Skip to content

chore(deps): bump the uv group across 1 directory with 11 updates#741

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/uv-3385949354
Open

chore(deps): bump the uv group across 1 directory with 11 updates#741
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/uv/uv-3385949354

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026
edited
Loading

Bumps the uv group with 11 updates in the / directory:

Package From To
authlib 1.6.6 1.6.9
black 25.9.0 26.3.1
cryptography 46.0.2 46.0.5
langsmith 0.4.32 0.6.3
lxml-html-clean 0.4.3 0.4.4
nbconvert 7.16.6 7.17.0
orjson 3.11.5 3.11.6
pillow 11.3.0 12.1.1
protobuf 6.32.1 6.33.5
pypdf 6.6.2 6.8.0
tornado 6.5.2 6.5.5

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

  • Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

  • Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
  • Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
  • Stop support for Python 3.9, start support Python 3.14. :pr:850
  • Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
  • Fix expires_at=0 being incorrectly treated as None. :issue:530
  • Allow ResourceProtector decorator to be used without parentheses. :issue:604
  • Implement RFC9700 PKCE downgrade countermeasure.
  • Set User-Agent header when fetching server metadata and JWKs. :issue:704
  • RFC7523 accepts the issuer URL as a valid audience. :issue:730

Upgrade Guide: :ref:joserfc_upgrade.

Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • a769f34 chore: release 1.6.8
  • 84f3fa2 fix: add EdDSA to default jwt algorithms
  • 38e872a chore: release 1.6.7
  • b87c32e fix: remove "none" algorithm from default jwt instance
  • See full diff in compare view

Updates black from 25.9.0 to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

  • Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

  • Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

  • Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

  • Introduce winloop for windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

... (truncated)

Changelog

Sourced from black's changelog.

26.3.1

Stable style

  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

  • Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

  • Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

  • Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

  • Introduce winloop for windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

... (truncated)

Commits

Updates cryptography from 46.0.2 to 46.0.5

Changelog

Sourced from cryptography's changelog.

46.0.5 - 2026-02-10


* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.

.. v46-0-4:


46.0.4 - 2026-01-27

  • Dropped support for win_arm64 wheels_.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15


* Fixed compilation when using LibreSSL 4.2.0.

.. _v46-0-2:

Commits

Updates langsmith from 0.4.32 to 0.6.3

Release notes

Sourced from langsmith's releases.

v0.6.1

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.6.0...v0.6.1

v0.6.0

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.5.2...v0.6.0

v0.6.0rc0

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.5.1...v0.6.0rc0

v0.5.2

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.5.1...v0.5.2

... (truncated)

Commits

Updates lxml-html-clean from 0.4.3 to 0.4.4

Changelog

Sourced from lxml-html-clean's changelog.

0.4.4 (2026-02-26)

Bugs fixed

  • Fixed a bug where Unicode escapes in CSS were not properly decoded before security checks. This prevents attackers from bypassing filters using escape sequences. (CVE-2026-28348)
  • Fixed a security issue where <base> tags could be used for URL hijacking attacks. The <base> tag is now automatically removed whenever the <head> tag is removed (via page_structure=True or manual configuration), as <base> must be inside <head> according to HTML specifications. (CVE-2026-28350)
Commits
  • fd10d79 Add more tests for different combinations of backslashes and unicode
  • 5b7e228 Restore the removal of all backslashes from styles after decoding of unicode ...
  • 88da8f9 Prepare release 0.4.4
  • 9c5612c Remove <base> tags to prevent URL hijacking attacks
  • 2ef7326 Implement unicode escape decoding
  • 7c854af Add missing Python 3.14 to classifiers
  • 80cebf7 Continue using the package link
  • 1cef82e Update safe sanitizer recommendation
  • 79f35f4 CI: Drop Python 3.8, add 3.14
  • See full diff in compare view

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

Updates orjson from 3.11.5 to 3.11.6

Release notes

Sourced from orjson's releases.

3.11.6

Changed

  • orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
  • Drop support for Python 3.9.
  • ABI compatibility with CPython 3.15 alpha 5.
  • Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

  • Fix sporadic crash serializing deeply nested list of dict.
Changelog

Sourced from orjson's changelog.

3.11.6 - 2026-01-29

Changed

  • orjson now includes code licensed under the Mozilla Public License 2.0 (MPL-2.0).
  • Drop support for Python 3.9.
  • ABI compatibility with CPython 3.15 alpha 5.
  • Build now depends on Rust 1.89 or later instead of 1.85.

Fixed

  • Fix sporadic crash serializing deeply nested list of dict.
Commits

Updates pillow from 11.3.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

Other changes

12.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.0.html

Deprecations

Documentation

Dependencies

Testing

... (truncated)

Commits

Updates protobuf from 6.32.1 to 6.33.5

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

  • Fix: cc_toolchain should prefer protoc when prebuilt flag is flipped. (#25168) (protocolbuffers/protobuf@8c857c3)
  • Breaking change: Remove deprecated ProtoIn...

    Description has been truncated

    Note
    Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Mar 16, 2026
@greptile-apps
Copy link
Copy Markdown

greptile-apps bot commented Mar 16, 2026

No reviewable files after applying ignore patterns.

@dependabot @giordano-lucas
chore(deps): bump the uv group across 1 directory with 11 updates
987e8cd 
Bumps the uv group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [authlib](https://github.com/authlib/authlib) | `1.6.6` | `1.6.9` |
| [black](https://github.com/psf/black) | `25.9.0` | `26.3.1` |
| [cryptography](https://github.com/pyca/cryptography) | `46.0.2` | `46.0.5` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.4.32` | `0.6.3` |
| [lxml-html-clean](https://github.com/fedora-python/lxml_html_clean) | `0.4.3` | `0.4.4` |
| [nbconvert](https://github.com/jupyter/nbconvert) | `7.16.6` | `7.17.0` |
| [orjson](https://github.com/ijl/orjson) | `3.11.5` | `3.11.6` |
| [pillow](https://github.com/python-pillow/Pillow) | `11.3.0` | `12.1.1` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `6.32.1` | `6.33.5` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.6.2` | `6.8.0` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.5.2` | `6.5.5` |



Updates `authlib` from 1.6.6 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.6...v1.6.9)

Updates `black` from 25.9.0 to 26.3.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@25.9.0...26.3.1)

Updates `cryptography` from 46.0.2 to 46.0.5
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.2...46.0.5)

Updates `langsmith` from 0.4.32 to 0.6.3
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](https://github.com/langchain-ai/langsmith-sdk/commits)

Updates `lxml-html-clean` from 0.4.3 to 0.4.4
- [Changelog](https://github.com/fedora-python/lxml_html_clean/blob/main/CHANGES.rst)
- [Commits](fedora-python/lxml_html_clean@0.4.3...0.4.4)

Updates `nbconvert` from 7.16.6 to 7.17.0
- [Release notes](https://github.com/jupyter/nbconvert/releases)
- [Changelog](https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md)
- [Commits](jupyter/nbconvert@v7.16.6...v7.17.0)

Updates `orjson` from 3.11.5 to 3.11.6
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](ijl/orjson@3.11.5...3.11.6)

Updates `pillow` from 11.3.0 to 12.1.1
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@11.3.0...12.1.1)

Updates `protobuf` from 6.32.1 to 6.33.5
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `pypdf` from 6.6.2 to 6.8.0
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.6.2...6.8.0)

Updates `tornado` from 6.5.2 to 6.5.5
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.2...v6.5.5)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: indirect
  dependency-group: uv
- dependency-name: black
  dependency-version: 26.3.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: langsmith
  dependency-version: 0.6.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: lxml-html-clean
  dependency-version: 0.4.4
  dependency-type: indirect
  dependency-group: uv
- dependency-name: nbconvert
  dependency-version: 7.17.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: orjson
  dependency-version: 3.11.6
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pillow
  dependency-version: 12.1.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: protobuf
  dependency-version: 6.33.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.8.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: tornado
  dependency-version: 6.5.5
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@giordano-lucas giordano-lucas force-pushed the dependabot/uv/uv-3385949354 branch from 96c2744 to 987e8cd Compare March 23, 2026 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants