
build(deps): bump the uv group across 1 directory with 8 updates #89

Merged
deeleeramone merged 7 commits into develop from dependabot/uv/pywry/uv-c367cfff6b
Jun 29, 2026

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Bumps the uv group with 8 updates in the /pywry directory:

| Package | From | To |
| --- | --- | --- |
| pydantic-settings | 2.14.1 | 2.14.2 |
| joserfc | 1.6.4 | 1.6.7 |
| langgraph-checkpoint | 4.0.2 | 4.1.1 |
| langgraph-sdk | 0.3.13 | 0.3.15 |
| langsmith | 0.8.0 | 0.8.18 |
| python-multipart | 0.0.27 | 0.0.31 |
| starlette | 1.0.1 | 1.3.1 |
| tornado | 6.5.6 | 6.5.7 |

Updates pydantic-settings from 2.14.1 to 2.14.2

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

Updates joserfc from 1.6.4 to 1.6.7

Release notes

Sourced from joserfc's releases.

1.6.7

   🐞 Bug Fixes


1.6.5

No significant changes

Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

  • Update for type hints.

1.6.6

Released on May 18, 2026

  • JWS: validate payload size when b64=false.

1.6.5

Released on May 3, 2026

  • JWS: increase registry's payload max size.
Commits
  • 1e5b94d chore: release 1.6.7
  • 75d9f95 fix(typing): use cast for type hints
  • 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
  • 102a7a7 fix(typing): accept any Collection for algorithms, not just list
  • 8b869e8 chore: release 1.6.6
  • 00d599b chore: update actions
  • 9186561 Merge pull request #97 from authlib/fix-b64
  • 4d4ea2e fix(jws): validate payload size for b64=false
  • b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
  • b89eadf test: normalize P-521 private key fixture
  • Additional commits viewable in compare view

Updates langgraph-checkpoint from 4.0.2 to 4.1.1

Release notes

Sourced from langgraph-checkpoint's releases.

langgraph-checkpoint==4.1.1

Changes since checkpoint==4.1.0

  • release(checkpoint): 4.1.1 (#7890)
  • fix(checkpoint): restrict lc:2 envelope revival to default constructor (#7892)
  • chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (#7860)
  • chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/checkpoint (#7784)

langgraph-checkpoint==4.1.0

Changes since checkpoint==4.1.0a4

  • release: bump alpha packages to official versions (#7775)
  • chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/checkpoint (#7762)
  • chore(deps): bump langchain-core from 1.3.2 to 1.3.3 in /libs/checkpoint (#7752)
  • feat(checkpoint): force delta channel snapshot after max supersteps since last snapshot (#7746)
  • fix(checkpoint): specify allowed_objects in Reviver (#7743)
  • chore: remove keepset helper (#7745)
  • chore(langgraph): add guide/conformance for delta channel checkpointer (#7736)
  • docs(checkpoint): mark DeltaChannel and delta-history APIs as beta (#7732)
  • chore(deps): bump the minor-and-patch group across 1 directory with 3 updates (#7670)
  • chore: "chore: minor clean up around checkpoint and delta channel" (#7706)
  • chore: minor clean up around checkpoint and delta channel (#7705)

langgraph-checkpoint==4.1.0a4

Changes since checkpoint==4.1.0a3

  • release: alpha bump (a4) for langgraph, checkpoint, checkpoint-postgres (#7701)
  • feat: public get_writes_history saver API + delta cadence rework (#7699)

langgraph-checkpoint==4.1.0a3

Changes since checkpoint==4.1.0a2

  • release: alpha bump (a3) for langgraph, checkpoint, checkpoint-postgres (#7678)
  • chore(langgraph): use two phase read to avoid unnecessary data transport (#7660)
  • release: alpha for timers (#7647)
  • feat(langgraph): DeltaChannel: store sentinel in blobs, reconstruct from checkpoint_writes (#7586)
  • chore: dynamic push-task timeouts (#7646)
  • chore: update x links to langchain_oss (#7645)
  • release(checkpoint): 4.0.3 (#7625)
  • fix(checkpoint): revive lc=2 JSON blobs for safe types without allowlist (#7582)

langgraph-checkpoint==4.1.0a2

Changes since checkpoint==4.1.0a1

langgraph-checkpoint==4.1.0a1

Changes since checkpoint==4.0.3

  • release: alpha for timers (#7647)
  • feat(langgraph): DeltaChannel: store sentinel in blobs, reconstruct from checkpoint_writes (#7586)
  • chore: dynamic push-task timeouts (#7646)

... (truncated)

Commits
  • d1e2ff0 release(checkpoint): 4.1.1 (#7890)
  • e787af2 release(sdk-py): 0.3.15 (#7891)
  • 604534e fix(sdk-py): percent-encode caller-supplied identifiers in URL paths (#7893)
  • 346aa97 fix(checkpoint): restrict lc:2 envelope revival to default constructor (#7892)
  • 82b3872 chore(deps): bump the uv group across 2 directories with 1 update (#7853)
  • fcc4ab8 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint (#7860)
  • 701d344 chore(deps): bump idna from 3.11 to 3.15 in /libs/checkpoint-postgres (#7861)
  • 2c7967c chore(deps): bump idna from 3.11 to 3.15 in /libs/cli (#7865)
  • bf7fec0 release(langgraph): 1.2.1 (#7883)
  • 8215a9d feat(langgraph): add before_builtins opt-in for stream transformers (#7882)
  • Additional commits viewable in compare view

Updates langgraph-sdk from 0.3.13 to 0.3.15

Release notes

Sourced from langgraph-sdk's releases.

langgraph-sdk==0.3.15

Changes since sdk==0.3.14

  • release(checkpoint): 4.1.1 (#7890)
  • release(sdk-py): 0.3.15 (#7891)
  • fix(sdk-py): percent-encode caller-supplied identifiers in URL paths (#7893)
  • release(langgraph): 1.2.1 (#7883)
  • chore(deps): bump idna from 3.11 to 3.15 in /libs/sdk-py (#7863)
  • chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /libs/sdk-py (#7764)
  • chore(deps): bump langsmith from 0.7.31 to 0.8.0 in /libs/sdk-py (#7789)
  • release: bump alpha packages to official versions (#7775)
  • chore(langgraph): bump langchain-core to 1.4.0 (#7767)
  • feat(sdk-py): support metadata filter for crons search/count (#7737)
  • chore(deps): bump ty from 0.0.23 to 0.0.33 in /libs/sdk-py (#7666)

langgraph-sdk==0.3.14

Changes since sdk==0.3.13

  • release(sdk-py): 0.3.14 (#7712)
  • feat(sdk-py): add return_minimal to threads update (#7704)
  • release: alpha bump (a4) for langgraph, checkpoint, checkpoint-postgres (#7701)
  • release: alpha bump langgraph 1.2.0a6 (#7697)
  • release: alpha bump prebuilt 1.1.0a2, langgraph 1.2.0a5 (#7682)
  • release: alpha bump prebuilt 1.1.0a1, langgraph 1.2.0a4 (#7679)
  • feat(langgraph): dispatch stream_events(version='v3') on Pregel (#7677)
  • release: alpha bump (a3) for langgraph, checkpoint, checkpoint-postgres (#7678)
  • release: alpha for timers (#7647)
  • chore: update x links to langchain_oss (#7645)
  • feat(langgraph): add streaming transformer infrastructure and tests (#7519)
  • chore(deps): bump the minor-and-patch group across 1 directory with 4 updates (ty held back) (#7635)
  • release(prebuilt): 1.0.12, langgraph 1.1.10 (#7623)
  • release(checkpoint): 4.0.3 (#7625)
  • release(prebuilt): 1.0.11 (#7610)
  • feat(prebuilt): allow ToolNode tools to return list[Command | ToolMessage] (#7596)
  • chore(langgraph): bump version 1.1.8 -> 1.1.9 (#7563)
  • release(langgraph): 1.1.8 (#7545)
  • release(prebuilt): 1.0.10 (#7541)
  • release(langgraph): 1.1.7 (#7540)
  • chore(deps): bump langsmith from 0.7.20 to 0.7.31 in /libs/sdk-py (#7528)
  • release(checkpoint): 4.0.2 (#7518)
  • chore(deps-dev): bump pytest from 9.0.2 to 9.0.3 in /libs/sdk-py (#7504)
  • release(langgraph): 1.1.7a2 (#7511)
  • chore: allow passing some metadata only for tracing purposes (#7383)
  • release(langgraph): 1.1.7a1 (#7476)
  • chore(deps): bump langchain-core from 1.2.22 to 1.2.28 in /libs/sdk-py (#7449)

Updates langsmith from 0.8.0 to 0.8.18

Release notes

Sourced from langsmith's releases.

v0.8.18

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.17...v0.8.18

v0.8.17

What's Changed

New Contributors

Full Changelog: langchain-ai/langsmith-sdk@v0.8.16...v0.8.17

v0.8.16

What's Changed

... (truncated)

Commits
  • 31c2bf6 release(py): 0.8.18 (#3063)
  • 8955b68 chore: reconcile bumpversion config and mandate release process for agents (#...
  • 411401f test(python): fix integration assertions for updated attachment error message...
  • 9c55156 Merge commit from fork
  • 5b2bd8d chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates ...
  • d8642f9 chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates ...
  • 953c2e5 chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python (#3044)
  • 5513699 chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python (#3039)
  • 8becdef chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python (#3038)
  • 1a9c522 chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python (#3037)
  • Additional commits viewable in compare view

Updates python-multipart from 0.0.27 to 0.0.31

Release notes

Sourced from python-multipart's releases.

Version 0.0.31

What's Changed

Full Changelog: Kludex/python-multipart@0.0.30...0.0.31

Version 0.0.30

What's Changed

Full Changelog: Kludex/python-multipart@0.0.29...0.0.30

Version 0.0.29

What's Changed

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Version 0.0.28

What's Changed

Full Changelog: Kludex/python-multipart@0.0.27...0.0.28

Changelog

Sourced from python-multipart's changelog.

0.0.31 (2026-06-04)

  • Speed up multipart header parsing and callback dispatch #295.
  • Bound header field name size before validating #296.
  • Validate Content-Length is non-negative in parse_form #297.

0.0.30 (2026-05-31)

  • Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
  • Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

0.0.29 (2026-05-17)

  • Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

  • Speed up partial-boundary tail scan via bytes.find #281.
  • Cap multipart boundary length at 256 bytes #282.

Updates starlette from 1.0.1 to 1.3.1

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Version 1.2.1

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

... (truncated)

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.

1.2.1 (May 31, 2026)

Fixed

  • Use httpx2 for type checking in the testclient module #3304.
  • Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

  • Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

  • Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

  • Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
  • Reject absolute paths in StaticFiles.lookup_path #3287.
Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

Updates tornado from 6.5.6 to 6.5.7

Changelog

Sourced from tornado's changelog.

... (truncated)

Commits
  • 48fc2d4 Merge pull request #3633 from bdarnell/curl-reset-65
  • 4ae1ddd Release notes and version bump for 6.5.7
  • 3154caa curl_httpclient: Reset the curl object before putting it on the freelist
  • 7d869c0 Merge pull request #3631 from bdarnell/cve-links
  • 288241f docs: Use the correct link syntax
  • 8da981c docs: Add CVE links to 6.5.6 release notes
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the uv group with 8 updates in the /pywry directory:

| Package | From | To |
| --- | --- | --- |
| [pydantic-settings](https://github.com/pydantic/pydantic-settings) | `2.14.1` | `2.14.2` |
| [joserfc](https://github.com/authlib/joserfc) | `1.6.4` | `1.6.7` |
| [langgraph-checkpoint](https://github.com/langchain-ai/langgraph) | `4.0.2` | `4.1.1` |
| [langgraph-sdk](https://github.com/langchain-ai/langgraph) | `0.3.13` | `0.3.15` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.0` | `0.8.18` |
| [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.27` | `0.0.31` |
| [starlette](https://github.com/Kludex/starlette) | `1.0.1` | `1.3.1` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.5.6` | `6.5.7` |



Updates `pydantic-settings` from 2.14.1 to 2.14.2
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.14.1...v2.14.2)

Updates `joserfc` from 1.6.4 to 1.6.7
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.6.4...1.6.7)

Updates `langgraph-checkpoint` from 4.0.2 to 4.1.1
- [Release notes](https://github.com/langchain-ai/langgraph/releases)
- [Commits](langchain-ai/langgraph@checkpoint==4.0.2...checkpoint==4.1.1)

Updates `langgraph-sdk` from 0.3.13 to 0.3.15
- [Release notes](https://github.com/langchain-ai/langgraph/releases)
- [Commits](langchain-ai/langgraph@0.3.13...0.3.15)

Updates `langsmith` from 0.8.0 to 0.8.18
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.0...v0.8.18)

Updates `python-multipart` from 0.0.27 to 0.0.31
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.27...0.0.31)

Updates `starlette` from 1.0.1 to 1.3.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.1...1.3.1)

Updates `tornado` from 6.5.6 to 6.5.7
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.6...v6.5.7)

---
updated-dependencies:
- dependency-name: pydantic-settings
  dependency-version: 2.14.2
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: joserfc
  dependency-version: 1.6.7
  dependency-type: indirect
  dependency-group: uv
- dependency-name: langgraph-checkpoint
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: langgraph-sdk
  dependency-version: 0.3.15
  dependency-type: indirect
  dependency-group: uv
- dependency-name: langsmith
  dependency-version: 0.8.18
  dependency-type: indirect
  dependency-group: uv
- dependency-name: python-multipart
  dependency-version: 0.0.31
  dependency-type: indirect
  dependency-group: uv
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: tornado
  dependency-version: 6.5.7
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
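
The symlink containment problem described in the pydantic-settings release notes above (GHSA-4xgf-cpjx-pc3j), as an added example that is not part of this PR and is not pydantic-settings' own code. `load_nested_secrets`, `SecretsDirError` and the sample tree built in `demo` are hypothetical: the loader resolves every entry, skips anything whose real path leaves the secrets directory, and counts bytes against the size cap before reading.

```python
import os
import tempfile
from pathlib import Path


class SecretsDirError(Exception):
    """Raised when the secrets tree exceeds the configured size cap."""


def load_nested_secrets(secrets_dir, max_total_bytes=8 * 1024 * 1024):
    """Read regular files under secrets_dir into {relative/path: text}.

    Hypothetical helper (an assumption of this example). Returns the loaded
    values and the sorted list of entries rejected for leaving the tree.
    """
    base = Path(secrets_dir).resolve(strict=True)
    values, rejected, total = {}, [], 0
    # followlinks=False: symlinked directories are listed but never descended.
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in sorted(dirs + files):
            path = Path(root) / name
            real = path.resolve()  # follows symlinks to the final target
            rel = path.relative_to(base).as_posix()
            if not real.is_relative_to(base):
                rejected.append(rel)  # real path is outside secrets_dir
                continue
            if not real.is_file():
                continue  # plain directories, broken links, in-tree dir links
            # Enforce the cap before reading, on the resolved file's size.
            total += real.stat().st_size
            if total > max_total_bytes:
                raise SecretsDirError(f"secrets tree exceeds {max_total_bytes} bytes")
            values[rel] = real.read_text().strip()
    return values, sorted(rejected)


def demo():
    """Constructed tree: one real secret and one symlink pointing outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside.txt")
        outside.write_text("out-of-tree data")
        secrets = Path(tmp, "secrets")
        (secrets / "db").mkdir(parents=True)
        (secrets / "db" / "password").write_text("s3cret\n")
        os.symlink(outside, secrets / "db" / "leak")
        return load_nested_secrets(secrets, max_total_bytes=1024)


if __name__ == "__main__":
    print(demo())
```

The check and the read are separate steps, so this assumes nobody can modify the secrets directory while it is being loaded.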
dependabot (bot) added the dependencies (Issues related to PyWry dependencies) and python:uv (Pull requests that update python:uv code) labels Jun 29, 2026
deeleeramone added the full-test (Run the full testing suite on this PR.) label Jun 29, 2026
deeleeramone removed the full-test (Run the full testing suite on this PR.) label Jun 29, 2026
deeleeramone merged commit 63336fa into develop Jun 29, 2026
12 checks passed
deeleeramone deleted the dependabot/uv/pywry/uv-c367cfff6b branch June 29, 2026 19:16