Bump the python-dependencies group with 12 updates

[dependabot]

Bumps the python-dependencies group with 12 updates:

Package	From	To
cbor2	5.9.0	6.0.1
certifi	2026.2.25	2026.4.22
click	8.3.2	8.3.3
cryptography	46.0.7	48.0.0
greenlet	3.4.0	3.5.0
idna	3.12	3.13
mako	1.3.11	1.3.12
packaging	26.1	26.2
pyopenssl	26.0.0	26.2.0
pytz	2026.1.post1	2026.2
sentry-sdk	2.58.0	2.59.0
zope-interface	8.3	8.4

Updates cbor2 from 5.9.0 to 6.0.1

Release notes

Sourced from cbor2's releases.

6.0.1

• Fixed an error in the mutability logic during decoding, leading to values being decoded as immutable in unexpected places (#295)

6.0.0

• No changes since v6.0.0rc1

6.0.0rc1

• MAJOR REWRITE: The Python and C implementations of the encoder and decoder were replaced with a single, Rust-based implementation in the interest of maintainability.

  Here are some of the highlights:

  • Improved memory safety (100% safe-mode Rust)
  • Complete elimination of reference leaks
  • Support for free-threading and subinterpreters
  • Substantially improved performance
  • Improved decoder error handling where any non-base exception gets wrapped in a CBORDecodeError
  • Iterative, rather than recursive decoding, meaning the container nesting depth is limited only by the available memory, rather than the C stack size

• BACKWARD INCOMPATIBLE Changed the signature of the tag_hook decoder callables to accept (CBORTag, immutable as arguments instead of CBORDecoder, CBORTag)

• BACKWARD INCOMPATIBLE Changed the signature of the object_hook decoder callables to accept (Mapping[Any, Any], bool) instead of (CBORDecoder, dict[Any, Any])

• BACKWARD INCOMPATIBLE Removed the break_marker singleton as no longer necessary

• BACKWARD INCOMPATIBLE Removed the CBORDecodeValueError exception, instead chaining ValueError or TypeError to a CBORDecodeError

• BACKWARD INCOMPATIBLE Changed the decoding of semantic tag 261 to yield an IPv4Interface or IPv6Interface if the address contains host bits

• BACKWARD INCOMPATIBLE Removed the individual decoding functions from the API as they were mistakenly called directly by users. Please open an issue if you need them back.

• BACKWARD INCOMPATIBLE Changed the encoding of IP addresses to use the semantic tags 52 and 54 instead of the deprecated 260 and 261 (#232)

• BACKWARD INCOMPATIBLE Dropped the deprecated cbor2.decoder and cbor2.encoder modules – everything in the API is now importable directly from cbor2

• BACKWARD INCOMPATIBLE The cbor2.FrozenDict class has now been renamed frozendict and is not available on Python 3.15 where the built-in frozendict class must be used instead

• Added the semantic_decoders decoder option to add or override decoders for specific semantic tags

• Added the immutable decoder flag to always use immutable containers where possible when decoding a CBOR stream

• Added the allow_indefinite decoder option to optionally disallow indefinite-length strings and containers

• Dropped support for Python 3.9

• Fixed the decoder not rejecting invalid two-byte simple value sequences (0xF800 - 0xF81F)

Commits

• 3d22272 Bumped up the version
• 7e07ab5 Fixed ContinueFrame handler not mutating the immutable flag in the current frame
• 03c656c Marked the 6.x series as supported
• 516c1a2 Bumped up the version
• c175272 [pre-commit.ci] pre-commit autoupdate (#294)
• 547186a [pre-commit.ci] pre-commit autoupdate (#292)
• c544b4b Install tzdata for Windows when testing
• 9d95436 Removed timezones workaround in Hypothesis strategies
• ffd7030 Bump the github-actions group with 3 updates (#293)
• 71b0e95 Install Rust in the RTD build job
• Additional commits viewable in compare view

Updates certifi from 2026.2.25 to 2026.4.22

Commits

• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates click from 8.3.2 to 8.3.3

Release notes

Sourced from click's releases.

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3 Milestone: https://github.com/pallets/click/milestone/30

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. #1026 #1477 #2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. #3298 #3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. #3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. #3224 #3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. #654 #824 #843 #951 #3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. #3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. #3151 #3177
• Show custom show_default string in prompts, matching the existing help text behavior. #2836 #2837 #3165 #3262 #3280 #3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. #3111 #3239
• Mark make_default_short_help as private API. #3189 #3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. #2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. #2879 #3248

Changelog

Sourced from click's changelog.

Version 8.3.3

Released 2026-04-20

• Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. :issue:1026 :pr:1477 :pr:2775
• Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:3298 :pr:3299
• Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:3238
• Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:3224 :pr:3240
• Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:654 :issue:824 :issue:843 :pr:951 :pr:3235
• Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. :pr:3151
• Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:3151 :pr:3177
• Show custom show_default string in prompts, matching the existing help text behavior. :issue:2836 :pr:2837 :pr:3165 :pr:3262 :pr:3280 :pr:3328
• Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:3111 :pr:3239
• Mark make_default_short_help as private API. :issue:3189 :pr:3250
• CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:2865
• Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:2879 :pr:3248

Commits

• c06d2d0 Release 8.3.3
• f1f191e Apply format guidelines to commits since latest 8.3.2 release (#3343)
• bb59ba0 Apply format guidelines to commits since latest 8.3.2 release
• 4a35225 Reduce blast-radius of UNSET in default_map (#3240)
• c07bb93 Merge branch 'stable' into unset-in-default-map
• c7e1ba8 Reorder ParameterSource (#3248)
• 76552ff Show default string in prompt (#3328)
• ac5cec5 Reorder ParameterSource from most to least explicit
• 8c452e0 Merge branch 'stable' into show-default-string-in-prompt
• 8c95c73 Reconcile default value passing and default activation (#3239)
• Additional commits viewable in compare view

Updates cryptography from 46.0.7 to 48.0.0

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

Note: Going forward, we do not guarantee that all functionality

in cryptography will be available when building against

OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:
47.0.0 - 2026-04-24

• Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
• BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
• BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
• BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:~cryptography.exceptions.UnsupportedAlgorithm instead of ValueError. This change affects :func:~cryptography.hazmat.primitives.serialization.load_pem_private_key, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key, :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key, :func:~cryptography.hazmat.primitives.serialization.load_der_public_key, and :meth:~cryptography.x509.Certificate.public_key when called on certificates with unsupported public key algorithms.
• BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
• Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES. In a

... (truncated)

Commits

• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• 82ebd3b Bump BoringSSL, OpenSSL, AWS-LC in CI (#14785)
• Additional commits viewable in compare view

Updates greenlet from 3.4.0 to 3.5.0

Changelog

Sourced from greenlet's changelog.

3.5.0 (2026-04-27)

• Remove the atexit callback. This callback caused greenlet APIs to become unavailable far too soon during interpreter shutdown. Now they remain available while all atexit callbacks run. Sometime after Py_IsFinalizing becomes true, they may begin misbehaving. Because the order in which C extensions are finalized is undefined, C extensions that are sensitive to this need to check the results of that function before invoking greenlet APIs. As a convenience, PyGreenlet_GetCurrent sets an exception and returns NULL when this happens (and greenlet.getcurrent begins returning None); other greenlet C API functions have undefined behaviour. Methods invoked directly on pre-existing greenlet.greenlet objects will continue to function at least until the greenlet C extension has been garbage collected and finalized.

  See PR 508 <https://github.com/python-greenlet/greenlet/pull/508>_.

Commits

• c7acc72 Preparing release 3.5.0
• d08f99b CHANGES: Update link from #507 to more full description in #508.
• fd3391e Merge pull request #508 from python-greenlet/issue507-remove-atexit
• 004e1e9 Remove the atexit callback.
• b784a69 Back to development: 3.4.1
• See full diff in compare view

Updates idna from 3.12 to 3.13

Changelog

Sourced from idna's changelog.

3.13 (2026-04-22) +++++++++++++++++

• Correct classification error for codepoint U+A7F1

Commits

• 89cdfd2 Release v3.13
• 1eb0686 Pre-release 3.13
• 5f20d1e Merge pull request #220 from kjd/unicode-next
• 4ea8425 Regenerate idnadata.py with correct NFKC_CF data
• fd47341 Use NFKC_CF from Unicode data files instead of Python's unicodedata module
• a5304a4 Merge pull request #219 from kjd/release-3.12
• See full diff in compare view

Updates mako from 1.3.11 to 1.3.12

Release notes

Sourced from mako's releases.

1.3.12

Released: Tue Apr 28 2026

bug

• [bug] [template] Fixed issue in TemplateLookup where a URI with backslash path separators (e.g. \..\secret.txt) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.

  References: #435

Commits

• See full diff in compare view

Updates packaging from 26.1 to 26.2

Release notes

Sourced from packaging's releases.

26.2

What's Changed

Fixes:

• Fix incorrect sysconfig var name for pyemscripten by @​ryanking13 in pypa/packaging#1160
• Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removed packaging._structures module) by @​eachimei and @​henryiii in pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171
• fix: re-export ExceptionGroup for now by @​henryiii in pypa/packaging#1164

Documentation:

• docs: add errors section and fix missing details by @​henryiii in pypa/packaging#1159
• docs(dev): document property-based test suite by @​r266-tech in pypa/packaging#1167
• Fix typo in DirectUrl documentation by @​sbidoul in pypa/packaging#1169
• docs(specifiers): add is_unsatisfiable() usage example by @​r266-tech in pypa/packaging#1166

Internal:

• Enable the auditor persona on zizmor by @​henryiii in pypa/packaging#1158
• Test new pickle guarantees by @​henryiii in pypa/packaging#1174
• Use native uv integration in rtd by @​henryiii in pypa/packaging#1175

New Contributors

• @​ryanking13 made their first contribution in pypa/packaging#1160
• @​eachimei made their first contribution in pypa/packaging#1163

Full Changelog: pypa/packaging@26.1...26.2

Changelog

Sourced from packaging's changelog.

26.2 - 2026-04-24

Fixes:

Fix incorrect sysconfig var name for pyemscripten in (:pull:1160)
Make Version, Specifier, SpecifierSet, Tag, Marker, and Requirement pickle-safe

and backward-compatible with pickles created in 25.0-26.1 (including references to the removed

packaging._structures module) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)
Re-export ExceptionGroup in metadata for now in (:pull:1164)

Documentation:

Add errors section and fix missing details in (:pull:1159)
Document our property-based test suite in (:pull:1167)
Fix a DirectUrl typo in (:pull:1167)
Add example of is_unsatisfiable in (:pull:1166)

Internal:

Enable the auditor persona on zizmor in (:pull:1158)
Test new pickle guarantees in (:pull:1174)
Use new native ReadTheDocs uv integration in (:pull:1175)

Commits

• 84a87ee Bump for release
• 4a616b6 docs: a few more updates to prepare for 26.2 (#1176)
• 9de6f44 ci: use native uv integration in rtd (#1175)
• bc76e14 chore: update changelog for 26.2 (#1161)
• 3f00091 tests: add a pickle check (#1174)
• 48a8a06 fix: make Requirements/Markers pickle-safe (#1171)
• 823b44e fix: make Tags pickle-safe (#1170)
• 4bed32d fix: make Specifier / SpecifierSet pickle-safe (#1168)
• 963118e fix: re-export ExceptionGroup for now (#1164)
• 66e34a8 docs(specifiers): add is_unsatisfiable() usage example (#1166)
• Additional commits viewable in compare view

Updates pyopenssl from 26.0.0 to 26.2.0

Changelog

Sourced from pyopenssl's changelog.

26.2.0 (2026-05-04)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Removed deprecated OpenSSL.crypto.X509Extension, OpenSSL.crypto.X509Req.add_extension, OpenSSL.crypto.X509Req.get_extensions, OpenSSL.crypto.X509.add_extension, OpenSSL.crypto.X509.get_extensions. cryptography.x509 should be used instead.
• It is now an error to calling any mutating method on OpenSSL.SSL.Context after it has been used to create a Connection. This was previously deprecated and has always been unsafe.

Deprecations: ^^^^^^^^^^^^^

Changes: ^^^^^^^^

• Maximum supported cryptography version is now 48.x.
• Added OpenSSL.SSL.Connection.set_options to set options on a per-connection basis.

26.1.0 (2026-04-24)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Deprecations: ^^^^^^^^^^^^^

Changes: ^^^^^^^^

• Maximum supported cryptography version is now 47.x.
• Fixed X509Name field setters to correctly pass the value length to OpenSSL. Previously, values containing NUL bytes would be silently truncated, causing a divergence between the stored ASN.1 value and the value visible from Python. Credit to BudongJW for reporting the issue. CVE-2026-40475

Commits

• 2320887 Prepare 26.2.0 release (#1500)
• 068c200 make it an error to mutate after using a context (#1429)
• f004dcd put X509Extension removal changelog in the right version (#1498)
• d696686 add Connection.set_options (#1497)
• 7e42f8f Remove X509Extension, which has been deprecated for a year (#1376)
• 6e43ae1 Remove tests-cryptography-main for Python 3.8 (#1496)
• 3be23b6 Prepare 26.1.0 release (#1495)
• e6be3fc Add note on versioning policy (#1494)
• 402177b Bump actions/upload-artifact in /.github/actions/upload-coverage (#1492)
• 08c796c Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1491)
• Additional commits viewable in compare view

Updates pytz from 2026.1.post1 to 2026.2

Commits

• 45957c5 Bump github actions/checkout to @​v6
• 8e927c6 Bump version numbers to 2026.2 (IANA 2026b)
• 6f08ade IANA 2026b
• edbfbdf Squashed 'tz/' changes from dd6be6d155..8be0d5483d
• a148b03 Fix typo in README
• b841195 fix typo
• See full diff in compare view

Updates sentry-sdk from 2.58.0 to 2.59.0

Release notes

Sourced from sentry-sdk's releases.

2.59.0

New Features ✨

Langchain

• Record run_name as gen_ai.function_id on Invoke Agent Spans by @​alexander-alderman-webb in #5926
• Record run_name in on_tool_start by @​alexander-alderman-webb in #5925
• Record run_name in on_chat_model_start by @​alexander-alderman-webb in #5924

Other

• (ci) Cancel in-progress PR workflows on new commit push by @​joshuarli in #5994
• (consts) Add updated span convention constants to SPANDATA by @​ericapisani in #6093
• (fastapi) Support span streaming in active thread tracking by @​ericapisani in #6118
• (httpx) Migrate to span first by @​ericapisani in #6084
• (huggingface_hub) Migrate to span first by @​ericapisani in #6124
• (mcp) Migrate to span first by @​ericapisani in #6131
• Add db.driver.name spans to database integrations by @​ericapisani in #6082

Bug Fixes 🐛

We've put additional data that might contain sensitive information, like GraphQL documents, behind the send_default_pii option.

Httpx

• Consistently early-exit when adding request source by @​alexander-alderman-webb in #6151
• Set code.namespace and code.function instead of code.function.name in span streaming by @​alexander-alderman-webb in #6150

Langchain

• Record run_name as gen_ai.function_id for text completions by @​alexander-alderman-webb in #6073
• Set agent name as gen_ai.agent.name for chat and tool spans by @​alexander-alderman-webb in #5877

Other

• (asgi) Use inspect.iscoroutinefunction on Python 3.14+ by @​alexander-alderman-webb in #6135
• (batcher) Reset lock and flusher in child after fork by @​ericapisani in #6163
• (google_genai) Redact binary data in inline_data and fix multi-part message extraction by @​ericapisani in #5977
• (grpc) Add isolation_scope to async server interceptor by @​robinvd in #5940
• (metrics,logs) Don't attach span_id if no active span by @​sentrivana in #6162
• (monitor) Release Monitor._thread_lock after fork (#6148) by @​vokracko in #6159
• (openai-agents) Resolve agent from bindings for openai-agents >= 0.14 by @​ericapisani in #6102
• (profiler) Stop nulling buffer on teardown by @​ericapisani in #6075
• (quart) Use inspect.iscoroutinefunction when Quart does by @​alexander-alderman-webb in #6133
• (security) Prevent GitHub script injection in update-tox workflow by @​fix-it-felix-sentry in #6171
• (starlette/fastapi) Use inspect.iscoroutinefunction when Starlette does by @​alexander-alderman-webb in #6134
• (tornado) Make sure context manager doesn't double yield by @​sentrivana in #6152
• Introduce _get_current_streamed_span() to keep types backwards compatible by @​alexander-alderman-webb in #6177

Internal Changes 🔧

... (truncated)

Changelog

Sourced from sentry-sdk's changelog.

2.59.0

New Features ✨

Langchain

• Record run_name as gen_ai.function_id on Invoke Agent Spans by @​alexander-alderman-webb in #5926
• Record run_name in on_tool_start by @​alexander-alderman-webb in #5925
• Record run_name in on_chat_model_start by @​alexander-alderman-webb in #5924

Other

• (ci) Cancel in-progress PR workflows on new commit push by @​joshuarli in #5994
• (consts) Add updated span convention constants to SPANDATA by @​ericapisani in #6093
• (fastapi) Support span streaming in active thread tracking by @​ericapisani in #6118
• (httpx) Migrate to span first by @​ericapisani in #6084
• (huggingface_hub) Migrate to span first by @​ericapisani in #6124
• (mcp) Migrate to span first by @​ericapisani in #6131
• Add db.driver.name spans to database integrations by @​ericapisani in #6082

Bug Fixes 🐛

We've put additional data that might contain sensitive information, like GraphQL documents, behind the send_default_pii option.

Httpx

• Consistently early-exit when adding request source by @​alexander-alderman-webb in #6151
• Set code.namespace and code.function instead of code.function.name in span streaming by @​alexander-alderman-webb in #6150

Langchain

• Record run_name as gen_ai.function_id for text completions by @​alexander-alderman-webb in #6073
• Set agent name as gen_ai.agent.name for chat and tool spans by @​alexander-alderman-webb in #5877

Other

• (asgi) Use inspect.iscoroutinefunction on Python 3.14+ by @​alexander-alderman-webb in #6135
• (batcher) Reset lock and flusher in child after fork by @​ericapisani in #6163
• (google_genai) Redact binary data in inline_data and fix multi-part message extraction by @​ericapisani in #5977
• (grpc) Add isolation_scope to async server interceptor by @​robinvd in #5940
• (metrics,logs) Don't attach span_id if no active span by @​sentrivana in #6162
• (monitor) Release Monitor._thread_lock after fork (#6148) by @​vokracko in #6159
• (openai-agents) Resolve agent from bindings for openai-agents >= 0.14 by @​ericapisani in #6102
• (profiler) Stop nulling buffer on teardown by @​ericapisani in #6075
• (quart) Use inspect.iscoroutinefunction when Quart does by @​alexander-alderman-webb in #6133
• (security) Prevent GitHub script injection in update-tox workflow by @​fix-it-felix-sentry in #6171
• (starlette/fastapi) Use inspect.iscoroutinefunction when Starlette does by @​alexander-alderman-webb in #6134
• (tornado) Make sure context manager doesn't double yield by @​sentrivana in #6152
• Introduce _get_current_streamed_span() to keep types backwards compatible by @​alexander-alderman-webb in #6177

... (truncated)

Commits

• 689cb97 Update CHANGELOG.md
• 397dda9 release: 2.59.0
• c0c254a test: Rename file (#6194)
• d90a923 ref(batcher): Only flush the bucket that triggered the flush event (#6168)
• 6436518 ci: 🤖 Update test matrix with new releases (05/04) (#6186)
• 98294ce fix: Introduce _get_current_streamed_span() to keep types backwards compati...
• 66b3c6b test(fastmcp): Span streaming tests (#6167)
• b5735ab fix(batcher): Reset lock and flusher in child after fork (#6163)
• fc3eab4 fix(metrics,logs): Don't attach span_id if no active span (#6162)
• 8e5bd96 test: Assert presence of profile chunks after shutdown (#6174)
• Additional commits viewable in compare view

Updates zope-interface from 8.3 to 8.4

Changelog

Sourced from zope-interface's changelog.

8.4 (2026-04-25)

• Add support for automatically building and publishing Windows/ARM64 wheels.

Commits

• 7a6b18a - prepare release 8.4
• 9f69380 Merge pull request #367 from zopefoundation/config-with-c-code-template-0076d287
• d042b25 - check changes from zopefoundation/meta#410
• 9d11e80 - apply latest zope.meta templates
• 82c447f Back to development: 8.4
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.