Build(deps): Bump the uv group across 3 directories with 4 updates #307

Merged
luarss merged 1 commit into master from dependabot/uv/backend/uv-10afd3064f
Jun 20, 2026

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Bumps the uv group with 3 updates in the /backend directory: langsmith, pypdf and vcrpy.
Bumps the uv group with 2 updates in the /evaluation directory: langsmith and vcrpy.
Bumps the uv group with 1 update in the /frontend directory: pydantic-settings.

Updates langsmith from 0.8.4 to 0.8.18

Release notes

Sourced from langsmith's releases.

v0.8.18

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.8.17...v0.8.18

v0.8.17

What's Changed

New Contributors

Full Changelog: langchain-ai/langsmith-sdk@v0.8.16...v0.8.17

v0.8.16

What's Changed

... (truncated)

Commits
  • 31c2bf6 release(py): 0.8.18 (#3063)
  • 8955b68 chore: reconcile bumpversion config and mandate release process for agents (#...
  • 411401f test(python): fix integration assertions for updated attachment error message...
  • 9c55156 Merge commit from fork
  • 5b2bd8d chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates ...
  • d8642f9 chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates ...
  • 953c2e5 chore(deps-dev): bump langchain-anthropic from 1.4.4 to 1.4.6 in /python (#3044)
  • 5513699 chore(deps): bump starlette from 1.0.1 to 1.3.1 in /python (#3039)
  • 8becdef chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /python (#3038)
  • 1a9c522 chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /python (#3037)
  • Additional commits viewable in compare view

Updates pypdf from 6.13.0 to 6.13.3

Release notes

Sourced from pypdf's releases.

Version 6.13.3, 2026-06-17

What's new

Security (SEC)

Performance Improvements (PI)

Robustness (ROB)

Maintenance (MAINT)

Full Changelog

Version 6.13.2, 2026-06-10

What's new

Security (SEC)

Robustness (ROB)

Full Changelog

Version 6.13.1, 2026-06-08

What's new

Security (SEC)

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.13.3, 2026-06-17

Security (SEC)

  • Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)

Performance Improvements (PI)

  • Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)

Robustness (ROB)

  • Several fixes

Maintenance (MAINT)

  • Make mypy assert messages consistent (#3849)

Full Changelog

Version 6.13.2, 2026-06-10

Security (SEC)

  • Detect multi-hop cyclic /Pages trees in _flatten to prevent SIGSEGV (#3847)

Robustness (ROB)

  • Fix UnboundLocalError in _read_standard_xref_table on a malformed entry (#3841)
  • Raise PdfStreamError on non-hexadecimal bytes in hex readers (#3832)

Full Changelog

Version 6.13.1, 2026-06-08

Security (SEC)

  • Prevent infinite loops when processing threads/articles (#3839)

Full Changelog

Commits
  • 9aa05e7 REL: 6.13.3
  • bbd083d SEC: Apply MAX_DECLARED_STREAM_LENGTH to streams without length as well (#3871)
  • d5cd266 ROB: Guard text operators against missing operands in extract_text (#3861)
  • 82f1f90 ROB: Tolerate malformed /Limits in index2label (#3858)
  • 0276a6f PI: Avoid per-pixel getpixel loop for 1-bit indexed images (#3854)
  • 41a9c3c MAINT: Make mypy assert messages consistent (#3849)
  • d1bba60 MAINT: Increase readability of PdfDocCommon (#3834)
  • 53b6fbc DEV: Bump codecov/codecov-action from 6.0.1 to 7.0.0 (#3859)
  • e07c223 MAINT: Enforce G004 (no f-strings in logging) (#3845)
  • 5270f76 ROB: Guard zero unitsPerEm in from_truetype_font_file (#3846)
  • Additional commits viewable in compare view

Updates vcrpy from 8.1.1 to 8.2.1

Release notes

Sourced from vcrpy's releases.

v8.2.1

What's Changed

  • SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. !!python/object/apply:os.system) would execute code on load, including via the normal vcr.use_cassette() path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @​RamiAltai and @​EQSTLab for the reports.
  • Validate record_mode and raise a clear error on an invalid value (#208)
  • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

Full Changelog: kevin1024/vcrpy@v8.2.0...v8.2.1

v8.2.0

What's Changed

  • Add support for httpx 2.x (#993) - thanks @​dsfaccini
  • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
  • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
  • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
  • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
  • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
  • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
  • Add env proxy cassette regression test (#994) - thanks @​tine1117
  • Remove milestone references from docs (#984) - thanks @​Polandia94
  • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

Full Changelog: kevin1024/vcrpy@v8.1.1...v8.2.0

Changelog

Sourced from vcrpy's changelog.

Changelog

All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.

  • 8.2.1

    • SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks @​RamiAltai and @​EQSTLab
    • Validate record_mode and raise a clear error on an invalid value (#208)
    • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)
  • 8.2.0

    • Add support for httpx 2.x (#993) - thanks @​dsfaccini
    • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
    • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
    • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
    • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
    • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
    • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
    • Add env proxy cassette regression test (#994) - thanks @​tine1117
    • Remove milestone references from docs (#984) - thanks @​Polandia94
    • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)
  • 8.1.1

    • Fix sync requests in async contexts for HTTPX (#965) - thanks @​seowalex
    • CI: bump peter-evans/create-pull-request from 7 to 8 (#969)
  • 8.1.0

  • 8.0.0

    • BREAKING: Drop support for Python 3.9 (major version bump) - thanks @​jairhenrique
    • BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (#926, #880) - thanks @​jairhenrique
    • New feature: drop_unused_requests option to remove unused interactions from cassettes (#763) - thanks @​danielnsilva
    • Rewrite httpx support to patch httpcore instead of httpx (#943) - thanks @​seowalex
      • Fixes httpx.ResponseNotRead exceptions (#832, #834)
      • Fixes KeyError: 'follow_redirects' (#945)
      • Adds support for custom httpx transports
    • Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (#809, #914) - thanks @​alga
    • Fix iscoroutinefunction deprecation warning on Python 3.14 - thanks @​kloczek
    • Only log message if response is appended - thanks @​talfus-laddus
    • Optimize urllib.parse calls - thanks @​Martin-Brunthaler
    • Fix CI for Ubuntu 24.04 - thanks @​hartwork
    • Various CI improvements: migrate to uv, update GitHub Actions - thanks @​jairhenrique
    • Various linting and test improvements - thanks @​jairhenrique and @​hartwork

... (truncated)

Commits
  • 8531203 Release v8.2.1
  • 045acb1 Use a safe YAML loader for cassettes to prevent code execution
  • de43f46 Fix lint failures from merged PRs (codespell + ruff UP032)
  • 514c374 Validate record_mode and raise a clear error on invalid values
  • b736cad docs: recommend pytest-recording over unmaintained pytest-vcr
  • 06758c9 Release v8.2.0
  • 6554837 Add env proxy cassette regression test (#994)
  • 62cf5e1 Accounting for modified requests when storing played cassettes, with a test (...
  • 13f201a make url available in VCRHTTPResponse (#976)
  • d57b553 improve error message on repeated requestt (#985)
  • Additional commits viewable in compare view

Updates pydantic-settings from 2.14.1 to 2.14.2

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the uv group with 3 updates in the /backend directory: [langsmith](https://github.com/langchain-ai/langsmith-sdk), [pypdf](https://github.com/py-pdf/pypdf) and [vcrpy](https://github.com/kevin1024/vcrpy).
Bumps the uv group with 2 updates in the /evaluation directory: [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [vcrpy](https://github.com/kevin1024/vcrpy).
Bumps the uv group with 1 update in the /frontend directory: [pydantic-settings](https://github.com/pydantic/pydantic-settings).


Updates `langsmith` from 0.8.4 to 0.8.18
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.4...v0.8.18)

Updates `pypdf` from 6.13.0 to 6.13.3
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.0...6.13.3)

Updates `vcrpy` from 8.1.1 to 8.2.1
- [Release notes](https://github.com/kevin1024/vcrpy/releases)
- [Changelog](https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst)
- [Commits](kevin1024/vcrpy@v8.1.1...v8.2.1)

Updates `langsmith` from 0.8.4 to 0.8.18
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.4...v0.8.18)

Updates `vcrpy` from 8.1.1 to 8.2.1
- [Release notes](https://github.com/kevin1024/vcrpy/releases)
- [Changelog](https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst)
- [Commits](kevin1024/vcrpy@v8.1.1...v8.2.1)

Updates `pydantic-settings` from 2.14.1 to 2.14.2
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.14.1...v2.14.2)

---
updated-dependencies:
- dependency-name: langsmith
  dependency-version: 0.8.18
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pypdf
  dependency-version: 6.13.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: vcrpy
  dependency-version: 8.2.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: langsmith
  dependency-version: 0.8.18
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: vcrpy
  dependency-version: 8.2.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pydantic-settings
  dependency-version: 2.14.2
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) labels Jun 20, 2026
@luarss luarss merged commit 7cbda08 into master Jun 20, 2026
6 checks passed
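
The vcrpy 8.2.1 note above says a cassette carrying a Python object tag used to execute code on load. The following is an added example, not code from vcrpy or from this repository: a standard-library audit that flags such tags in cassette files without parsing them. It goes beyond the single `!!python/` spelling quoted in the note by also flagging the verbatim tag form and `%TAG` directives that point at the same namespace; the function names and both sample cassettes are constructed for illustration.

```python
import re
from pathlib import Path

# Spellings that resolve into PyYAML's python/* tag namespace: the "!!python/"
# shorthand quoted in the advisory and the verbatim "!<tag:yaml.org,2002:python/...>" form.
PY_TAG = re.compile(r"!(?:!|<tag:yaml\.org,2002:)python/[^\s>]*")
# A %TAG directive can map a custom handle onto the same namespace.
TAG_DIRECTIVE = re.compile(r"^%TAG\s+(\S+)\s+(\S+)")
# Quoted scalars on a single line are recorded data, not tags.
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\'\'|[^\'])*\'')

# Constructed samples (not real recordings).
CLEAN_CASSETTE = """\
interactions:
- request:
    method: GET
    uri: https://api.example.test/v1/items
  response:
    body:
      string: "the docs mention !!python/object tags"
    status: {code: 200, message: OK}
version: 1
"""
TAMPERED_CASSETTE = """\
interactions:
- request:
    method: GET
    uri: !!python/object/apply:os.system ["<constructed placeholder>"]
version: 1
"""


def audit_cassette(text):
    """Return [(line_number, kind, detail)] for Python-tag constructs in one cassette.

    Line-based on purpose: nothing is parsed or constructed. Tag-like text inside
    a multi-line block scalar is still reported, so treat findings as "review this".
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        directive = TAG_DIRECTIVE.match(line)
        if directive and "python/" in directive.group(2):
            findings.append((lineno, "tag-directive", directive.group(1)))
            continue
        bare = QUOTED.sub('""', line)  # ignore tag-like text inside quoted strings
        for match in PY_TAG.finditer(bare):
            findings.append((lineno, "python-tag", match.group(0)))
    return findings


def audit_tree(root):
    """Audit every .yaml/.yml file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".yaml", ".yml"}:
            findings = audit_cassette(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report
```

An empty report from `audit_tree` on the cassette directories is a useful gate for recordings that arrive from outside the repository, alongside the upgrade to 8.2.1.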
@luarss luarss deleted the dependabot/uv/backend/uv-10afd3064f branch June 20, 2026 05:33
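
The pydantic-settings 2.14.2 note above describes a symbolic link inside `secrets_dir` being followed to a file outside it, which also sidestepped the size cap. The following is an added example, not pydantic-settings' code: a standard-library reader for a nested secrets directory that resolves every entry before use, rejects anything that leaves the root, and charges the cap against the resolved target. `read_secrets_tree`, `SecretsDirError`, `max_size` and the demo layout are hypothetical names and constructed data.

```python
import os
from pathlib import Path


class SecretsDirError(Exception):
    """The secrets tree escapes its root or exceeds the size cap."""


def read_secrets_tree(secrets_dir, max_size):
    """Read every file under secrets_dir into {relative_name: text}, failing closed.

    Not race-free: a writer who can swap entries between the check and the read
    needs descriptor-based opens (O_NOFOLLOW) instead of path checks.
    """
    root = Path(secrets_dir).resolve(strict=True)
    values, total = {}, 0
    # followlinks=False: a symlinked directory is listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            entry = Path(dirpath, name)
            real = entry.resolve()  # follows every link in the chain
            rel = entry.relative_to(root).as_posix()
            if real != root and root not in real.parents:
                raise SecretsDirError(f"{rel} resolves outside secrets_dir")
            if name in dirnames or not real.is_file():
                continue
            total += real.stat().st_size  # size of the target, not of the link
            if total > max_size:
                raise SecretsDirError(f"secrets_dir exceeds {max_size} bytes at {rel}")
            values[rel] = real.read_text()
    return values


def demo(base):
    """Build a constructed tree under base; read it before and after adding a bad link."""
    base = Path(base)
    secrets = base / "secrets"
    (secrets / "db").mkdir(parents=True)
    (secrets / "db" / "password").write_text("s3cr3t-constructed")
    (base / "outside.txt").write_text("x" * 4096)  # stands in for an out-of-tree file
    clean = read_secrets_tree(secrets, max_size=1024)
    os.symlink(base / "outside.txt", secrets / "db" / "token")
    try:
        read_secrets_tree(secrets, max_size=1024)
        rejected = None
    except SecretsDirError as exc:
        rejected = str(exc)
    return clean, rejected
```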