Skip to content

fix(deps): update non-major dependencies#131

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/non-major
Open

fix(deps): update non-major dependencies#131
renovate[bot] wants to merge 1 commit intomainfrom
renovate/non-major

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 10, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence Type Update
crawl4ai >=0.6.3>=0.8.6 age confidence project.dependencies patch
curl-cffi >=0.9.1>=0.15.0 age confidence project.dependencies minor
gdown >=5.2.0>=5.2.2 age confidence project.dependencies minor
langgraph (source, changelog) >=0.6.11>=1.1.6 age confidence project.dependencies patch
patchright (changelog) >=1.52.0>=1.58.2 age confidence project.dependencies patch
pydantic (changelog) >=2.12.5>=2.13.1 age confidence project.dependencies minor
pytest (changelog) >=8.4.1>=8.4.2 age confidence project.optional-dependencies minor
pytest-asyncio (changelog) >=1.0.0>=1.3.0 age confidence project.optional-dependencies patch
pytest-cov (changelog) >=6.2.1>=6.3.0 age confidence project.optional-dependencies minor
python (source) >=3.13,<3.14>=3.13.13,<3.14 age confidence requires-python patch
python 3.133.14.4 age confidence minor
ty (changelog) >=0.0.1a10>=0.0.31 age confidence project.optional-dependencies patch

Release Notes

lexiforest/curl_cffi (curl-cffi)

v0.15.0

Compare Source

🎉 Another release with significant changes!

Highlights

  • http/3 fingerprints, added for Chrome 145, 146 and Firefox 147. To verify http3 fingerprints, visit https://fp.impersonate.pro
  • http/3 proxy support with socks5 udp proxy server.
  • New CLI tool, just called curl-cffi, easier http debugging for both humans and agents. See docs. We also added a skill.
  • Compatibility optimization, curl_cffi is now fully static. Especially for macOS, no dependencies needed and compatible with macOS since 11.0.
  • ⚠️ Security improvement. If you are accepting urls from others and returning the response to them, you are vulnerable to redirection-based SSRF. Disable allow_redirects or at lease set allow_redirects="safe", see the advisory and the docs.
  • Performance optimization: WebSocket improvement and free-threading support.
  • Android is officially supported, closing a 3-years-old issue.
  • New impersonation behaviors, the cookie header behavior and POST boundary are now made exactly the same as browsers. These are not part of tls or http binary fingerprints, but are exploited by WAFs, too.

The list of proxy vendors with udp sock5 support is very limited, so I set up 2 servers for testing. You can simply run:

curl-cffi get https://fp.impersonate.pro/api/http3 --proxy socks5://imp:curl-cffi@206.189.95.199:1080 --http3-only
curl-cffi get https://fp.impersonate.pro/api/http3 --proxy socks5://imp:curl-cffi@24.144.88.46:1080 --http3-only

If you need more udp socks5 servers from us, click the 👀 emoji to vote.

What's Changed

New Contributors

Full Changelog: lexiforest/curl_cffi@v0.14.0...v0.15.0

langchain-ai/langgraph (langgraph)

v1.1.6: langgraph==1.1.6

Compare Source

Changes since 1.1.5

v1.1.5: langgraph==1.1.5

Compare Source

Changes since 1.1.4

  • release: prebuilt 1.0.9 and langgraph 1.1.5 (#​7401)
  • feat: enhance runtime w/ more execution information (#​7363)
  • Revert "chore: update configurable metadata" (#​7393)
  • feat(cli): add remote build support for langgraph deploy (#​7234)
  • chore: fix URL (#​7385)
  • fix(langgraph): update readme (#​7384)
  • chore: update configurable metadata (#​7367)

v1.1.4: langgraph==1.1.4

Compare Source

Changes since 1.1.3

  • release(langgraph): 1.1.4 (#​7356)
  • fix(langgraph): avoid recursion limit default sentinel collision (#​7355)
  • feat: Add LangSmith integration metadata to langgraph (#​7203)
  • chore(deps): bump pygments from 2.19.2 to 2.20.0 in /libs/langgraph (#​7353)
  • chore(deps): bump cryptography from 46.0.5 to 46.0.6 in /libs/langgraph (#​7324)
  • chore(deps): bump types-requests from 2.32.4.20260107 to 2.32.4.20260324 in /libs/langgraph (#​7297)
  • chore(deps): bump the minor-and-patch group in /libs/langgraph with 2 updates (#​7296)
  • chore(deps): bump requests from 2.32.5 to 2.33.0 in /libs/langgraph (#​7284)
  • chore(deps): bump the all-dependencies group in /libs/langgraph with 3 updates (#​7253)
pydantic/pydantic (pydantic)

v2.13.1

Compare Source

v2.13.0

Compare Source

GitHub release

The highlights of the v2.13 release are available in the blog post.
Several minor changes (considered non-breaking changes according to our versioning policy)
are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features
  • Allow default factories of private attributes to take validated model data by @​Viicos in #​13013
Changes
Fixes
  • Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #​13049
  • Fix model equality when using runtime extra configuration by @​Viicos in #​13062
Packaging
New Contributors
python/cpython (python)

v3.13.13

Compare Source

v3.13.12

Compare Source

v3.13.11

Compare Source

v3.13.10

Compare Source

v3.13.9

Compare Source

v3.13.8

Compare Source

v3.13.7

Compare Source

v3.13.6

Compare Source

v3.13.5

Compare Source

v3.13.4

Compare Source

v3.13.3

Compare Source

v3.13.2

Compare Source

v3.13.1

Compare Source

astral-sh/ty (ty)

v0.0.31

Compare Source

Released on 2026-04-15.

Bug fixes
  • Avoid panic from double inference for namedtuple(typename=T, field_names=x, **{}) (#​24641)
  • Avoid panic from double inference with missing functional Enum(...) names (#​24638)
  • Avoid panic from double inference with functional Enum(value=...) (#​24639)
  • Fix cases where invalid-key fix doesn't converge, and override-of-final-method produces invalid syntax (#​24649)
  • Fix unnecessary ty:ignore comments inserted by --add-ignore for diagnostics starting on the same line (#​24651)
CLI
  • Add --fix mode to enable auto-fix for diagnostics (#​24097)
Performance
  • Avoid excessive memory usage for dataclasses with many fields (#​24620)
Core type checking
  • Check inherited NamedTuple field conflicts (#​24542)
  • Error when duplicate keywords are provided to TypedDict constructors (#​24449)
  • Respect mixed positional and keyword arguments in TypedDict constructor (#​24448)
  • Respect subclass shadowing for inherited NamedTuple fields (#​24640)
  • Skip EnumMeta.__call__ for enum constructor signatures (#​24513)
Contributors

v0.0.30

Compare Source

Released on 2026-04-13.

As of v0.0.30, ty no longer unions Unknown into most inferred types of unannotated attributes. For example:

class Foo:
    def __init__(self) -> None:
        self.value = 1

reveal_type(Foo().value)  # revealed: int
Foo().value = "x"  # error: [invalid-assignment]

In previous versions, reveal_type(Foo().value) would have included Unknown, so the assignment to "x" would not have been flagged. Since this can affect inferred attribute types throughout a codebase, upgrading may lead to both new and resolved diagnostics. Initializers of None and other non-literal singleton types remain exceptions. See #​24531 for details.

Bug fixes
  • Disallow bare ParamSpec in Concatenate prefixes (#​24474)
  • Ensure '/' parameter appears before '*' when rendering Callable types (#​24497)
  • Ensure nested conditional blocks inherit TYPE_CHECKING state from outer blocks (#​24470)
  • Fix bad diagnostic range for incorrect implicit __init_subclass__ calls (#​24541)
  • Fix incorrect assignability of type[T] to a metaclass (#​24515)
  • Fix stack overflows from recursive types (#​24413)
  • Server: fix signature help for ParamSpec-specialized class calls (#​24399)
  • Use TypedDict field types as type context to inform the inference of arguments passed to TypedDict constructors (#​24422)
LSP server
  • Adjust semantic tokens implementation to ensure that type alias values have "type form" syntax highlighting in IDEs (#​24478)
  • Completions: rank symbols from typing and collections higher than third party re-exports (#​23643)
  • Ignore unsupported editor-selected Python versions (#​24498)
  • Improve TypedDict constructor support in the LSP by synthesizing __init__ (#​24476, #​24522, #​24535)
  • Return all attribute definitions for goto definition, rather than just the last definition in the given scope (#​24332)
  • Show info subdiagnostics in LSP diagnostic messages (#​24328)
  • Use the context of the kind of object a parameter is expected to receive to inform syntax highlighting of arguments passed to call expressions (#​23949)
Diagnostics
  • Hide "Rule xyz is enabled"-style hints unless verbose mode was specified (#​24469)
  • Improve consistency of pedantic lints complaining about badly named types (#​24575)
  • Point to the first reachable declaration, rather than the first declaration, in declaration-based diagnostics (#​24564)
Core type checking
  • Add support for functional Enum(...) syntax (#​23602, #​24570, #​24571)
  • Allow Final variable assignments in __post_init__ (#​24529)
  • Allow partially stringified type[...] annotations, e.g. type["MyClass"] (#​24518)
  • Emit a diagnostic when attempting to inherit from a class with __init_subclass__ = None (#​24543)
  • Fix TypeGuard and TypeIs narrowing for unbound method calls (#​24612)
  • Fix assignability of intersections with bounded TypeVars (#​24502)
  • Fix excess subscript argument inference for non-generic types so that list[int][0] leads to 1 diagnostic, rather than 2 (#​24354)
  • Inherit dataclass_transform metadata from metaclass bases (#​24615)
  • Lazily evaluate declaration reachability in field and enum filters (#​24451)
  • Normalize explicit None accessors in manual property construction (#​24492)
  • Reject deleting Final attributes (#​24508)
  • Respect non-required keys in TypedDict unpacking (#​24446)
  • Respect property deleters in attribute deletion checks (#​24500)
  • Stop special-casing str constructor (#​24514)
  • Stop unioning Unknown into types of un-annotated attributes (#​24531)
  • Support super() in metaclass methods (#​24483)
  • Tighten up a few edge cases in Concatenate type-expression parsing (#​24172)
  • Use basic blocks for determining if a node is in an if TYPE_CHECKING block (#​24394)
Contributors

v0.0.29

Compare Source

Released on 2026-04-05.

Bug fixes
  • Avoid special-casing for dataclasses.field if it's not in field_specifiers (#​24397)
  • Reject unsupported environment.python-version values in configuration files (#​24402)
  • Respect supported lower bounds from requires-python (#​24401)
Core type checking
  • Add support for types.new_class (#​23144)
  • Fix PEP 695 type aliases in with statement (#​24395)
  • Respect __new__ and metaclass __call__ return types (#​24357)
  • Treat enum attributes with type annotations as members (#​23776)
Contributors

v0.0.28

Compare Source

Released on 2026-04-02.

Bug fixes
  • Mark loop header assignments as used to avoid false positives in "unused variable" diagnostics (#​24336)
LSP server
  • Show constructor signature of classes when hovering over them (#​24257)
Core type checking
  • Avoid emitting cascading diagnostics when parsing invalid type expressions (#​24326)
  • Handle most "deep" mutual TypeVar constraints (#​24079)
  • Improve consistency and quality of diagnostics relating to invalid type forms (#​24325)
  • Improve robustness of various type-qualifier-related checks (#​24251)
  • Infer the extra_items keyword argument to class-based TypedDicts as an annotation expression (#​24362)
  • Use bidirectional inference to fix false positives on operations such as x: list[int | None] = [None] * 2 (#​24197)
  • Sync vendored typeshed stubs (#​24340). Typeshed diff
  • Tighten up validation of subscripts and attributes in type expressions (#​24329)
  • Use infer_type_expression for parsing parameter annotations and return-type annotations (#​24353)
  • Use infer_type_expression for validating PEP-613 type aliases (#​24370)
  • Validate TypedDict fields when subclassing (#​24338)
  • Validate type qualifiers in functional TypedDict fields and the extra_items keyword to functional TypedDicts (#​24360)
  • Improve diagnostics for invalid functional TypedDicts (#​24345)
Contributors

v0.0.27

Compare Source

Released on 2026-03-31.

Bug fixes
  • Fix panic on debug builds when attempting to provide autocomplete suggestions for list[int]<CURSOR>() (#​24167)
  • Fix instance-attribute lookup in methods of protocol classes (#​24213)
  • Fix nested global and nonlocal lookups through forwarding scopes (#​24279)
  • Fix panic on list[Annotated[()]] (#​24303)
  • Fix stack overflow on type A = TypeIs[Callable[[], A]] (#​24245)
  • Use _cls as the name of the first argument for synthesized collections.namedtuple constructor methods (#​24333)
LSP server
  • Fix semantic token classification for properties accessed on instances (#​24065)
  • Grey out unused bindings in the editor (#​23305)
Core type checking
  • Add bidirectional type context for TypedDict get() defaults (#​24231)
  • Add bidirectional type context for TypedDict pop() defaults (#​24229)
  • Add support for functional TypedDict (#​24174, #​24331, #​24295)
  • Ban type qualifiers in PEP-695 type aliases (#​24242)
  • Enforce Final attribute assignment rules for annotated and augmented writes (#​23880)
  • Improve support for Callable type context (#​23888)
  • Infer lambda expressions with Callable type context (#​22633)
  • Don't incorrectly infer the type of a method as being a singleton type when it's accessed off an instance (#​24039)
  • Propagate type context through await expressions (#​24256)
  • Resolve union-likes in emitting union attribute errors (#​24263)
  • Show the user where the variable was declared as Final when emitting a diagnostic about a Final variable being reassigned (#​24194)
Contributors

Configuration

📅 Schedule: (in timezone Asia/Ho_Chi_Minh)

  • Branch creation
    • "before 5am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from n24q02m as a code owner April 10, 2026 19:01
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 10, 2026
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 10, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 7 package(s) with unknown licenses.
See the Details below.

License Issues

pyproject.toml

PackageVersionLicenseIssue Type
crawl4ai>= 0.8.6NullUnknown License
gdown>= 5.2.2NullUnknown License
patchright>= 1.58.2NullUnknown License

uv.lock

PackageVersionLicenseIssue Type
curl-cffi0.15.0NullUnknown License
langgraph1.1.6NullUnknown License
langgraph-prebuilt1.0.9NullUnknown License
pydantic2.13.1NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
pip/crawl4ai >= 0.8.6 UnknownUnknown
pip/gdown >= 5.2.2 UnknownUnknown
pip/patchright >= 1.58.2 UnknownUnknown
pip/curl-cffi 0.15.0 UnknownUnknown
pip/langgraph 1.1.6 UnknownUnknown
pip/langgraph-prebuilt 1.0.9 UnknownUnknown
pip/pydantic 2.13.1 UnknownUnknown
pip/pydantic-core 2.46.1 🟢 6.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1030 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
License🟢 10license file detected
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Branch-Protection🟢 4branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/ty 0.0.31 UnknownUnknown

Scanned Files

  • pyproject.toml
  • uv.lock

@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 10, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedcurl-cffi@​0.14.0 ⏵ 0.15.099100 +16100100100

View full report

@renovate renovate bot force-pushed the renovate/non-major branch 8 times, most recently from 3794bda to 147c437 Compare April 14, 2026 17:42
@n24q02m n24q02m force-pushed the main branch 2 times, most recently from 1213e1a to 8d81f02 Compare April 16, 2026 07:35
@renovate renovate bot force-pushed the renovate/non-major branch 3 times, most recently from b69250c to 458d75f Compare April 17, 2026 04:11
@renovate renovate bot force-pushed the renovate/non-major branch from 458d75f to 9908894 Compare April 17, 2026 05:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@n24q02m n24q02m Awaiting requested review from n24q02m n24q02m is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants