575)
• Additional commits viewable in compare view

Updates agent-framework-core from 1.0.0rc5 to 1.0.1

Release notes

Sourced from agent-framework-core's releases.

python-1.0.1

1.0.1 - 2026-04-09

[!IMPORTANT]
Security hardening for FileCheckpointStorage: Checkpoint deserialization now flows through a restricted unpickler by default, which only permits a built-in set of safe Python types and all agent_framework framework types. If your application stores custom types in checkpoints, pass their "module:qualname" identifiers via the new allowed_checkpoint_types constructor parameter — otherwise loads will raise WorkflowCheckpointException. See Security Considerations for details and the opt-in format.

Added

• samples: Add sample documentation for two separate Neo4j context providers for retrieval and memory (#4010)
• agent-framework-azure-cosmos: Add Cosmos DB NoSQL checkpoint storage for Python workflows (#4916)

Changed

• docs: Remove pre-release flag from agent-framework installation instructions (#5082)
• samples: Revise agent examples in README.md (#5067)
• repo: Update CHANGELOG with v1.0.0 release (#5069)
• agent-framework-core: [BREAKING] Fix handoff workflow context management and improve AG-UI demo (#5136)
• agent-framework-core: Restrict persisted checkpoint deserialization by default (#4941)
• samples: Bump vite from 7.3.1 to 7.3.2 in /python/samples/05-end-to-end/ag_ui_workflow_handoff/frontend (#5132)
• python: Bump cryptography from 46.0.6 to 46.0.7 (#5176)
• python: Bump mcp from 1.26.0 to 1.27.0 (#5117)
• python: Bump mcp[ws] from 1.26.0 to 1.27.0 (#5119)

Fixed

• agent-framework-core: Raise clear handler registration error for unresolved TypeVar annotations (#4944)
• agent-framework-openai: Fix response_format crash on background polling with empty text (#5146)
• agent-framework-foundry: Strip tools from FoundryAgent request when agent_reference is present (#5101)
• agent-framework-core: Fix test compatibility for entity key validation (#5179)
• agent-framework-openai: Stop emitting duplicate reasoning content from response.reasoning_text.done and response.reasoning_summary_text.done events (#5162)

Full Changelog: microsoft/agent-framework@python-1.0.0...python-1.0.1

dotnet-1.0.0

Changes:

• c798cb7a2ecd675c898db84931fb700060bceb77 release: Mark Handoff Orchestrations Experimental (#5065)
• 524c0216e45a1b6e09b3e2816321c23a4ef57962 .NET: Update release versions (#5059)
• 281661e4097868f75cef5219353b1ddb3106a081 .NET: Remove timeout from InputWait in OffThread execution (#4996)
• b0613a8cebdee0e67f81acb1553d9cc1f9318c2b .NET: Bump Azure.AI.Projects to 2.0.0 GA (#5060)
• 79b38040e8193aa9abf06a7b2f31d69f551af0af fix: Update Google.GenAI to verison compatible with M.E.AI 10.4.0+ (#5061)
• a356a165681d0ecd3583250aeff2159820269ce8 .NET: Remove OpenAIAssistantClientExtensions class (#5058)

• 628bb1af48ea264d17147f30190c1e745da309f7 .NET: Rename Microsoft.Agents.AI.AzureAI to Microsoft.Agents.AI.Foundry and consolidate FoundryMemory (#5042)
• 15e435b47237b2d5f246df1cae28701e2d3780fa Fix telemetry sample bug (#5037)
• 38de9914815833f7e06644c516dfef53853b3785 .NET: Fix RequestInfoEvent lost when resuming workflow from checkpoint (#4955)
• 25696a72dca5f1c07917076b5ad2d0520f89b3bb .NET: Replace Azure Foundry/Azure AI Foundry with Microsoft Foundry in .NET samples (#5032)
• 2cb78ea12e20ffcd102b00c0f42a23f53a32df21 fix and unify devui samples (#5025)
• acaadc9c45702325b0ffb71009f8a558b114a9c9 .NET: Add a verify-samples tool and skill (#5005)
• 34329840e1db8bb67c5bc010fedca2426dddacae Add Neo4j GraphRAG samples (#4994)
• 2a8c3e2dcf4b7c90df844c18c5b8190b63e48b82 fixes to azure ai search init, samples (#5021)

... (truncated)

Commits

• 4a36f10 Python: Bump Python version to 1.0.1 for a release (#5196)
• d4036c5 Python: Migrate GitHub Copilot package to SDK 0.2.x (#5107)
• 790a759 Bump mcp from 1.26.0 to 1.27.0 in /python (#5117)
• a172313 Bump mcp[ws] from 1.26.0 to 1.27.0 in /python (#5119)
• e8757ce Bump cryptography from 46.0.6 to 46.0.7 in /python (#5176)
• eea543e Bump vite (#5132)
• 4dbe696 Python: Restrict persisted checkpoint deserialization by default (#4941)
• 5e8fe0b Python: Stop emitting duplicate reasoning content from OpenAI `response.reaso...
• 1dd828d CHANGELOG Update with V1.0.0 Release (#5069)
• 8348584 VerifySamples: Filter projects to net10 only (#5184)
• Additional commits viewable in compare view

Updates logfire from 4.31.0 to 4.32.0

Release notes

Sourced from logfire's releases.

v4.32.0

• Add push_dataset helpers to the experimental API client by @​dmontagu in #1848

v4.31.2

• fix: Show token badges for OpenAI streaming logs by @​alexmojaki in #1857
• fix: OTel warning during tail sampling buffer replay by @​cyberksh in #1632

v4.31.1

• Capture token usage and cost attributes in OpenAI streaming logs by @​alexmojaki in #1846
• Capture token usage and cost attributes in Anthropic streaming logs by @​alexmojaki in #1850
• Capture operation.cost for OpenAI embeddings by @​alexmojaki in #1843
• Capture gen_ai.usage.raw for Anthropic by @​alexmojaki in #1847
• fix: strip cf-connecting-ip header in forward_export_request by @​BreytMN in #1824
• Handle patching of sys.stdout better by @​alexmojaki in #1840

Changelog

Sourced from logfire's changelog.

[v4.32.0] (2026-04-10)

• Add push_dataset helpers to the experimental API client by @​dmontagu in #1848

[v4.31.2] (2026-04-10)

• fix: Show token badges for OpenAI streaming logs by @​alexmojaki in #1857
• fix: OTel warning during tail sampling buffer replay by @​cyberksh in #1632

[v4.31.1] (2026-04-09)

• Capture token usage and cost attributes in OpenAI streaming logs by @​alexmojaki in #1846
• Capture token usage and cost attributes in Anthropic streaming logs by @​alexmojaki in #1850
• Capture operation.cost for OpenAI embeddings by @​alexmojaki in #1843
• Capture gen_ai.usage.raw for Anthropic by @​alexmojaki in #1847
• fix: strip cf-connecting-ip header in forward_export_request by @​BreytMN in #1824
• Handle patching of sys.stdout better by @​alexmojaki in #1840

Commits

• 644e5ad Release v4.32.0 (#1859)
• b68c838 Add push_dataset helpers to the experimental API client (#1848)
• c3fa8f1 Release v4.31.2 (#1858)
• 7460a5e fix: add gen_ai.system to OpenAI streaming logs (#1857)
• 13a96f4 refactor: gateway shutdown date (#1855)
• cada147 remove note about not supporting grpc ingest (#1853)
• 955c32a fix: otel warning during tail sampling buffer replay (#1632)
• bf8a027 chore: Remove completed usage attribute specs (#1852)
• f66769a Release v4.31.1 (#1851)
• 73678d7 Add usage attributes to Anthropic streaming spans (#1850)
• Additional commits viewable in compare view

Updates ruff from 0.15.8 to 0.15.10

Release notes

Sourced from ruff's releases.

0.15.10

Release Notes

Released on 2026-04-09.

Preview features

• [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
• [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
• [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

• Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
• Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
• Strip form feeds from indent passed to dedent_to (#24381)
• [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
• Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

• [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

• Add support for custom file extensions (#24463)

Documentation

• Document adding fixes in CONTRIBUTING.md (#24393)
• Fix JSON typo in settings example (#24517)

Contributors

• @​charliermarsh
• @​dylwil3
• @​silverstein
• @​anishgirianish
• @​shizukushq
• @​zanieb
• @​AlexWaygood

Install ruff 0.15.10

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.10/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.10

Released on 2026-04-09.

Preview features

• [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
• [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
• [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

• Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
• Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
• Strip form feeds from indent passed to dedent_to (#24381)
• [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
• Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

• [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

• Add support for custom file extensions (#24463)

Documentation

• Document adding fixes in CONTRIBUTING.md (#24393)
• Fix JSON typo in settings example (#24517)

Contributors

• @​charliermarsh
• @​dylwil3
• @​silverstein
• @​anishgirianish
• @​shizukushq
• @​zanieb
• @​AlexWaygood

0.15.9

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

... (truncated)

Commits

• 252f761 Bump 0.15.10 (#24519)
• 37a1ec8 [ty] Fix assignability of intersections with bounded typevars (#24502)
• f518cc9 [ty] Allow partially stringified type[…] annotations (#24518)
• 16c4090 docs: fix JSON typo in settings example (#24517)
• 99d97bd [ty] Tighten up a few edge cases in Concatenate type-expression parsing (#2...
• 2714e34 [ty] Enable pull-diagnostics by default in E2E tests (#24516)
• d8bc700 LSP: Add support for custom extensions (#24463)
• a45f96d [ty] stop special-casing str constructor (#24514)
• 87a0f01 [ruff] Treat f-string interpolation as potential side effect in RUF019 (#24426)
• e9ba848 [ty] Fix excess subscript argument inference for non-generic types (#24354)
• Additional commits viewable in compare view

Updates prek from 0.3.8 to 0.3.9

Release notes

Sourced from prek's releases.

0.3.9

Release Notes

Released on 2026-04-13.

Highlight

prek auto-update is now stricter about pinned revisions and more useful in CI. It now keeps rev and # frozen: comments in sync, can detect impostor commits when validating pinned SHAs, and lets you use prek auto-update --check to fail on both available updates and frozen-ref mismatches without rewriting the config.

Examples:

$ prek auto-update
# updates revs and repairs stale `# frozen:` comments
$ prek auto-update --freeze
writes frozen SHAs with matching # frozen: <tag> comments
$ prek auto-update --check
exits non-zero when updates are available, a # frozen: comment is stale,
or a pinned SHA does not belong to the fetched upstream refs

Enhancements

• Check and sync frozen comments during auto-update (#1896)
• Handle impostor commits in auto-update (#1919)
• Add experimental language: dotnet support (#1871)
• Honor repo and worktree core.hooksPath (#1892)
• Add prek run --no-fail-fast to override config file (#1859)
• Add forbid-new-submodules as builtin hook (#1853)
• Clean stale patch files in cache gc (#1877)
• Display auto-update results by config entry (#1922)
• Restrict patch directory permissions (#1876)
• Show tag names in auto-update --freeze output (#1916)
• Use a bitset for hook stages (#1860)

Bug fixes

• Canonicalize CWD and GIT_ROOT paths (#1878)
• Ensure quotes are added for non-string revisions in auto-update (#1936)

Documentation

• Update docs for case of hooks modifying files with a non-zero exit code (#1879)

... (truncated)

Changelog

Sourced from prek's changelog.

0.3.9

Released on 2026-04-13.

Highlight

prek auto-update is now stricter about pinned revisions and more useful in CI. It now keeps rev and # frozen: comments in sync, can detect impostor commits when validating pinned SHAs, and lets you use prek auto-update --check to fail on both available updates and frozen-ref mismatches without rewriting the config.

Examples:

$ prek auto-update
# updates revs and repairs stale `# frozen:` comments
$ prek auto-update --freeze
writes frozen SHAs with matching # frozen: <tag> comments
$ prek auto-update --check
exits non-zero when updates are available, a # frozen: comment is stale,
or a pinned SHA does not belong to the fetched upstream refs

Enhancements

• Check and sync frozen comments during auto-update (#1896)
• Handle impostor commits in auto-update (#1919)
• Add experimental language: dotnet support (#1871)
• Honor repo and worktree core.hooksPath (#1892)
• Add prek run --no-fail-fast to override config file (#1859)
• Add forbid-new-submodules as builtin hook (#1853)
• Clean stale patch files in cache gc (#1877)
• Display auto-update results by config entry (#1922)
• Restrict patch directory permissions (#1876)
• Show tag names in auto-update --freeze output (#1916)
• Use a bitset for hook stages (#1860)

Bug fixes

• Canonicalize CWD and GIT_ROOT paths (#1878)
• Ensure quotes are added for non-string revisions in auto-update (#1936)

Documentation

• Update docs for case of hooks modifying files with a non-zero exit code (#1879)

Contributors

... (truncated)

Commits

• 3a9b9fe Ensure quotes are added for non-string revisions in auto-update (#1936)
• 501d1db Bump version to 0.3.9 (#1934)
• dc98c47 Honor repo and worktree core.hooksPath (#1892)
• 08c1f70 Remove bracket from auto-update project header (#1933)
• 4292fe2 Update pre-commit hook crate-ci/typos to v1.45.0 (#1930)
• adafad0 Update GitHub Actions (#1929)
• f0bf283 Update dependency uv to v0.11.3 (#1928)
• 059f272 Display auto-update results by config entry (#1922)
• 7899b90 Handle --no-lazy-fetch not available
• ff0769a Handle impostor commits in auto-update
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.