Skip to content

chore(deps): bump the uv group across 3 directories with 7 updates#3951

Open
dependabot[bot] wants to merge 1 commit into
canaryfrom
dependabot/uv/baml_language/sdks/python/rust/bridge_python/uv-3c9c252911
Open

chore(deps): bump the uv group across 3 directories with 7 updates#3951
dependabot[bot] wants to merge 1 commit into
canaryfrom
dependabot/uv/baml_language/sdks/python/rust/bridge_python/uv-3c9c252911

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv group with 1 update in the /baml_language/sdks/python/rust/bridge_python directory: pytest.
Bumps the uv group with 4 updates in the /integ-tests/python directory: flask, h11, idna and pyasn1.
Bumps the uv group with 1 update in the /integ-tests/python-v1 directory: pydantic.

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

Commits

Updates flask from 3.0.3 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

3.1.2

This is the Flask 3.1.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.2/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-2 Milestone: https://github.com/pallets/flask/milestone/38?closed=1

  • stream_with_context does not fail inside async views. #5774
  • When using follow_redirects in the test client, the final state of session is correct. #5786
  • Relax type hint for passing bytes IO to send_file. #5776

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659

3.1.0

This is the Flask 3.1.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecations, or introduce potentially breaking changes. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. Test with warnings treated as errors to be able to adapt to deprecation warnings early.

PyPI: https://pypi.org/project/Flask/3.1.0/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-0 Milestone: https://github.com/pallets/flask/milestone/33?closed=1

  • Drop support for Python 3.8. #5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. #5624, #5633
  • Provide a configuration option to control automatic option responses. #5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. #5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added MAX_FORM_MEMORY_SIZE and MAX_FORM_PARTS config. Added documentation about resource limits to the security page. #5625
  • Add support for the Partitioned cookie attribute (CHIPS), with the SESSION_COOKIE_PARTITIONED config. #5472
  • -e path takes precedence over default .env and .flaskenv files. load_dotenv loads default files in addition to a path unless load_defaults=False is passed. #5628
  • Support key rotation with the SECRET_KEY_FALLBACKS config, a list of old secret keys that can still be used for unsigning. Extensions will need to add support. #5621
  • Fix how setting host_matching=True or subdomain_matching=False interacts with SERVER_NAME. Setting SERVER_NAME no longer restricts requests to only that domain. #5553
  • Request.trusted_hosts is checked during routing, and can be set through the TRUSTED_HOSTS config. #5636
Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

  • stream_with_context does not fail inside async views. :issue:5774
  • When using follow_redirects in the test client, the final state of session is correct. :issue:5786
  • Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

  • Drop support for Python 3.8. :pr:5623
  • Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
  • Provide a configuration option to control automatic option responses. :pr:5496
  • Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
  • Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates h11 from 0.14.0 to 0.16.0

Commits

Updates idna from 3.10 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

3.11 (2025-10-12)

  • Update to Unicode 16.0.0, including significant changes to UTS46 processing. As a result of Unicode ending support for it, transitional processing no longer has an effect and returns the same result.

... (truncated)

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

  • Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
  • Fixed OverflowError from oversized BER length field.
  • Fixed DeprecationWarning stacklevel for deprecated attributes.
  • Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

  • Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
  • Added support for Python 3.14.
  • Added SECURITY.md policy.
  • Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

Revision 0.6.2, released 16-01-2026

Commits
  • af65c3b Prepare release 0.6.3
  • 5a49bd1 Merge commit from fork
  • 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
  • 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
  • d7cb42d Fix OverflowError from oversized BER length field (#100)
  • e7356f8 Prepare release 0.6.2
  • 3908f14 Merge commit from fork
  • 0a7e067 Add support for Python 3.14 (#97)
  • 33656e9 Create Security Policy
  • fa62307 fix for issue #91: unit tests failing due to missing code (#92)
  • Additional commits viewable in compare view

Updates werkzeug from 3.0.6 to 3.1.8

Release notes

Sourced from werkzeug's releases.

3.1.8

This is the Werkzeug 3.1.8 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.8/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-8 Milestone: https://github.com/pallets/werkzeug/milestone/45?closed=1

  • Request.host and get_host return the empty string if the header is missing or has invalid characters. #3142

3.1.7

This is the Werkzeug 3.1.7 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.7/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-7 Milestone: https://github.com/pallets/werkzeug/milestone/44?closed=1

  • parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. #3128
  • WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. #3127
  • Transfer-Encoding is parsed as a set. #3134
  • Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. #3113
  • Fix multipart form parser handling of newline at boundary. #3088
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. #3108
  • merge_slashes merges any number of consecutive slashes. #3121

3.1.6

This is the Werkzeug 3.1.6 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.6/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-6

  • safe_join on Windows does not allow special devices names in multi-segment paths. GHSA-29vq-49wr-vm6x

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
  • Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4 Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

... (truncated)

Changelog

Sourced from werkzeug's changelog.

Version 3.1.8

Released 2026-04-02

  • Request.host and get_host return the empty string if the header is missing or has invalid characters. :issue:3142

Version 3.1.7

Released 2026-03-23

  • parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values. :pr:3128
  • WWWAuthenticate.to_header does not produce a trailing space when there are no parameters. :issue:3127
  • Transfer-Encoding is parsed as a set. :pr:3134
  • Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional. :pr:3113
  • Fix multipart form parser handling of newline at boundary. :issue:3088
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108
  • merge_slashes merges any number of consecutive slashes. :issue:3121

Version 3.1.6

Released 2026-02-19

  • safe_join on Windows does not allow special devices names in multi-segment paths. :ghsa:29vq-49wr-vm6x
  • Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request. :issue:3108

Version 3.1.5

Released 2026-01-08

  • safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
  • The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077

... (truncated)

Commits

Updates pydantic from 1 to 1.10.13

Changelog

Sourced from pydantic's changelog.

v2.14.0a1 (2026-05-22)

GitHub release

What's Changed

Packaging

Changes

Fixes

  • Add Mypy plugin workaround for dynamic models defined in functions by @​ilevkivskyi in #13177
  • Fallback to create_model() overload definition when __base__ is set to a type variable in the Mypy plugin by @​cyphercodes in #13146

New Contributors

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

Fixes

v2.13.3 (2026-04-20)

GitHub release

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the uv group with 1 update in the /baml_language/sdks/python/rust/bridge_python directory: [pytest](https://github.com/pytest-dev/pytest).
Bumps the uv group with 4 updates in the /integ-tests/python directory: [flask](https://github.com/pallets/flask), [h11](https://github.com/python-hyper/h11), [idna](https://github.com/kjd/idna) and [pyasn1](https://github.com/pyasn1/pyasn1).
Bumps the uv group with 1 update in the /integ-tests/python-v1 directory: [pydantic](https://github.com/pydantic/pydantic).


Updates `pytest` from 9.0.2 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.2...9.0.3)

Updates `flask` from 3.0.3 to 3.1.3
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.0.3...3.1.3)

Updates `h11` from 0.14.0 to 0.16.0
- [Commits](python-hyper/h11@v0.14.0...v0.16.0)

Updates `idna` from 3.10 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.10...v3.15)

Updates `pyasn1` from 0.6.1 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.1...v0.6.3)

Updates `werkzeug` from 3.0.6 to 3.1.8
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.0.6...3.1.8)

Updates `pydantic` from 1 to 1.10.13
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v1.0...v1.10.13)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: uv
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: h11
  dependency-version: 0.16.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: werkzeug
  dependency-version: 3.1.8
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pydantic
  dependency-version: 1.10.13
  dependency-type: direct:production
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 8, 2026
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
beps Ready Ready Preview, Comment Jul 8, 2026 10:16pm
promptfiddle Ready Ready Preview, Comment Jul 8, 2026 10:16pm
promptfiddle2 Ready Ready Preview, Comment Jul 8, 2026 10:16pm

Request Review

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

⏭️ Performance benchmarks were skipped

Perf benchmarks (CodSpeed) are opt-in on pull requests — they no longer run on every push. They always run automatically after merge to canary/main.

To run them on this PR, do any of the following, then push a commit (or re-run CI):

  • Add RUN_CODSPEED=1 to the PR description, or
  • Include run-perf or /perf in the PR title or any commit message.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Binary size checks passed

7 passed

Artifact Platform File Gzip Gated on Baseline Delta Status
baml-cli Linux 🔒 22.0 MB 9.4 MB file 21.5 MB +425.4 KB (+2.0%) OK
packed-program Linux 🔒 15.9 MB 6.7 MB file 15.6 MB +281.6 KB (+1.8%) OK
baml-cli macOS 🔒 16.9 MB 8.2 MB file 16.6 MB +348.0 KB (+2.1%) OK
packed-program macOS 🔒 12.3 MB 5.9 MB file 12.1 MB +232.0 KB (+1.9%) OK
baml-cli Windows 🔒 18.5 MB 8.4 MB file 18.1 MB +354.8 KB (+2.0%) OK
packed-program Windows 🔒 13.2 MB 5.9 MB file 13.0 MB +223.8 KB (+1.7%) OK
bridge_wasm WASM 14.7 MB 🔒 4.2 MB gzip 4.1 MB +113.2 KB (+2.8%) OK

🔒 = the size this artifact is GATED on (ceiling + delta). Binaries gate on file size (installed binary); WASM gates on gzip (download size). The other size is shown for information only.


Generated by cargo size-gate · workflow run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants