Skip to content

chore(deps): Bump the minor-and-patch group across 1 directory with 11 updates#57

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/apps/python-extractor/minor-and-patch-5443d29c36
Open

chore(deps): Bump the minor-and-patch group across 1 directory with 11 updates#57
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/apps/python-extractor/minor-and-patch-5443d29c36

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown

Bumps the minor-and-patch group with 11 updates in the /apps/python-extractor directory:

Package From To
fastapi 0.136.1 0.138.0
uvicorn 0.46.0 0.49.0
pydantic 2.13.3 2.13.4
pydantic-settings 2.14.0 2.14.2
beautifulsoup4 4.14.3 4.15.0
lxml 6.1.0 6.1.1
yt-dlp 2026.3.17 2026.6.9
ctranslate2 4.7.1 4.8.0
pytest 9.0.3 9.1.1
pytest-asyncio 1.3.0 1.4.0
ruff 0.15.12 0.15.18

Updates fastapi from 0.136.1 to 0.138.0

Release notes

Sourced from fastapi's releases.

0.138.0

Features

  • ✨ Add support for app.frontend("/", directory="dist") and router.frontend("/", directory="dist"). PR #15800 by @​tiangolo.

Docs

Translations

Internal

0.137.2

Features

  • ✨ Add iter_route_contexts() for advanced use cases that used to use router.routes (e.g. Jupyverse). PR #15785 by @​tiangolo.

Translations

Internal

... (truncated)

Commits

Updates uvicorn from 0.46.0 to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Version 0.48.0

What's Changed

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Version 0.47.0

What's Changed

Full Changelog: Kludex/uvicorn@0.46.0...0.47.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

  • Bump httptools minimum version to 0.8.0 (#2962)
  • Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

Changed

  • Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

  • Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

  • Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

  • Eagerly import the ASGI app in the parent process (#2919)

Fixed

  • Treat fd=0 as a valid file descriptor with reload/workers (#2927)
Commits
  • 3ef2e3e Version 0.49.0 (#2973)
  • eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
  • 630f4ac Make the watchfiles reload tests deterministic (#2972)
  • 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
  • 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
  • be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
  • c489d7e Bump httptools minimum version to 0.8.0 (#2962)
  • 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
  • 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
  • cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
  • Additional commits viewable in compare view

Updates pydantic from 2.13.3 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

Fixes

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

Fixes

Commits
  • cf67d4b Fix linting
  • f0d8a21 Prepare release v2.13.4
  • 5e3fe1d Check for pydantic tag pattern in CI
  • 7f9edcc Document tagging conventions
  • b46a0c9 Adapt pydantic-core linker flags on macOS
  • 50629c8 Update to PyPy 7.3.22
  • 8522ebb Preserve RootModel core metadata
  • a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
  • 909259a Remove Logfire example in documentation
  • 2c4174c Bump libc from 0.2.155 to 0.2.185
  • See full diff in compare view

Updates pydantic-settings from 2.14.0 to 2.14.2

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

v2.14.1

What's Changed

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

Commits

Updates beautifulsoup4 from 4.14.3 to 4.15.0

Updates lxml from 6.1.0 to 6.1.1

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

Commits
  • b4a4c59 Build: Fix build in Py3.8.
  • a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
  • 7287a75 Prepare release of 6.1.1.
  • 5927a6d Add missing "xlink:href" to the known HTML link attributes.
  • 23efeb4 Build: Fix build in Py3.8.
  • 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
  • 8a35fcc Fix doctest in PyPy3.9.
  • See full diff in compare view

Updates yt-dlp from 2026.3.17 to 2026.6.9

Release notes

Sourced from yt-dlp's releases.

yt-dlp 2026.06.09

Installation Discord Donate Documentation Nightly Master

A description of the various files is in the README

The zipimport Unix executable contains code licensed under ISC and MIT. The PyInstaller-bundled executables are subject to these and other licenses, all of which are compiled in THIRD_PARTY_LICENSES.txt


Important changes

  • The minimum supported versions of Deno, Node, and Bun have been raised. The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
  • Security
    • Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
      • Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
    • [CVE-2026-50019] File Downloader cookie leak with curl
      • Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
    • [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
      • Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
    • [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
      • Impact is limited to users of --downloader aria2c
      • Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader

Core changes

Extractor changes

... (truncated)

Changelog

Sourced from yt-dlp's changelog.

Changelog

2026.06.09

Important changes

  • The minimum supported versions of Deno, Node, and Bun have been raised. The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
  • Security
    • Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
      • Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
    • [CVE-2026-50019] File Downloader cookie leak with curl
      • Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
    • [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
      • Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
    • [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
      • Impact is limited to users of --downloader aria2c
      • Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader

Core changes

Extractor changes

... (truncated)

Commits

Updates ctranslate2 from 4.7.1 to 4.8.0

Release notes

Sourced from ctranslate2's releases.

v4.8.0

v4.8.0 (2026-06-06)

New features

Fixes and improvements

v4.7.2

v4.7.2 (2026-05-18)

New features

Fixes and improvements

Changelog

Sourced from ctranslate2's changelog.

v4.8.0 (2026-06-06)

New features

Fixes and improvements

v4.7.2 (2026-05-18)

New features

Fixes and improvements

Commits
  • 54a546c Version 4.80 (#2061)
  • 0214986 Upgrade Thrust submodule from 1.12.0 to CCCL 2.7.0 (#2062)
  • fbfee84 Add support for Google T5Gemma2 (#2058)
  • 5dfc5d8 Upgrade CI system dependencies and reduce build time (#2056)
  • 0b160a7 Enables PACKED_GEMM by default for Intel MKL to improve Intel CPU performanc...
  • 4a9ed43 Adopt latest BS_thread_pool libary version v5.1.0 (#2053)
  • 9ff9c71 Fix PyPI publish: download wheels to dist/ to avoid directory hash error (#2050)
  • 9463f04 Fix flaky transformers_wav2vec2 test (#1996)
  • 95fdccb Bump version to 4.72
  • 09e5fea Gemma4 support for dense model (#2048)
  • Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request

…1 updates

Bumps the minor-and-patch group with 11 updates in the /apps/python-extractor directory:

| Package | From | To |
| --- | --- | --- |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.1` | `0.138.0` |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.46.0` | `0.49.0` |
| [pydantic](https://github.com/pydantic/pydantic) | `2.13.3` | `2.13.4` |
| [pydantic-settings](https://github.com/pydantic/pydantic-settings) | `2.14.0` | `2.14.2` |
| [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) | `4.14.3` | `4.15.0` |
| [lxml](https://github.com/lxml/lxml) | `6.1.0` | `6.1.1` |
| [yt-dlp](https://github.com/yt-dlp/yt-dlp) | `2026.3.17` | `2026.6.9` |
| [ctranslate2](https://github.com/OpenNMT/CTranslate2) | `4.7.1` | `4.8.0` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) | `1.3.0` | `1.4.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.12` | `0.15.18` |



Updates `fastapi` from 0.136.1 to 0.138.0
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.1...0.138.0)

Updates `uvicorn` from 0.46.0 to 0.49.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.46.0...0.49.0)

Updates `pydantic` from 2.13.3 to 2.13.4
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v2.13.3...v2.13.4)

Updates `pydantic-settings` from 2.14.0 to 2.14.2
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.14.0...v2.14.2)

Updates `beautifulsoup4` from 4.14.3 to 4.15.0

Updates `lxml` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.1.0...lxml-6.1.1)

Updates `yt-dlp` from 2026.3.17 to 2026.6.9
- [Release notes](https://github.com/yt-dlp/yt-dlp/releases)
- [Changelog](https://github.com/yt-dlp/yt-dlp/blob/master/Changelog.md)
- [Commits](yt-dlp/yt-dlp@2026.03.17...2026.06.09)

Updates `ctranslate2` from 4.7.1 to 4.8.0
- [Release notes](https://github.com/OpenNMT/CTranslate2/releases)
- [Changelog](https://github.com/OpenNMT/CTranslate2/blob/master/CHANGELOG.md)
- [Commits](OpenNMT/CTranslate2@v4.7.1...v4.8.0)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

Updates `ruff` from 0.15.12 to 0.15.18
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.12...0.15.18)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.138.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: uvicorn
  dependency-version: 0.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: pydantic-settings
  dependency-version: 2.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: beautifulsoup4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: yt-dlp
  dependency-version: 2026.6.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ctranslate2
  dependency-version: 4.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: ruff
  dependency-version: 0.15.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants