Skip to content

Deps: Bump the python-packages group with 7 updates#132

Merged
greenbonebot merged 1 commit into
mainfrom
dependabot/pip/python-packages-04a3e02b12
Apr 20, 2026
Merged

Deps: Bump the python-packages group with 7 updates#132
greenbonebot merged 1 commit into
mainfrom
dependabot/pip/python-packages-04a3e02b12

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Copy link
Copy Markdown
Contributor

Bumps the python-packages group with 7 updates:

Package From To
fastapi 0.135.3 0.136.0
lxml 6.0.4 6.1.0
packaging 26.0 26.1
pydantic 2.13.0b3 2.13.2
pydantic-core 2.45.0 2.46.2
ruff 0.15.10 0.15.11
stamina 25.2.0 26.1.0

Updates fastapi from 0.135.3 to 0.136.0

Release notes

Sourced from fastapi's releases.

0.136.0

Upgrades

0.135.4

Refactors

Internal

Commits

Updates lxml from 6.0.4 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.
Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

Updates packaging from 26.0 to 26.1

Release notes

Sourced from packaging's releases.

26.1

Features:

Behavior adaptations:

Pylock (PEP 751) updates:

Fixes:

Performance:

... (truncated)

Changelog

Sourced from packaging's changelog.

26.1 - 2026-04-14


Features:
  • PEP 783: add handling for Emscripten wheel tags in (:pull:804)
  • PEP 803: add handling for the abi3.abi3t free-threading tag in (:pull:1099)
  • PEP 723: add packaging.dependency_groups module, based on the dependency-groups package in (:pull:1065)
  • Add the packaging.direct_url module in (:pull:944)
  • Add the packaging.errors module in (:pull:1071)
  • Add SpecifierSet.is_unsatisfiable using ranges (new internals that will be expanded in future versions) in (:pull:1119)
  • Add create_compatible_tags_selector to select compatible tags in (:pull:1110)
  • Add a key argument to SpecifierSet.filter() in (:pull:1068)
  • Support & and | for Marker's in (:pull:1146)
  • Normalize Version.__replace__ and add Version.from_parts in (:pull:1078)
  • Add an option to validate compressed tag set sort order in parse_wheel_filename in (:pull:1150)

Behavior adaptations:

  • Narrow exclusion of pre-releases for <V.postN to match spec in (:pull:1140)
  • Narrow exclusion of post-releases for >V to match spec in (:pull:1141)
  • Rename format_full_version to _format_full_version to make it visibly private in (:pull:1125)
  • Restrict local version to ASCII in (:pull:1102)

Pylock (PEP 751) updates:

  • Add pylock select function in (:pull:1092)
  • Document pylock select() method and PylockSelectError in (:pull:1153)
  • Add filename property to PackageSdist and PackageWheel, more validation in (:pull:1095)
  • Give preference to path over url in (:pull:1128)
  • Validate name/version consistency in file names in (:pull:1114)

Fixes:

  • Fix > comparison for versions with dev+local segments in (:pull:1097)
  • Fix incorrect self-comparison for InfinityType and NegativeInfinityType in (:pull:1093)
  • Canonicalize when deduplicating specifiers in SpecifierSet in (:pull:1109)
  • Fix charset error message formatting in (:pull:1121)
  • Handle the key parameter in SpecifierSet.filter when specifiers are empty and prerelease is False in (:pull:1096)
  • Standardize inner components of repr output in (:pull:1090)
  • Specifier's === uses original string, not normalized, when available in (:pull:1124)
  • Propagate int-max-str-digits ValueError in (:pull:1155)

Performance:

  • Add fast path for parsing simple versions (digits and dots only) in (:pull:1082)
  • Add fast path for Version to Version comparison by skipping _key property in (:pull:1083)
  • Cache Version hash value in dedicated slot in (:pull:1118)
  • Overhaul _cmpkey to remove use of custom objects in (:pull:1116)
  • Skip __replace__ in Specifier comparison if not needed in (:pull:1081)
    </tr></table>

... (truncated)

Commits
  • c1a88a3 Bump for release
  • 702c25e docs: update changelog for 26.1 (#1156)
  • 3f4f5d4 Implement is_unsatisfiable on SpecifierSet using ranges (#1119)
  • 06c6555 Propagate int-max-str-digits ValueError (#1155)
  • 905c90c feat: option to validate compressed tag set sort order in `parse_wheel_filena...
  • af0026c docs(pylock): document select() method and PylockSelectError (#1153)
  • 668da86 Rename format_full_version to _format_full_version to make it visibly private...
  • f294d52 tests: do not reload the tags module (#1152)
  • 2c6c7df feat: add handling for Emscripten wheels tags per PEP 783 (#804)
  • 6762eea docs(markers): document & and | operators for combining Marker objects (#1151)
  • Additional commits viewable in compare view

Updates pydantic from 2.13.0b3 to 2.13.2

Release notes

Sourced from pydantic's releases.

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

Packaging

  • Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
  • Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

New Features

  • Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

Fixes

  • Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #13049
  • Fix model equality when using runtime extra configuration by @​Viicos in #13062

New Contributors

Full Changelog: pydantic/pydantic@v2.12.0...v2.13.0

Changelog

Sourced from pydantic's changelog.

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features

  • Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

Fixes

  • Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #13049
  • Fix model equality when using runtime extra configuration by @​Viicos in #13062

Packaging

... (truncated)

Commits

Updates pydantic-core from 2.45.0 to 2.46.2

Commits

Updates ruff from 0.15.10 to 0.15.11

Release notes

Sourced from ruff's releases.

0.15.11

Release Notes

Released on 2026-04-16.

Preview features

  • [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
  • [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
  • [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

  • [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

  • [flake8-async] Add override mention to ASYNC109 docs (#24666)
  • Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

Install ruff 0.15.11

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.ps1 | iex"

Download ruff 0.15.11

File Platform Checksum
ruff-aarch64-apple-darwin.tar.gz Apple Silicon macOS checksum
ruff-x86_64-apple-darwin.tar.gz Intel macOS checksum
ruff-aarch64-pc-windows-msvc.zip ARM64 Windows checksum
ruff-i686-pc-windows-msvc.zip x86 Windows checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.11

Released on 2026-04-16.

Preview features

  • [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
  • [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
  • [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

  • [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

  • [flake8-async] Add override mention to ASYNC109 docs (#24666)
  • Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

Commits

Updates stamina from 25.2.0 to 26.1.0

Release notes

Sourced from stamina's releases.

26.1.0

Highlights

stamina now allows more than 1024 retries by handling overflows and warns on a footgun.

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Kraken Tech (@kraken-tech), Klaviyo (@klaviyo), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Ecosystems (@ecosyste-ms), TestMu AI Open Source Office (Formerly LambdaTest) (@LambdaTest-Inc), Doist (@Doist), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Celebrity News AG (@celebritynewsag), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Full Changelog

Changed

  • Passing timeout=0 now raises a warning since it counterintuitively disables all retries. If you explicitly want to disable the timeout, use timeout=None.

Fixed

  • _compute_backoff() no longer raises OverflowError when the attempt number exceeds 1024 with a float wait_exp_base. The exponential result is now clamped to wait_max on overflow. #137

This release contains contributions from @​hynek, and @​vigneshakaviki.

Artifact Attestations

You can verify this release's artifact attestions using GitHub's CLI tool by downloading the sdist and wheel from PyPI and running:

$ gh attestation verify --owner hynek stamina-26.1.0.tar.gz

and

</tr></table> 

... (truncated)

Changelog

Sourced from stamina's changelog.

26.1.0 - 2026-04-13

Changed

  • Passing timeout=0 now raises a warning since it counterintuitively disables all retries. If you explicitly want to disable the timeout, use timeout=None.

Fixed

  • _compute_backoff() no longer raises OverflowError when the attempt number exceeds 1024 with a float wait_exp_base. The exponential result is now clamped to wait_max on overflow. #137
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-packages group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [fastapi](https://github.com/fastapi/fastapi) | `0.135.3` | `0.136.0` |
| [lxml](https://github.com/lxml/lxml) | `6.0.4` | `6.1.0` |
| [packaging](https://github.com/pypa/packaging) | `26.0` | `26.1` |
| [pydantic](https://github.com/pydantic/pydantic) | `2.13.0b3` | `2.13.2` |
| [pydantic-core](https://github.com/pydantic/pydantic) | `2.45.0` | `2.46.2` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.10` | `0.15.11` |
| [stamina](https://github.com/hynek/stamina) | `25.2.0` | `26.1.0` |


Updates `fastapi` from 0.135.3 to 0.136.0
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.135.3...0.136.0)

Updates `lxml` from 6.0.4 to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.4...lxml-6.1.0)

Updates `packaging` from 26.0 to 26.1
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@26.0...26.1)

Updates `pydantic` from 2.13.0b3 to 2.13.2
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/v2.13.2/HISTORY.md)
- [Commits](pydantic/pydantic@v2.13.0b3...v2.13.2)

Updates `pydantic-core` from 2.45.0 to 2.46.2
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](https://github.com/pydantic/pydantic/commits)

Updates `ruff` from 0.15.10 to 0.15.11
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.10...0.15.11)

Updates `stamina` from 25.2.0 to 26.1.0
- [Release notes](https://github.com/hynek/stamina/releases)
- [Changelog](https://github.com/hynek/stamina/blob/main/CHANGELOG.md)
- [Commits](hynek/stamina@25.2.0...26.1.0)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.136.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: packaging
  dependency-version: '26.1'
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: pydantic
  dependency-version: 2.13.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: pydantic-core
  dependency-version: 2.46.2
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: ruff
  dependency-version: 0.15.11
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: stamina
  dependency-version: 26.1.0
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 20, 2026
@dependabot dependabot Bot requested review from a team as code owners April 20, 2026 04:17
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 20, 2026
@greenbonebot greenbonebot enabled auto-merge (rebase) April 20, 2026 04:18
@greenbonebot greenbonebot merged commit 5c41597 into main Apr 20, 2026
11 of 12 checks passed
@greenbonebot greenbonebot deleted the dependabot/pip/python-packages-04a3e02b12 branch April 20, 2026 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants