Bump the pip group across 1 directory with 2 updates #45

Open
dependabot[bot] wants to merge 26 commits into main from dependabot/pip/uv/helpers/pip-8b5648091b

@dependabot dependabot Bot commented on behalf of github Feb 3, 2026

Bumps the pip group with 2 updates in the /uv/helpers directory: pip and uv.

Updates pip from 24.0 to 26.0

Changelog

Sourced from pip's changelog.

26.0 (2026-01-30)

Deprecations and Removals

  • Remove support for non-bare project names in egg fragments. Affected users should use the [Direct URL requirement syntax](https://packaging.python.org/en/latest/specifications/version-specifiers/#direct-references). ([#13157](https://github.com/pypa/pip/issues/13157))

Features

  • Display pip's command-line help in colour, if possible. ([#12134](https://github.com/pypa/pip/issues/12134))

  • Support installing dependencies declared with inline script metadata (PEP 723) with --requirements-from-script. ([#12891](https://github.com/pypa/pip/issues/12891))

  • Add --all-releases and --only-final options to control pre-release and final release selection during package installation. ([#13221](https://github.com/pypa/pip/issues/13221))

  • Add --uploaded-prior-to option to only consider packages uploaded prior to a given datetime when the upload-time field is available from a remote index. ([#13625](https://github.com/pypa/pip/issues/13625))

  • Add --use-feature inprocess-build-deps to request that build dependencies are installed within the same pip install process. This new mechanism is faster, supports --no-clean and --no-cache-dir reliably, and supports prompting for authentication.

    Enabling this feature will also enable --use-feature build-constraints. This feature will become the default in a future pip version. ([#9081](https://github.com/pypa/pip/issues/9081))

  • pip cache purge and pip cache remove now clean up empty directories and legacy files left by older pip versions. ([#9058](https://github.com/pypa/pip/issues/9058))

Bug Fixes

  • Fix selecting pre-release versions when only pre-releases match. For example, package>1.0 with versions 1.0, 2.0rc1 now installs 2.0rc1 instead of failing. ([#13746](https://github.com/pypa/pip/issues/13746))
  • Revisions in version control URLs now must be percent-encoded. For example, use git+https://example.com/repo.git@issue%231 to specify the branch issue#1. If you previously used a branch name containing a % character in a version control URL, you now need to replace it with %25 to ensure correct percent-encoding. ([#13407](https://github.com/pypa/pip/issues/13407))
  • Preserve original casing when a path is displayed. ([#6823](https://github.com/pypa/pip/issues/6823))
  • Fix bash completion when the $IFS variable has been modified from its default. ([#13555](https://github.com/pypa/pip/issues/13555))
  • Precompute Python requirements on each candidate, reducing time of long resolutions. ([#13656](https://github.com/pypa/pip/issues/13656))
  • Skip redundant work converting version objects to strings when using the importlib.metadata backend. ([#13660](https://github.com/pypa/pip/issues/13660))
  • Fix pip index versions to honor only-binary/no-binary options. ([#13682](https://github.com/pypa/pip/issues/13682))
  • Fix fallthrough logic for options, allowing overriding global options with defaults from user config. ([#13703](https://github.com/pypa/pip/issues/13703))
  • Use a path-segment prefix comparison, not char-by-char. ([#13777](https://github.com/pypa/pip/issues/13777))

Vendored Libraries

... (truncated)

Commits

Updates uv from 0.8.0 to 0.9.6

Release notes

Sourced from uv's releases.

0.9.6

Release Notes

Released on 2025-10-29.

This release contains an upgrade to Astral's fork of async_zip, which addresses potential sources of ZIP parsing differentials between uv and other Python packaging tooling. See GHSA-pqhf-p39g-3x64 for additional details.

Security

Python

  • Upgrade GraalPy to 25.0.1 (#16401)

Enhancements

  • Add --clear to uv build to remove old build artifacts (#16371)
  • Add --no-create-gitignore to uv build (#16369)
  • Do not error when a virtual environment directory cannot be removed due to a busy error (#16394)
  • Improve hint on pip install --system when externally managed (#16392)
  • Running uv lock --check with outdated lockfile will print that --check was passed, instead of --locked (#16322)
  • Update uv init template for Maturin (#16449)
  • Improve ordering of Python sources in logs (#16463)
  • Restore DockerHub release images and annotations (#16441)

Bug fixes

  • Check for matching Python implementation during uv python upgrade (#16420)
  • Deterministically order --find-links distributions (#16446)
  • Don't panic in uv export --frozen when the lockfile is outdated (#16407)
  • Fix root of uv tree when --package is used with circular dependencies (#15908)
  • Show package list with pip freeze --quiet (#16491)
  • Limit uv auth login pyx.dev retries to 60s (#16498)
  • Add an empty group with uv add --group ... -r ... (#16490)

Documentation

  • Update docs for maturin build backend init template (#16469)
  • Update docs to reflect previous changes to signal forwarding semantics (#16430)
  • Add instructions for installing via MacPorts (#16039)

Install uv 0.9.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.6/uv-installer.sh | sh

... (truncated)

Changelog

Sourced from uv's changelog.

0.9.5

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due to its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: GHSA-w476-p2h3-79g9

Security

... (truncated)

Commits

Summary by cubic

Update packaging tools in uv/helpers by bumping pip to 26.0 and uv to 0.9.6. This improves install reliability, performance, and applies upstream security fixes.

  • Dependencies
    • pip: 24.0 → 26.0 (better pre-release selection, faster resolution, stricter VCS URL encoding)
    • uv: 0.8.0 → 0.9.6 (ZIP parsing security fix, build/lock improvements)

Written for commit 93cb5f1. Summary will update on new commits.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot and others added 26 commits January 23, 2026 21:35
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tar](https://github.com/isaacs/node-tar) to 7.5.6 and updates ancestor dependencies [tar](https://github.com/isaacs/node-tar), [@npmcli/arborist](https://github.com/npm/cli/tree/HEAD/workspaces/arborist) and [npm](https://github.com/npm/cli). These dependencies need to be updated together.


Updates `tar` from 6.2.1 to 7.5.6
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.6)

Updates `@npmcli/arborist` from 8.0.0 to 9.1.10
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/workspaces/arborist/CHANGELOG.md)
- [Commits](https://github.com/npm/cli/commits/arborist-v9.1.10/workspaces/arborist)

Updates `npm` from 6.14.18 to 11.8.0
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md)
- [Commits](npm/cli@v6.14.18...v11.8.0)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.6
  dependency-type: indirect
- dependency-name: "@npmcli/arborist"
  dependency-version: 9.1.10
  dependency-type: direct:production
- dependency-name: npm
  dependency-version: 11.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…lpers/multi-6afa301cf6

Bump tar, @npmcli/arborist and npm in /bun/helpers
Bumps [symfony/process](https://github.com/symfony/process) from 7.3.0 to 7.4.5.
- [Release notes](https://github.com/symfony/process/releases)
- [Changelog](https://github.com/symfony/process/blob/8.1/CHANGELOG.md)
- [Commits](symfony/process@v7.3.0...v7.4.5)

---
updated-dependencies:
- dependency-name: symfony/process
  dependency-version: 7.4.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [nuget/helpers/lib/NuGet.Client](https://github.com/NuGet/NuGet.Client) from `2948e02` to `53c7a9c`.
- [Release notes](https://github.com/NuGet/NuGet.Client/releases)
- [Commits](NuGet/NuGet.Client@2948e02...53c7a9c)

---
updated-dependencies:
- dependency-name: nuget/helpers/lib/NuGet.Client
  dependency-version: 53c7a9c9b4a3c31d9adf13fc873f2432eb53768e
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps library/rust from 1.88.0-bookworm to 1.93.0-bookworm.

---
updated-dependencies:
- dependency-name: library/rust
  dependency-version: 1.93.0-bookworm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.26.0 to 0.32.0.
- [Commits](golang/mod@v0.26.0...v0.32.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dotnet-sdk](https://github.com/dotnet/sdk) from 9.0.302 to 10.0.102.
- [Release notes](https://github.com/dotnet/sdk/releases)
- [Commits](dotnet/sdk@v9.0.302...v10.0.102)

---
updated-dependencies:
- dependency-name: dotnet-sdk
  dependency-version: 10.0.102
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the pip-tools group in /python/helpers with 1 update: [pip-tools](https://github.com/jazzband/pip-tools).


Updates `pip-tools` from 7.4.1 to 7.5.2
- [Release notes](https://github.com/jazzband/pip-tools/releases)
- [Changelog](https://github.com/jazzband/pip-tools/blob/main/CHANGELOG.md)
- [Commits](jazzband/pip-tools@7.4.1...v7.5.2)

---
updated-dependencies:
- dependency-name: pip-tools
  dependency-version: 7.5.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-tools
...

Signed-off-by: dependabot[bot] <support@github.com>
…elpers/lib/NuGetUpdater/dotnet-sdk-10.0.102
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm-dependencies group in /npm_and_yarn/helpers with 3 updates: [@npmcli/arborist](https://github.com/npm/cli/tree/HEAD/workspaces/arborist), [nock](https://github.com/nock/nock) and [semver](https://github.com/npm/node-semver).


Updates `@npmcli/arborist` from 8.0.0 to 9.1.10
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/workspaces/arborist/CHANGELOG.md)
- [Commits](https://github.com/npm/cli/commits/arborist-v9.1.10/workspaces/arborist)

Updates `nock` from 13.5.6 to 14.0.10
- [Release notes](https://github.com/nock/nock/releases)
- [Changelog](https://github.com/nock/nock/blob/main/CHANGELOG.md)
- [Commits](nock/nock@v13.5.6...v14.0.10)

Updates `semver` from 7.6.3 to 7.7.3
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.6.3...v7.7.3)

---
updated-dependencies:
- dependency-name: "@npmcli/arborist"
  dependency-version: 9.1.10
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: nock
  dependency-version: 14.0.10
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-dependencies
- dependency-name: semver
  dependency-version: 7.7.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…nd_yarn/helpers/npm-dependencies-b295cd00ec

Bump the npm-dependencies group in /npm_and_yarn/helpers with 3 updates
Bumps the prod-dependencies group with 1 update in the /composer/helpers/v2 directory: [composer/composer](https://github.com/composer/composer).


Updates `composer/composer` from 2.8.9 to 2.9.4
- [Release notes](https://github.com/composer/composer/releases)
- [Changelog](https://github.com/composer/composer/blob/main/CHANGELOG.md)
- [Commits](composer/composer@2.8.9...2.9.4)

---
updated-dependencies:
- dependency-name: composer/composer
  dependency-version: 2.9.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…helpers/v2/prod-dependencies-2bf85eb48c

Bump composer/composer from 2.8.9 to 2.9.4 in /composer/helpers/v2 in the prod-dependencies group across 1 directory
)

Bumps the prod-dependencies group with 25 updates in the /updater directory:

| Package | From | To |
| --- | --- | --- |
| [zeitwerk](https://github.com/fxn/zeitwerk) | `2.7.1` | `2.7.4` |
| [parallel](https://github.com/grosser/parallel) | `1.26.3` | `1.27.0` |
| [aws-sdk-codecommit](https://github.com/aws/aws-sdk-ruby) | `1.63.0` | `1.96.0` |
| [aws-sdk-ecr](https://github.com/aws/aws-sdk-ruby) | `1.68.0` | `1.119.0` |
| [commonmarker](https://github.com/gjtorikian/commonmarker) | `2.3.1` | `2.6.3` |
| [excon](https://github.com/excon/excon) | `1.2.5` | `1.3.2` |
| [faraday](https://github.com/lostisland/faraday) | `2.7.11` | `2.14.0` |
| [faraday-retry](https://github.com/lostisland/faraday-retry) | `2.2.0` | `2.4.0` |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.18.9` | `1.19.0` |
| [opentelemetry-api](https://github.com/open-telemetry/opentelemetry-ruby) | `1.5.0` | `1.7.0` |
| [opentelemetry-metrics-api](https://github.com/open-telemetry/opentelemetry-ruby) | `0.3.0` | `0.4.0` |
| [ostruct](https://github.com/ruby/ostruct) | `0.6.1` | `0.6.3` |
| [parser](https://github.com/whitequark/parser) | `3.3.7.1` | `3.3.10.1` |
| [psych](https://github.com/ruby/psych) | `5.1.2` | `5.3.1` |
| [sorbet-runtime](https://github.com/sorbet/sorbet) | `0.5.11952` | `0.6.12903` |
| [stackprof](https://github.com/tmm1/stackprof) | `0.2.25` | `0.2.27` |
| [toml-rb](https://github.com/emancu/toml-rb) | `4.0.0` | `4.1.0` |
| [parseconfig](https://github.com/datafolklabs/ruby-parseconfig) | `1.0.8` | `1.1.2` |
| [http](https://github.com/httprb/http) | `5.1.1` | `5.3.1` |
| [opentelemetry-exporter-otlp](https://github.com/open-telemetry/opentelemetry-ruby) | `0.30.0` | `0.31.1` |
| [opentelemetry-exporter-otlp-logs](https://github.com/open-telemetry/opentelemetry-ruby) | `0.2.0` | `0.2.2` |
| [opentelemetry-exporter-otlp-metrics](https://github.com/open-telemetry/opentelemetry-ruby) | `0.4.0` | `0.6.1` |
| [opentelemetry-instrumentation-excon](https://github.com/open-telemetry/opentelemetry-ruby-contrib) | `0.23.0` | `0.27.0` |
| [opentelemetry-logs-sdk](https://github.com/open-telemetry/opentelemetry-ruby) | `0.2.0` | `0.4.0` |
| [opentelemetry-metrics-sdk](https://github.com/open-telemetry/opentelemetry-ruby) | `0.6.0` | `0.11.2` |



Updates `zeitwerk` from 2.7.1 to 2.7.4
- [Changelog](https://github.com/fxn/zeitwerk/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fxn/zeitwerk/commits)

Updates `parallel` from 1.26.3 to 1.27.0
- [Commits](grosser/parallel@v1.26.3...v1.27.0)

Updates `aws-sdk-codecommit` from 1.63.0 to 1.96.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-codecommit/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-ecr` from 1.68.0 to 1.119.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-ecr/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `commonmarker` from 2.3.1 to 2.6.3
- [Release notes](https://github.com/gjtorikian/commonmarker/releases)
- [Changelog](https://github.com/gjtorikian/commonmarker/blob/main/CHANGELOG.md)
- [Commits](gjtorikian/commonmarker@v2.3.1...v2.6.3)

Updates `excon` from 1.2.5 to 1.3.2
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](excon/excon@v1.2.5...v1.3.2)

Updates `faraday` from 2.7.11 to 2.14.0
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.7.11...v2.14.0)

Updates `faraday-retry` from 2.2.0 to 2.4.0
- [Release notes](https://github.com/lostisland/faraday-retry/releases)
- [Changelog](https://github.com/lostisland/faraday-retry/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday-retry@v2.2.0...v2.4.0)

Updates `json` from 2.9.1 to 2.11.3
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.9.1...v2.11.3)

Updates `nokogiri` from 1.18.9 to 1.19.0
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.18.9...v1.19.0)

Updates `opentelemetry-api` from 1.5.0 to 1.7.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/api/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-api/v1.5.0...opentelemetry-api/v1.7.0)

Updates `opentelemetry-metrics-api` from 0.3.0 to 0.4.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/metrics_api/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-metrics-api/v0.3.0...opentelemetry-metrics-api/v0.4.0)

Updates `ostruct` from 0.6.1 to 0.6.3
- [Release notes](https://github.com/ruby/ostruct/releases)
- [Commits](ruby/ostruct@v0.6.1...v0.6.3)

Updates `parser` from 3.3.7.1 to 3.3.10.1
- [Changelog](https://github.com/whitequark/parser/blob/master/CHANGELOG.md)
- [Commits](whitequark/parser@v3.3.7.1...v3.3.10.1)

Updates `psych` from 5.1.2 to 5.3.1
- [Release notes](https://github.com/ruby/psych/releases)
- [Commits](ruby/psych@v5.1.2...v5.3.1)

Updates `sorbet-runtime` from 0.5.11952 to 0.6.12903
- [Release notes](https://github.com/sorbet/sorbet/releases)
- [Commits](https://github.com/sorbet/sorbet/commits)

Updates `stackprof` from 0.2.25 to 0.2.27
- [Changelog](https://github.com/tmm1/stackprof/blob/master/CHANGELOG.md)
- [Commits](tmm1/stackprof@v0.2.25...v0.2.27)

Updates `toml-rb` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/emancu/toml-rb/releases)
- [Commits](emancu/toml-rb@v4.0.0...v4.1.0)

Updates `parseconfig` from 1.0.8 to 1.1.2
- [Changelog](https://github.com/datafolklabs/ruby-parseconfig/blob/master/Changelog)
- [Commits](https://github.com/datafolklabs/ruby-parseconfig/commits)

Updates `http` from 5.1.1 to 5.3.1
- [Changelog](https://github.com/httprb/http/blob/main/CHANGELOG.md)
- [Commits](httprb/http@v5.1.1...v5.3.1)

Updates `opentelemetry-exporter-otlp` from 0.30.0 to 0.31.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/exporter/otlp/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-exporter-otlp/v0.30.0...opentelemetry-exporter-otlp/v0.31.1)

Updates `opentelemetry-exporter-otlp-logs` from 0.2.0 to 0.2.2
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/exporter/otlp/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-exporter-otlp-logs/v0.2.0...opentelemetry-exporter-otlp-logs/v0.2.2)

Updates `opentelemetry-exporter-otlp-metrics` from 0.4.0 to 0.6.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/exporter/otlp-metrics/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-exporter-otlp-metrics/v0.4.0...opentelemetry-exporter-otlp-metrics/v0.6.1)

Updates `opentelemetry-instrumentation-excon` from 0.23.0 to 0.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/excon/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-excon/v0.23.0...opentelemetry-instrumentation-excon/v0.27.0)

Updates `opentelemetry-instrumentation-faraday` from 0.26.0 to 0.31.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/faraday/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-faraday/v0.26.0...opentelemetry-instrumentation-faraday/v0.31.0)

Updates `opentelemetry-instrumentation-http` from 0.24.0 to 0.28.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/http/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-http/v0.24.0...opentelemetry-instrumentation-http/v0.28.0)

Updates `opentelemetry-instrumentation-net_http` from 0.23.0 to 0.27.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby-contrib/blob/main/instrumentation/net_http/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-net_http/v0.23.0...opentelemetry-instrumentation-net_http/v0.27.0)

Updates `opentelemetry-logs-sdk` from 0.2.0 to 0.4.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/logs_sdk/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-logs-sdk/v0.2.0...opentelemetry-logs-sdk/v0.4.0)

Updates `opentelemetry-metrics-sdk` from 0.6.0 to 0.11.2
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/metrics_sdk/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-metrics-sdk/v0.6.0...opentelemetry-metrics-sdk/v0.11.2)

Updates `opentelemetry-sdk` from 1.8.0 to 1.10.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-ruby/blob/main/sdk/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-ruby@opentelemetry-sdk/v1.8.0...opentelemetry-sdk/v1.10.0)

---
updated-dependencies:
- dependency-name: zeitwerk
  dependency-version: 2.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: parallel
  dependency-version: 1.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: aws-sdk-codecommit
  dependency-version: 1.96.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: aws-sdk-ecr
  dependency-version: 1.119.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: commonmarker
  dependency-version: 2.6.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: excon
  dependency-version: 1.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: faraday
  dependency-version: 2.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: faraday-retry
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: json
  dependency-version: 2.11.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: nokogiri
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-api
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-metrics-api
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: ostruct
  dependency-version: 0.6.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: parser
  dependency-version: 3.3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: psych
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: sorbet-runtime
  dependency-version: 0.6.12903
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: stackprof
  dependency-version: 0.2.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: toml-rb
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: parseconfig
  dependency-version: 1.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: http
  dependency-version: 5.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-exporter-otlp
  dependency-version: 0.31.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-exporter-otlp-logs
  dependency-version: 0.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-exporter-otlp-metrics
  dependency-version: 0.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-instrumentation-excon
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-instrumentation-faraday
  dependency-version: 0.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-instrumentation-http
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-instrumentation-net_http
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-logs-sdk
  dependency-version: 0.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-metrics-sdk
  dependency-version: 0.11.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-sdk
  dependency-version: 1.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the pip group with 2 updates in the /uv/helpers directory: [pip](https://github.com/pypa/pip) and [uv](https://github.com/astral-sh/uv).


Updates `pip` from 24.0 to 26.0
- [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst)
- [Commits](pypa/pip@24.0...26.0)

Updates `uv` from 0.8.0 to 0.9.6
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.8.0...0.9.6)

---
updated-dependencies:
- dependency-name: pip
  dependency-version: '26.0'
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: uv
  dependency-version: 0.9.6
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and python labels Feb 3, 2026
@coderabbitai

coderabbitai Bot commented Feb 3, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 1 file

Labels: dependencies, L: python:uv, python
