Skip to content

Bump the uv group across 1 directory with 16 updates#14

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-ddad49b1ec
Open

Bump the uv group across 1 directory with 16 updates#14
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-ddad49b1ec

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026

Copy link
Copy Markdown

Bumps the uv group with 16 updates in the / directory:

Package From To
litestar 2.19.0 2.20.0
cryptography 46.0.3 46.0.6
dbt-common 1.37.2 1.37.3
deepdiff 8.6.1 8.6.2
dynaconf 3.2.12 3.2.13
flask 3.1.2 3.1.3
multipart 1.3.0 1.3.1
nbconvert 7.16.6 7.17.0
nltk 3.9.2 3.9.4
pillow 12.1.0 12.1.1
protobuf 6.33.2 6.33.5
pyasn1 0.6.1 0.6.3
requests 2.32.5 2.33.0
tornado 6.5.4 6.5.5
ujson 5.11.0 5.12.0
werkzeug 3.1.5 3.1.6

Updates litestar from 2.19.0 to 2.20.0

Release notes

Sourced from litestar's releases.

v2.20.0

Sponsors 🌟

Thanks to these incredible business sponsors:

Thanks to these incredible personal sponsors:

New contributors 🎉

Changelog

https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0

Compare Changes litestar-org/litestar@v2.19.0...v2.20.0

Commits
  • b343d5a chore: Release 2.20.0
  • 5b4b826 chore: Typing and linting fixes for 3.8
  • 7fe995f Revert "chore(typing): Various typing fixes (mostly tests)"
  • 06b36f4 fix(allowed hosts): Ensure host names are always properly escaped when used i...
  • eb87703 fix(cors): Ensure allow_origins are properly escaped before constructing regex
  • 85db618 fix(stores): Eliminate possibility of file name collisions during key normali...
  • f57e508 chore: formatting
  • dbf75a4 fix(jwt): Fix tests for new pyjwt version
  • 0b5ddcf chore: Update dependencies
  • c6d0ff2 chore(typing): Various typing fixes (mostly tests)
  • Additional commits viewable in compare view

Updates cryptography from 46.0.3 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25


* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**

.. _v46-0-5:

46.0.5 - 2026-02-10

  • An attacker could create a malicious public key that reveals portions of your private key when using certain uncommon elliptic curves (binary curves). This version now includes additional security checks to prevent this attack. This issue only affects binary elliptic curves, which are rarely used in real-world applications. Credit to XlabAI Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting the issue. CVE-2026-26007
  • Support for SECT* binary elliptic curves is deprecated and will be removed in the next release.

.. v46-0-4:

46.0.4 - 2026-01-27


* `Dropped support for win_arm64 wheels`_.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

Commits

Updates dbt-common from 1.37.2 to 1.37.3

Changelog

Sourced from dbt-common's changelog.

dbt-common 1.37.3 - March 02, 2026

Security

  • Replace os.path.commonprefix() with os.path.commonpath() to preventpath traversal via sibling directories with matching prefixes. (#1)
Commits

Updates deepdiff from 8.6.1 to 8.6.2

Release notes

Sourced from deepdiff's releases.

8.6.2 - Fix (CVE-2025-58367)

Commits

Updates dynaconf from 3.2.12 to 3.2.13

Release notes

Sourced from dynaconf's releases.

3.2.13

What's Changed

Bug Fixes

Full Changelog: dynaconf/dynaconf@3.2.12...3.2.13

Changelog

Sourced from dynaconf's changelog.

3.2.13 - 2026-03-17

Chore

  • fix linting errors and pre-commit config. By Pedro Brochado.
Commits

Updates flask from 3.1.2 to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726
Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

  • The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726
Commits
  • 22d9247 release version 3.1.3
  • 089cb86 Merge commit from fork
  • c17f379 request context tracks session access
  • 27be933 start version 3.1.3
  • 4e652d3 Abort if the instance folder cannot be created (#5903)
  • 3d03098 Abort if the instance folder cannot be created
  • 407eb76 document using gevent for async (#5900)
  • ac5664d document using gevent for async
  • 4f79d5b Increase required flit_core version to 3.11 (#5865)
  • fe3b215 Increase required flit_core version to 3.11
  • Additional commits viewable in compare view

Updates multipart from 1.3.0 to 1.3.1

Release notes

Sourced from multipart's releases.

v1.3.1

Full Changelog: defnull/multipart@v1.3.0...v1.3.1

This release contains security fixes. See GHSA-p2m9-wcp5-6qw3

Commits

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

Updates nltk from 3.9.2 to 3.9.4

Changelog

Sourced from nltk's changelog.

Version 3.9.4 2026-03-24

  • Support Python 3.14
  • Fix bug in Levenshtein distance when substitution_cost > 2
  • Fix bug in Treebank detokeniser re quote ordering
  • Fix bug in Jaro similarity for empty strings
  • Several security enhancements
  • Fix GHSA-rf74-v2fm-23pw: unbounded recursion in JSONTaggedDecoder
  • Implement TextTiling vocabulary introduction method (Hearst 1997)
  • Fix ALINE feature matrix errors and add comprehensive tests
  • Support multiple VerbNet versions, fix longid/shortid regex for VerbNet ids
  • Let downloader fallback to md5 when sha256 is unavailable
  • Several other minor bugfixes and code cleanups

Thanks to the following contributors to 3.9.4: Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01, jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,

Version 3.9.3 2026-02-21

  • Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)
  • Add optional sandbox enforcement for filestring() (#3485)
  • Maintenance: downloader/zipped models, CI/tooling updates

Thanks to the following contributors to 3.9.3: Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher Smith

Version 3.9.2 2025-10-01

  • Update download checksums to use SHA256 in built index
  • Fix percentage escape in new-style string formatting
  • replace shortened URLs using goo.gl
  • Make Wordnet interoperable with various taggers and tagged corpora
  • Fix saving PerceptronTagger
  • Document how to reproduce old Wordnet studies
  • properly initialize Portuguese corpus reader
  • support for mixed rules conversion into Chomsky Normal Form
  • only import tkinter if a GUI is needed
  • issue #2112 with Corenlp
  • new environment variable NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL
  • Lesk defaults to most frequent sense in case of ties

Thanks to the following contributors to 3.9.2: Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix, Jason Liu, Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram Ul Haq, Christopher Smith, Ryan Mannion

Version 3.9.1 2024-08-19

... (truncated)

Commits
  • ad9c96b Update copyright year
  • 7edcddf Updates for 3.9.4 release
  • 67a2736 Merge pull request #3180 from yzhaoinuw/bug-on-edit_distance_align
  • 2b17ac5 Fix edit_distance_align backtrace for high substitution costs
  • 4b72976 Merge pull request #3018 from JuanIMartinezB/bug/shortid-longid
  • 8a5619f Merge pull request #3222 from Syzygy2048/feature/texttiling-vocabulary-introd...
  • c6574d7 Merge pull request #3289 from ihitamandal/codeflash/optimize-windowdiff-2024-...
  • 98ff5d9 Merge pull request #3435 from Hrudhai01/fix-3260-detokenize-quotes
  • aec4fce Merge pull request #3522 from ekaf/pathsec
  • eec4ee3 Merge pull request #3526 from nltk/update-contributing
  • Additional commits viewable in compare view

Updates pillow from 12.1.0 to 12.1.1

Release notes

Sourced from pillow's releases.

12.1.1

https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html

Dependencies

Other changes

Commits

Updates protobuf from 6.33.2 to 6.33.5

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

... (truncated)

Commits

Updates pyasn1 from 0.6.1 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

  • Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
  • Fixed OverflowError from oversized BER length field.
  • Fixed DeprecationWarning stacklevel for deprecated attributes.
  • Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Release 0.6.2

It's a minor release.

  • Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
  • Added support for Python 3.14.
  • Added SECURITY.md policy.
  • Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

Revision 0.6.2, released 16-01-2026

Commits
  • af65c3b Prepare release 0.6.3
  • 5a49bd1 Merge commit from fork
  • 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
  • 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
  • d7cb42d Fix OverflowError from oversized BER length field (#100)
  • e7356f8 Prepare release 0.6.2
  • 3908f14 Merge commit from fork
  • 0a7e067 Add support for Python 3.14 (#97)
  • 33656e9 Create Security Policy
  • fa62307 fix for issue #91: unit tests failing due to missing code (#92)
  • Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Changelog

Sourced from requests's changelog.

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback yo...

    Description has been truncated

Bumps the uv group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [litestar](https://github.com/litestar-org/litestar) | `2.19.0` | `2.20.0` |
| [cryptography](https://github.com/pyca/cryptography) | `46.0.3` | `46.0.6` |
| [dbt-common](https://github.com/dbt-labs/dbt-common) | `1.37.2` | `1.37.3` |
| [deepdiff](https://github.com/qlustered/deepdiff) | `8.6.1` | `8.6.2` |
| [dynaconf](https://github.com/dynaconf/dynaconf) | `3.2.12` | `3.2.13` |
| [flask](https://github.com/pallets/flask) | `3.1.2` | `3.1.3` |
| [multipart](https://github.com/defnull/multipart) | `1.3.0` | `1.3.1` |
| [nbconvert](https://github.com/jupyter/nbconvert) | `7.16.6` | `7.17.0` |
| [nltk](https://github.com/nltk/nltk) | `3.9.2` | `3.9.4` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.1.0` | `12.1.1` |
| [protobuf](https://github.com/protocolbuffers/protobuf) | `6.33.2` | `6.33.5` |
| [pyasn1](https://github.com/pyasn1/pyasn1) | `0.6.1` | `0.6.3` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.0` |
| [tornado](https://github.com/tornadoweb/tornado) | `6.5.4` | `6.5.5` |
| [ujson](https://github.com/ultrajson/ultrajson) | `5.11.0` | `5.12.0` |
| [werkzeug](https://github.com/pallets/werkzeug) | `3.1.5` | `3.1.6` |



Updates `litestar` from 2.19.0 to 2.20.0
- [Release notes](https://github.com/litestar-org/litestar/releases)
- [Commits](litestar-org/litestar@v2.19.0...v2.20.0)

Updates `cryptography` from 46.0.3 to 46.0.6
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.3...46.0.6)

Updates `dbt-common` from 1.37.2 to 1.37.3
- [Changelog](https://github.com/dbt-labs/dbt-common/blob/main/CHANGELOG.md)
- [Commits](https://github.com/dbt-labs/dbt-common/commits)

Updates `deepdiff` from 8.6.1 to 8.6.2
- [Release notes](https://github.com/qlustered/deepdiff/releases)
- [Changelog](https://github.com/qlustered/deepdiff/blob/master/CHANGELOG.md)
- [Commits](qlustered/deepdiff@8.6.1...8.6.2)

Updates `dynaconf` from 3.2.12 to 3.2.13
- [Release notes](https://github.com/dynaconf/dynaconf/releases)
- [Changelog](https://github.com/dynaconf/dynaconf/blob/3.2.13/CHANGELOG.md)
- [Commits](dynaconf/dynaconf@3.2.12...3.2.13)

Updates `flask` from 3.1.2 to 3.1.3
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.1.2...3.1.3)

Updates `multipart` from 1.3.0 to 1.3.1
- [Release notes](https://github.com/defnull/multipart/releases)
- [Changelog](https://github.com/defnull/multipart/blob/main/CHANGELOG.rst)
- [Commits](defnull/multipart@v1.3.0...v1.3.1)

Updates `nbconvert` from 7.16.6 to 7.17.0
- [Release notes](https://github.com/jupyter/nbconvert/releases)
- [Changelog](https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md)
- [Commits](jupyter/nbconvert@v7.16.6...v7.17.0)

Updates `nltk` from 3.9.2 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.2...3.9.4)

Updates `pillow` from 12.1.0 to 12.1.1
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.1.0...12.1.1)

Updates `protobuf` from 6.33.2 to 6.33.5
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `pyasn1` from 0.6.1 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.1...v0.6.3)

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

Updates `tornado` from 6.5.4 to 6.5.5
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst)
- [Commits](tornadoweb/tornado@v6.5.4...v6.5.5)

Updates `ujson` from 5.11.0 to 5.12.0
- [Release notes](https://github.com/ultrajson/ultrajson/releases)
- [Commits](ultrajson/ultrajson@5.11.0...5.12.0)

Updates `werkzeug` from 3.1.5 to 3.1.6
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.5...3.1.6)

---
updated-dependencies:
- dependency-name: litestar
  dependency-version: 2.20.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: indirect
  dependency-group: uv
- dependency-name: dbt-common
  dependency-version: 1.37.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: deepdiff
  dependency-version: 8.6.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: dynaconf
  dependency-version: 3.2.13
  dependency-type: indirect
  dependency-group: uv
- dependency-name: flask
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: multipart
  dependency-version: 1.3.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: nbconvert
  dependency-version: 7.17.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pillow
  dependency-version: 12.1.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: protobuf
  dependency-version: 6.33.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: indirect
  dependency-group: uv
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: tornado
  dependency-version: 6.5.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: ujson
  dependency-version: 5.12.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: werkzeug
  dependency-version: 3.1.6
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants