chore(deps): bump the python-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the python-dependencies group with 7 updates in the / directory:

Package	From	To
bleak	2.0.0	2.1.1
pynacl	1.6.1	1.6.2
cbor2	5.7.1	5.8.0
cryptography	46.0.3	46.0.4
greenlet	3.3.0	3.3.1
sqlalchemy	2.0.45	2.0.46
werkzeug	3.1.4	3.1.5

Updates bleak from 2.0.0 to 2.1.1

Release notes

Sourced from bleak's releases.

v2.1.1

Changed

• Changed default connect timeout for BleakClient from 10 to 30 seconds.

Fixed

• Fixed some cases of BleakError: Could not get GATT services: Unreachable in WinRT backend by adding a retry when getting GATT services.

v2.1.0

Added

• Added bluez parameter to BleakClient.start_notify() to allow forcing using "StartNotify" instead of "AcquireNotify" on BlueZ backend. Fixes #1885.
• Added bleak.args.SizedBuffer type for better type hinting of buffer protocol parameters.

Fixed

• Fixed calling logging.debug() in WinRT backend. Fixes #1882.
• Fixed calling logging.warning() in BlueZ backend.

Changelog

Sourced from bleak's changelog.

2.1.1_ (2025-12-31)

Changed

• Changed default connect timeout for BleakClient from 10 to 30 seconds.

Fixed

• Fixed some cases of BleakError: Could not get GATT services: Unreachable in WinRT backend by adding a retry when getting GATT services.

2.1.0_ (2025-12-28)

Added

• Added bluez parameter to BleakClient.start_notify() to allow forcing using "StartNotify" instead of "AcquireNotify" on BlueZ backend. Fixes #1885.
• Added bleak.args.SizedBuffer type for better type hinting of buffer protocol parameters.

Fixed

• Fixed calling logging.debug() in WinRT backend. Fixes #1882.
• Fixed calling logging.warning() in BlueZ backend.

Commits

• 5d76a62 v2.1.1
• 1f002b8 backends: clean up client timeout comments
• b5490e8 tests: add services arg to BleakClient in some tests
• ba9410f backends/winrt/client: add retry when getting GATT services
• f14a30d bleak: change default BleakClient timeout to 30 seconds
• 848b511 backends/corebluetooth: add helper function for call_soon_threadsafe()
• 6af24ae tests/integration: fix logging.info()
• 66f0b20 tests: Basic integrationtests for BleakClient
• 8a40874 tests/integration: remove add_default_services()
• ede4a03 github: build_and_test if pyproject.toml changes
• Additional commits viewable in compare view

Updates pynacl from 1.6.1 to 1.6.2

Changelog

Sourced from pynacl's changelog.

1.6.2 (2026-01-01)

• Updated libsodium to 1.0.20-stable (2025-12-31 build) to resolve CVE-2025-69277.

Commits

• ecf41f5 changelog and version bump for 1.6.2 (#923)
• 685a5e7 Switch to PyPI trusted publishing (#925)
• 78e0aa3 missed adding these files as part of the libsodium update (#924)
• 9631488 Bump libsodium to the latest 1.0.20 (#922)
• 563b25b Add script to update vendored libsodium (#921)
• d233105 Include libsodium license in wheels (#917)
• cabc3a8 Bump dessant/lock-threads from 5 to 6 (#914)
• f359617 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#915)
• fb6e37f Bump actions/upload-artifact from 5 to 6 (#916)
• 526f992 Bump actions/checkout from 6.0.0 to 6.0.1 (#911)
• Additional commits viewable in compare view

Updates cbor2 from 5.7.1 to 5.8.0

Release notes

Sourced from cbor2's releases.

5.8.0

• Added readahead buffering to C decoder for improved performance. The decoder now uses a 4 KB buffer by default to reduce the number of read calls. Benchmarks show 20-140% performance improvements for decoding operations. (#268; PR by @​andreer)
• Fixed Python decoder not preserving share index when decoding array items containing nested shareable tags, causing shared references to resolve to wrong objects (#267; PR by @​andreer)
• Reset shared reference state at the start of each top-level encode/decode operation (#266; PR by @​andreer)

Commits

• c77cea8 Removed macos-13 from the OS matrix
• 2320d95 Bumped up the version
• 9ff48e3 Updated pre-commit modules
• 22acea4 Updated the version history entry for #268
• c368bb3 Fixed the links and the semver declaration
• fb4ee16 Added a read-ahead buffer to the C decoder (#268)
• 0bcf400 Bump the github-actions group with 5 updates (#269)
• 7aa6cad Added dependabot config for GitHub actions
• 6409f6a Added a security policy
• 403c2ce Fixed nested shareable in arrays (python decoder only) (#267)
• Additional commits viewable in compare view

Updates cryptography from 46.0.3 to 46.0.4

Changelog

Sourced from cryptography's changelog.

46.0.4 - 2026-01-27

* `Dropped support for win_arm64 wheels`_.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
.. _v46-0-3:

Commits

• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• See full diff in compare view

Updates greenlet from 3.3.0 to 3.3.1

Changelog

Sourced from greenlet's changelog.

3.3.1 (2026-01-23)

• Publish Windows ARM binary wheels, where available.
• Fix compilation for 3.14t on Windows.
• Publish Windows 3.14t binary wheels for Intel.
• Switch from Appveyor for Windows to Github Actions.
• Fix compilation on MIPS with GCC 15 and binutils 2.45. See PR 487 by Rosen Penev <https://github.com/python-greenlet/greenlet/pull/487>_. Note that this is not a platform tested by this project's CI.
• Move most project metadata into the static pyproject.toml file. This updates licensing information to use the modern License-Expression field. See PR 480 by mrbean-bremen <https://github.com/python-greenlet/greenlet/pull/480/>_.

Commits

• d1a0a3f Preparing release 3.3.1
• bb11806 Merge pull request #482 from tacaswell/cp315_compat
• 0708965 Change note for #480
• 62ff68f pyproject: It's tool.zest-releaser, not tools.zest-releaser.
• 7081130 Move most of setuptools attributes to pyproject.toml
• b462f75 Add change note for #487.
• 918e888 Merge pull request #486 from python-greenlet/dependabot/github_actions/github...
• c5e2e6f Bump actions/upload-artifact from 5 to 6 in the github-actions group
• 54f257d Merge pull request #487 from neheb/mips
• b2cf41d Merge pull request #490 from python-greenlet/windows-on-github
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.45 to 2.0.46

Release notes

Sourced from sqlalchemy's releases.

2.0.46

Released: January 21, 2026

typing

• [typing] [bug] Fixed typing issues where ORM mapped classes and aliased entities could not be used as keys in result row mappings or as join targets in select statements. Patterns such as row._mapping[User], row._mapping[aliased(User)], row._mapping[with_polymorphic(...)] (rejected by both mypy and Pylance), and .join(aliased(User)) (rejected by Pylance) are documented and fully supported at runtime but were previously rejected by type checkers. The type definitions for _KeyType and _FromClauseArgument have been updated to accept these ORM entity types.

  References: #13075

postgresql

• [postgresql] [bug] Fixed issue where PostgreSQL JSONB operators _postgresql.JSONB.Comparator.path_match() and _postgresql.JSONB.Comparator.path_exists() were applying incorrect VARCHAR casts to the right-hand side operand when used with newer PostgreSQL drivers such as psycopg. The operators now indicate the right-hand type as JSONPATH, which currently results in no casting taking place, but is also compatible with explicit casts if the implementation were require it at a later point.

  References: #13059

• [postgresql] [bug] Fixed regression in PostgreSQL dialect where JSONB subscription syntax would generate incorrect SQL for cast() expressions returning JSONB, causing syntax errors. The dialect now properly wraps cast expressions in parentheses when using the [] subscription syntax, generating (CAST(...))[index] instead of CAST(...)[index] to comply with PostgreSQL syntax requirements. This extends the fix from #12778 which addressed the same issue for function calls.

  References: #13067

• [postgresql] [bug] Improved the foreign key reflection regular expression pattern used by the PostgreSQL dialect to be more permissive in matching identifier characters, allowing it to correctly handle unicode characters in table and column names. This change improves compatibility with PostgreSQL variants such as CockroachDB that may use different quoting patterns in combination with unicode characters in their identifiers. Pull request courtesy Gord Thompson.

... (truncated)

Commits

• See full diff in compare view

Updates werkzeug from 3.1.4 to 3.1.5

Release notes

Sourced from werkzeug's releases.

3.1.5

This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.5/ Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-5 Milestone: https://github.com/pallets/werkzeug/milestone/43?closed=1

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. GHSA-87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. #3065 #3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. #3075

Changelog

Sourced from werkzeug's changelog.

Version 3.1.5

Released 2026-01-08

• safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. :ghsa:87hc-h4r5-73f7
• The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. :issue:3065 :issue:3077
• Fix AttributeError when initializing DebuggedApplication with pin_security=False. :issue:3075

Commits

• e3d06f4 release version 3.1.5
• 7ae1d25 Merge commit from fork
• 37797ab safe_join prevents windows special device names with compound extensions
• 3db44c7 fix duplicate reference
• a40f8fa fix class name typo
• 0f76c35 Correct parsing up to a potential partial boundary (#3081)
• 1049dd6 Correct parsing up to a potential partial boundary
• b48878c initialize _pin in debugger (#3078)
• fa0f4f2 initialize _pin
• f637275 start version 3.1.5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions