Bump the production-version-updates group with 4 updates

[dependabot]

Bumps the production-version-updates group with 4 updates: fastapi, pydantic-settings, anyio and markupsafe.

Updates fastapi from 0.117.1 to 0.118.0

Release notes

Sourced from fastapi's releases.

0.118.0

Fixes

• 🐛 Fix support for StreamingResponses with dependencies with yield or UploadFiles, close after the response is done. PR #14099 by @​tiangolo.

Before FastAPI 0.118.0, if you used a dependency with yield, it would run the exit code after the path operation function returned but right before sending the response.

This change also meant that if you returned a StreamingResponse, the exit code of the dependency with yield would have been already run.

For example, if you had a database session in a dependency with yield, the StreamingResponse would not be able to use that session while streaming data because the session would have already been closed in the exit code after yield.

This behavior was reverted in 0.118.0, to make the exit code after yield be executed after the response is sent.

You can read more about it in the docs for Advanced Dependencies - Dependencies with yield, HTTPException, except and Background Tasks. Including what you could do if you wanted to close a database session earlier, before returning the response to the client.

Docs

• 📝 Update tutorial/security/oauth2-jwt/ to use pwdlib with Argon2 instead of passlib. PR #13917 by @​Neizvestnyj.
• ✏️ Fix typos in OAuth2 password request forms. PR #14112 by @​alv2017.
• 📝 Update contributing guidelines for installing requirements. PR #14095 by @​alejsdev.

Translations

• 🌐 Sync German docs. PR #14098 by @​nilslindemann.

Internal

• ⬆ [pre-commit.ci] pre-commit autoupdate. PR #14103 by @​pre-commit-ci[bot].
• ♻️ Refactor sponsor image handling. PR #14102 by @​alejsdev.
• 🐛 Fix sponsor display issue by hiding element on image error. PR #14097 by @​alejsdev.
• 🐛 Hide sponsor badge when sponsor image is not displayed. PR #14096 by @​alejsdev.

Commits

• 333f1ba 🔖 Release version 0.118.0
• 1d5168a 📝 Update release notes
• bfa54b4 📝 Update release notes
• e329d78 🐛 Fix support for StreamingResponses with dependencies with yield or `Upl...
• 861b22c 📝 Update release notes
• efdafa4 📝 Update tutorial/security/oauth2-jwt/ to use pwdlib with Argon2 instead ...
• 450a334 📝 Update release notes
• 3eb2ee7 ✏️ Fix typos in OAuth2 password request forms (#14112)
• 287eb31 📝 Update release notes
• cca3341 🌐 Sync German docs (#14098)
• Additional commits viewable in compare view

Updates pydantic-settings from 2.10.1 to 2.11.0

Release notes

Sourced from pydantic-settings's releases.

v2.11.0

What's Changed

• CLI Serialize Support by @​kschwab in pydantic/pydantic-settings#643
• Inspect type aliases to determine if an annotation is complex by @​tselepakis in pydantic/pydantic-settings#644
• Revert "fix: Respect 'cli_parse_args' from model_config with settings_customise_sources (#611)" by @​hramezani in pydantic/pydantic-settings#655
• Remove parsing of command line arguments from CliSettingsSource.__init__. by @​trygve-baerland in pydantic/pydantic-settings#656
• turn off allow_abbrev on subparsers by @​mroch in pydantic/pydantic-settings#658
• CLI Serialization Fixes by @​kschwab in pydantic/pydantic-settings#649
• Fix PydanticModel type checking. by @​kschwab in pydantic/pydantic-settings#659
• Avoid env_prefix falling back to env vars without prefix by @​tselepakis in pydantic/pydantic-settings#648
• Warn if model_config sets unused keys for missing settings sources by @​HomerusJa in pydantic/pydantic-settings#663
• Included endpoint_url kwarg in AWSSecretsManagerSettingsSource class by @​adrianohrl in pydantic/pydantic-settings#664
• Fix typo ("Accesing") in the "Adding sources" docs by @​deepyaman in pydantic/pydantic-settings#668
• CLI Windows Path Fix by @​kschwab in pydantic/pydantic-settings#669
• Cli root model support by @​kschwab in pydantic/pydantic-settings#677
• Snake case conversion in Azure Key Vault by @​AndreuCodina in pydantic/pydantic-settings#680
• Make InitSettingsSource resolution deterministic by @​enrico-stauss in pydantic/pydantic-settings#681
• Update deps by @​hramezani in pydantic/pydantic-settings#683

New Contributors

• @​tselepakis made their first contribution in pydantic/pydantic-settings#644
• @​trygve-baerland made their first contribution in pydantic/pydantic-settings#656
• @​mroch made their first contribution in pydantic/pydantic-settings#658
• @​HomerusJa made their first contribution in pydantic/pydantic-settings#663
• @​adrianohrl made their first contribution in pydantic/pydantic-settings#664
• @​deepyaman made their first contribution in pydantic/pydantic-settings#668
• @​enrico-stauss made their first contribution in pydantic/pydantic-settings#681

Full Changelog: pydantic/pydantic-settings@2.10.1...v2.11.0

Commits

• 3e66430 Prepare release 2.11.0 (#684)
• 44fb5b7 Update deps (#683)
• 0497ef2 Make InitSettingsSource resolution deterministic (#681)
• c22cef4 Snake case conversion in Azure Key Vault (#680)
• 9c6c9b5 Cli root model support (#677)
• a164b73 CLI Windows Path Fix (#669)
• d81f8d8 Fix typo ("Accesing") in the "Adding sources" docs (#668)
• 53ade97 Included endpoint_url kwarg in AWSSecretsManagerSettingsSource class (#664)
• 1967d6f Warn if model_config sets unused keys for missing settings sources (#663)
• 1fc2087 Avoid env_prefix falling back to env vars without prefix (#648)
• Additional commits viewable in compare view

Updates anyio from 4.10.0 to 4.11.0

Release notes

Sourced from anyio's releases.

4.11.0

• Added support for cancellation reasons (the reason parameter to CancelScope.cancel()) (#975)
• Bumped the minimum version of Trio to v0.31.0
• Added the ability to enter the event loop from foreign (non-worker) threads by passing the return value of anyio.lowlevel.current_token() to anyio.from_thread.run() and anyio.from_thread.run_sync() as the token keyword argument (#256)
• Added pytest option (anyio_mode = "auto") to make the pytest plugin automatically handle all async tests (#971)
• Added the anyio.Condition.wait_for() method for feature parity with asyncio (#974)
• Changed the default type argument of anyio.abc.TaskStatus from Any to None (#964)
• Fixed TCP listener behavior to guarantee the same ephemeral port is used for all socket listeners when local_port=0 (#857; PR by @​11kkw and @​agronholm)
• Fixed inconsistency between Trio and asyncio where a TCP stream that previously raised a BrokenResourceError on send() would still raise BrokenResourceError after the stream was closed on asyncio, but ClosedResourceError on Trio. They now both raise a ClosedResourceError in this scenario. (#671)

Changelog

Sourced from anyio's changelog.

Version history

This library adheres to Semantic Versioning 2.0 <http://semver.org/>_.

4.11.0

• Added support for cancellation reasons (the reason parameter to CancelScope.cancel()) ([#975](https://github.com/agronholm/anyio/issues/975) <https://github.com/agronholm/anyio/pull/975>_)
• Bumped the minimum version of Trio to v0.31.0
• Added the ability to enter the event loop from foreign (non-worker) threads by passing the return value of anyio.lowlevel.current_token() to anyio.from_thread.run() and anyio.from_thread.run_sync() as the token keyword argument ([#256](https://github.com/agronholm/anyio/issues/256) <https://github.com/agronholm/anyio/issues/256>_)
• Added pytest option (anyio_mode = "auto") to make the pytest plugin automatically handle all async tests ([#971](https://github.com/agronholm/anyio/issues/971) <https://github.com/agronholm/anyio/pull/971>_)
• Added the anyio.Condition.wait_for() method for feature parity with asyncio ([#974](https://github.com/agronholm/anyio/issues/974) <https://github.com/agronholm/anyio/pull/974>_)
• Changed the default type argument of anyio.abc.TaskStatus from Any to None ([#964](https://github.com/agronholm/anyio/issues/964) <https://github.com/agronholm/anyio/pull/964>_)
• Fixed TCP listener behavior to guarantee the same ephemeral port is used for all socket listeners when local_port=0 ([#857](https://github.com/agronholm/anyio/issues/857) <https://github.com/agronholm/anyio/issues/857>_; PR by @​11kkw and @​agronholm)
• Fixed inconsistency between Trio and asyncio where a TCP stream that previously raised a BrokenResourceError on send() would still raise BrokenResourceError after the stream was closed on asyncio, but ClosedResourceError on Trio. They now both raise a ClosedResourceError in this scenario. ([#671](https://github.com/agronholm/anyio/issues/671) <https://github.com/agronholm/anyio/issues/671>_)

4.10.0

• Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer

• Added various class methods to wrap existing sockets as listeners or socket streams:

  • SocketListener.from_socket()
  • SocketStream.from_socket()
  • UNIXSocketStream.from_socket()
  • UDPSocket.from_socket()
  • ConnectedUDPSocket.from_socket()
  • UNIXDatagramSocket.from_socket()
  • ConnectedUNIXDatagramSocket.from_socket()

• Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects

• Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups ([#905](https://github.com/agronholm/anyio/issues/905) <https://github.com/agronholm/anyio/pull/905>_; PR by @​agronholm and

... (truncated)

Commits

• 08737af Bumped up the version
• 8bb9fe0 Fixed the inconsistent exception on sending to a closed TCP stream (#980)
• 9637093 [pre-commit.ci] pre-commit autoupdate (#981)
• f1bc6ee Fixed changelog entry formatting
• 0b58964 Mentioned the sub-interpreter support in the README
• 1ed112c Ensure same port is used for IPv4/IPv6 when creating TCP listener with local_...
• aceeee0 Re-enabled coverage reporting on macOS
• 6b890dc Reworded a changelog entry and added PR links to others
• 944257d Updated pre-commit modules
• 087975f Fixed a documentation style (#976)
• Additional commits viewable in compare view

Updates markupsafe from 3.0.2 to 3.0.3

Release notes

Sourced from markupsafe's releases.

3.0.3

This is the MarkupSafe 3.0.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/MarkupSafe/3.0.3/ Changes: https://markupsafe.palletsprojects.com/page/changes/#version-3-0-3 Milestone: https://github.com/pallets/markupsafe/milestone/15?closed=1

• __version__ raises DeprecationWarning instead of UserWarning. #487
• Adopt multi-phase initialization PEP 489 for the C extension. #494
• Build Windows ARM64 wheels. #485
• Build Python 3.14 wheels. #503
• Build riscv64 wheels. #505

Changelog

Sourced from markupsafe's changelog.

Version 3.0.3

Released 2025-09-27

• __version__ raises DeprecationWarning instead of UserWarning. :issue:487
• Adopt multi-phase initialisation (:pep:489) for the C extension. :issue:494
• Build Windows ARM64 wheels. :issue:485
• Build Python 3.14 wheels. :issue:503
• Build riscv64 wheels. :issue:505

Commits

• 297fc8e release version 3.0.3
• 7e4e6ce Free-threading: run with pytest-run-paralell (#507)
• 6100b9c enable riscv64 wheels (#506)
• c9d5ecf enable riscv64 wheels
• 2f9b337 tox for 3.14
• 78d951a update dev dependencies
• bb6744e add entry
• 65c4134 upgrade cibuildwheel, add cp314 wheels and test on CPython 3.14 (#504)
• 3a9bd88 add cp314 wheels
• aafe44d remove slsa provenance (#501)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions