chore(deps): bump the package-updates group across 1 directory with 13 updates

[dependabot]

Updates the requirements on django-health-check, django-storages[s3], django, environs[django], psycopg2-binary, sentry-sdk, granian, bandit[toml], commitizen, coverage, django-stubs, pyrefly and ruff to permit the latest version.
Updates django-health-check from 4.2.2 to 4.4.0

Release notes

Sourced from django-health-check's releases.

4.4.0

What's Changed

• Resolve #724 -- Add public dataclass field as OpenMetric label by @​RemiDesgrange in codingjoe/django-health-check#725

New Contributors

• @​RemiDesgrange made their first contribution in codingjoe/django-health-check#725

Full Changelog: codingjoe/django-health-check@4.3.1...4.4.0

4.3.1

What's Changed

• Clean up storage probe files when validation fails by @​M-Hassan-Raza in codingjoe/django-health-check#717

New Contributors

• @​M-Hassan-Raza made their first contribution in codingjoe/django-health-check#717

Full Changelog: codingjoe/django-health-check@4.3.0...4.3.1

4.3.0

What's Changed

• Ref #701 -- Add support for a custom executor for synchronous checks by @​codingjoe in codingjoe/django-health-check#716

Full Changelog: codingjoe/django-health-check@4.2.2...4.3.0

Commits

• e480bc0 Resolve #724 -- Add public dataclass field as OpenMetric label (#725)
• e56c871 Clean up storage probe files when validation fails (#717)
• 3421a3c Update copilot review instructions
• c674d2f Revert "Update celery requirement from >=5.0.0 to >=5.6.3"
• 04a22e5 Revert "Update flit-core requirement from >=3.2 to >=3.12.0"
• 4d47e8a Revert "Update aio-pika requirement from >=9.0.0 to >=9.6.2"
• e0d4479 Revert "Update django requirement from >=5.2 to >=5.2.13"
• 8994dcc Revert "Update confluent-kafka requirement from >=2.0.0 to >=2.14.0"
• 1f31638 Ref #701 -- Add support for a custom executor for synchronous checks (#716)
• b79e960 Bump actions/upload-pages-artifact from 4 to 5
• Additional commits viewable in compare view

Updates django-storages[s3] to 1.14.6

Changelog

Sourced from django-storages[s3]'s changelog.

1.14.6 (2025-04-01)

---

Google Cloud

• Add option to sign URLs via IAM Blob API ([#1427](https://github.com/jschneier/django-storages/issues/1427)_)

S3

• Fix exists calls when using SSE-C ([#1451](https://github.com/jschneier/django-storages/issues/1451)_)
• Default url_protocol to https: if set to None ([#1483](https://github.com/jschneier/django-storages/issues/1483)_)

.. _#1427: jschneier/django-storages#1427 .. _#1451: jschneier/django-storages#1451 .. _#1483: jschneier/django-storages#1483

1.14.5 (2025-02-15)

---

General

• Revert exists() behavior to pre-1.14.4 semantics with additional hardening for Django versions < 4.2 to fix CVE-2024-39330. This change matches the eventual behavior Django itself shipped with. ([#1484](https://github.com/jschneier/django-storages/issues/1484), [#1486](https://github.com/jschneier/django-storages/issues/1486))
• Add support for Django 5.1 ([#1444](https://github.com/jschneier/django-storages/issues/1444)_)

Azure

• Deprecated: The setting AZURE_API_VERSION/api_version setting is deprecated in favor of the new AZURE_CLIENT_OPTIONS setting. A future version will remove support for this setting.
• Add AZURE_CLIENT_OPTIONS settings to enable customization of all BlobServiceClient parameters such as api_version and all retry* options. ([#1432](https://github.com/jschneier/django-storages/issues/1432)_)

Dropbox

• As part of the above hardening fix a bug was uncovered whereby a root_path setting would be applied multiple times during save() ([#1484](https://github.com/jschneier/django-storages/issues/1484)_)
• Fix setting OAuth2 access token via env var ([#1452](https://github.com/jschneier/django-storages/issues/1452)_)

FTP

• Fix incorrect exists() results due to an errant appended slash ([#1438](https://github.com/jschneier/django-storages/issues/1438)_)

Google Cloud

... (truncated)

Commits

• 3658c3d Bump version for release (#1497)
• d51b0bf Release version 1.14.6 (#1496)
• 6ef553d [s3] Default url_protocol to https: if set to None (#1483)
• 80031d3 [docs/azure] Fix broken link (#1492)
• 8363be3 [s3] Pass object parameters to head_object in exists (#1451)
• aa8a82e [docs/gcloud] Clean-up querystring auth language (#1489)
• 758ad6f [gcloud] Add option to sign URLs via IAM Blob API (#1427)
• 03566dc Add missing CHANGELOG entry for Dropbox fix (#1488)
• 3c0fe9f Release version 1.14.5 (#1487)
• 5db357a Apply additional validation in overwrite path (#1486)
• Additional commits viewable in compare view

Updates django from 5.2.13 to 6.0.5

Commits

• 8f8ad09 [6.0.x] Bumped version for 6.0.5 release.
• 44ad76e [6.0.x] Fixed CVE-2026-6907 -- Prevented caching of requests when Vary header...
• 1b0184a [6.0.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent when setting sess...
• ad8f9e1 [6.0.x] Fixed CVE-2026-5766 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in Memory...
• 990ab01 [6.0.x] Fixed #37039 -- Removed outdated note from QuerySet.iterator() docs.
• f0c269f [6.0.x] Fixed typo in stub release notes for 5.2.14.
• 8bcd15b [6.0.x] Fixed #37067 -- Added trailing slash in django_file_prefixes().
• 3cdec64 [6.0.x] Refs CVE-2026-25674 -- Clarified role of umask in upload permissions.
• 5dd5c70 [6.0.x] Added stub release notes and release date for 6.0.5 and 5.2.14.
• 8ee7341 [6.0.x] Refs #373, #34122 -- Removed warning that ForeignObject is an interna...
• Additional commits viewable in compare view

Updates environs[django] to 15.0.1

Changelog

Sourced from environs[django]'s changelog.

15.0.1 (2026-04-06)

Bug fixes:

• Exported environment variables take precedence over .env files (regression from 15.0.0) (#464). Thanks DougEdey-Slice for reporting.

15.0.0 (2026-03-31)

Features:

• Env.read_env no longer mutates os.environ (#393). Values from .env files are loaded into the Env instance only. This comes with two breaking changes:
  • Env.read_env is now an instance method rather than a @staticmethod. Env.read_env() -> env.read_env()
  • The verbose parameter of read_env is been removed.

Other changes:

• Drop support for marshmallow 3, which is EOL. marshmallow>=4.0.0 is supported.
• Minor typing improvements (#463).

14.6.0 (2026-02-19)

Bug fixes:

• Fix variable expansion with other characters (#359). Thanks flymanzhao for reporting and veeceey for the PR.

Other changes:

• Update lowest supported marshmallow version to 3.26.2 (#448). Thanks whyscream for the PR.

14.5.0 (2025-11-02)

Features:

• Add strip_whitespace param to FileAwareEnv (#431). Thanks eandersons for the suggestion and PR.

Other changes:

• Drop support for Python 3.9, which is EOL.

14.4.0 (2025-10-29)

Features:

• Add support for ISO 8601 durations to env.timedelta. (#434). Thanks lucas-bremond for the suggestion and PR.

... (truncated)

Commits

• c6e5941 Bump version and update changelog
• 9c51c66 Fix precedence of os.environ over .env (#465)
• 4654e60 Fix GH links
• df03407 Bump version and update changelog
• ad5942c Minor typing improvements (#463)
• 1df5387 read_env does not mutate os.environ (#462)
• b3fc5e8 Drop marshmallow 3 (#461)
• b7bdc47 Bump the all-dependencies group with 9 updates (#460)
• 3ece1ac Bump astral-sh/setup-uv from 6 to 7 (#459)
• 96f7b95 Update dependabot config for uv updates
• Additional commits viewable in compare view

Updates psycopg2-binary from 2.9.11 to 2.9.12

Changelog

Sourced from psycopg2-binary's changelog.

Current release

What's new in psycopg 2.9.12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix infinite loop with malformed interval (:ticket:1835).

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits

• 3a6d9d6 ci: include almalinux in whieel building
• ebca6bf chore: bump to version 3.9.12
• 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
• 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
• d52a61e chore: bump dependency libraries
• b231d72 chore: fix building binary images
• 6d76e84 Merge pull request #1836 from psycopg/fix-1835
• f7e314c fix: overflow in malformed interval
• eb905c1 docs: replace bare except clause with except Exception
• Additional commits viewable in compare view

Updates sentry-sdk from 2.57.0 to 2.59.0

Release notes

Sourced from sentry-sdk's releases.

2.59.0

New Features ✨

Langchain

• Record run_name as gen_ai.function_id on Invoke Agent Spans by @​alexander-alderman-webb in #5926
• Record run_name in on_tool_start by @​alexander-alderman-webb in #5925
• Record run_name in on_chat_model_start by @​alexander-alderman-webb in #5924

Other

• (ci) Cancel in-progress PR workflows on new commit push by @​joshuarli in #5994
• (consts) Add updated span convention constants to SPANDATA by @​ericapisani in #6093
• (fastapi) Support span streaming in active thread tracking by @​ericapisani in #6118
• (httpx) Migrate to span first by @​ericapisani in #6084
• (huggingface_hub) Migrate to span first by @​ericapisani in #6124
• (mcp) Migrate to span first by @​ericapisani in #6131
• Add db.driver.name spans to database integrations by @​ericapisani in #6082

Bug Fixes 🐛

We've put additional data that might contain sensitive information, like GraphQL documents, behind the send_default_pii option.

Httpx

• Consistently early-exit when adding request source by @​alexander-alderman-webb in #6151
• Set code.namespace and code.function instead of code.function.name in span streaming by @​alexander-alderman-webb in #6150

Langchain

• Record run_name as gen_ai.function_id for text completions by @​alexander-alderman-webb in #6073
• Set agent name as gen_ai.agent.name for chat and tool spans by @​alexander-alderman-webb in #5877

Other

• (asgi) Use inspect.iscoroutinefunction on Python 3.14+ by @​alexander-alderman-webb in #6135
• (batcher) Reset lock and flusher in child after fork by @​ericapisani in #6163
• (google_genai) Redact binary data in inline_data and fix multi-part message extraction by @​ericapisani in #5977
• (grpc) Add isolation_scope to async server interceptor by @​robinvd in #5940
• (metrics,logs) Don't attach span_id if no active span by @​sentrivana in #6162
• (monitor) Release Monitor._thread_lock after fork (#6148) by @​vokracko in #6159
• (openai-agents) Resolve agent from bindings for openai-agents >= 0.14 by @​ericapisani in #6102
• (profiler) Stop nulling buffer on teardown by @​ericapisani in #6075
• (quart) Use inspect.iscoroutinefunction when Quart does by @​alexander-alderman-webb in #6133
• (security) Prevent GitHub script injection in update-tox workflow by @​fix-it-felix-sentry in #6171
• (starlette/fastapi) Use inspect.iscoroutinefunction when Starlette does by @​alexander-alderman-webb in #6134
• (tornado) Make sure context manager doesn't double yield by @​sentrivana in #6152
• Introduce _get_current_streamed_span() to keep types backwards compatible by @​alexander-alderman-webb in #6177

Internal Changes 🔧

... (truncated)

Changelog

Sourced from sentry-sdk's changelog.

2.59.0

New Features ✨

Langchain

• Record run_name as gen_ai.function_id on Invoke Agent Spans by @​alexander-alderman-webb in #5926
• Record run_name in on_tool_start by @​alexander-alderman-webb in #5925
• Record run_name in on_chat_model_start by @​alexander-alderman-webb in #5924

Other

• (ci) Cancel in-progress PR workflows on new commit push by @​joshuarli in #5994
• (consts) Add updated span convention constants to SPANDATA by @​ericapisani in #6093
• (fastapi) Support span streaming in active thread tracking by @​ericapisani in #6118
• (httpx) Migrate to span first by @​ericapisani in #6084
• (huggingface_hub) Migrate to span first by @​ericapisani in #6124
• (mcp) Migrate to span first by @​ericapisani in #6131
• Add db.driver.name spans to database integrations by @​ericapisani in #6082

Bug Fixes 🐛

We've put additional data that might contain sensitive information, like GraphQL documents, behind the send_default_pii option.

Httpx

• Consistently early-exit when adding request source by @​alexander-alderman-webb in #6151
• Set code.namespace and code.function instead of code.function.name in span streaming by @​alexander-alderman-webb in #6150

Langchain

• Record run_name as gen_ai.function_id for text completions by @​alexander-alderman-webb in #6073
• Set agent name as gen_ai.agent.name for chat and tool spans by @​alexander-alderman-webb in #5877

Other

• (asgi) Use inspect.iscoroutinefunction on Python 3.14+ by @​alexander-alderman-webb in #6135
• (batcher) Reset lock and flusher in child after fork by @​ericapisani in #6163
• (google_genai) Redact binary data in inline_data and fix multi-part message extraction by @​ericapisani in #5977
• (grpc) Add isolation_scope to async server interceptor by @​robinvd in #5940
• (metrics,logs) Don't attach span_id if no active span by @​sentrivana in #6162
• (monitor) Release Monitor._thread_lock after fork (#6148) by @​vokracko in #6159
• (openai-agents) Resolve agent from bindings for openai-agents >= 0.14 by @​ericapisani in #6102
• (profiler) Stop nulling buffer on teardown by @​ericapisani in #6075
• (quart) Use inspect.iscoroutinefunction when Quart does by @​alexander-alderman-webb in #6133
• (security) Prevent GitHub script injection in update-tox workflow by @​fix-it-felix-sentry in #6171
• (starlette/fastapi) Use inspect.iscoroutinefunction when Starlette does by @​alexander-alderman-webb in #6134
• (tornado) Make sure context manager doesn't double yield by @​sentrivana in #6152
• Introduce _get_current_streamed_span() to keep types backwards compatible by @​alexander-alderman-webb in #6177

... (truncated)

Commits

• 689cb97 Update CHANGELOG.md
• 397dda9 release: 2.59.0
• c0c254a test: Rename file (#6194)
• d90a923 ref(batcher): Only flush the bucket that triggered the flush event (#6168)
• 6436518 ci: 🤖 Update test matrix with new releases (05/04) (#6186)
• 98294ce fix: Introduce _get_current_streamed_span() to keep types backwards compati...
• 66b3c6b test(fastmcp): Span streaming tests (#6167)
• b5735ab fix(batcher): Reset lock and flusher in child after fork (#6163)
• fc3eab4 fix(metrics,logs): Don't attach span_id if no active span (#6162)
• 8e5bd96 test: Assert presence of profile chunks after shutdown (#6174)
• Additional commits viewable in compare view

Updates granian from 2.7.3 to 2.7.4

Release notes

Sourced from granian's releases.

Granian 2.7.4

Patch release

Changes since 2.7.3:

• Fix a bug in ASGI protocol leading to panics on malformed websocket subprotocol headers
• Fix a bug in RSGI and WSGI protocols leading to panics on malformed response headers
• Bump dependencies

Commits

• 84af73d Bump dependencies
• e155a82 Avoid panics on RSGI and WSGI response headers parsing
• 765203d Avoid panics on ASGI websocket subprotocols parsing
• 88ed683 Bump version to 2.7.4
• bdd5b0f Update bench harness (#837)
• See full diff in compare view

Updates bandit[toml] to 1.9.4

Release notes

Sourced from bandit[toml]'s releases.

1.9.4

What's Changed

• chore: fixed some typos in comments by @​jakob1379 in PyCQA/bandit#1351
• Bump docker/login-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in PyCQA/bandit#1353
• Bump docker/build-push-action from 6.18.0 to 6.19.2 by @​dependabot[bot] in PyCQA/bandit#1357
• Fix B613 crash when reading from stdin by @​worksbyfriday in PyCQA/bandit#1361
• Include filename in nosec 'no failed test' warning by @​worksbyfriday in PyCQA/bandit#1363
• Fix B615 false positive when revision is set via variable by @​worksbyfriday in PyCQA/bandit#1358
• Lower version guard in check_ast_node to Python 3.12 by @​rcgray in PyCQA/bandit#1355
• Fix B106 reporting wrong line number on multiline function calls by @​worksbyfriday in PyCQA/bandit#1360

New Contributors

• @​jakob1379 made their first contribution in PyCQA/bandit#1351
• @​worksbyfriday made their first contribution in PyCQA/bandit#1361
• @​rcgray made their first contribution in PyCQA/bandit#1355

Full Changelog: PyCQA/bandit@1.9.3...1.9.4

Commits

• 92ae8b8 Fix B106 reporting wrong line number on multiline function calls (#1360)
• c8c8a55 Lower version guard in check_ast_node to Python 3.12 (#1355)
• 8f2f928 Fix B615 false positive when revision is set via variable (#1358)
• e27493f Include filename in nosec 'no failed test' warning (#1363)
• b69b336 Fix B613 crash when reading from stdin (#1361)
• e418b79 Bump docker/build-push-action from 6.18.0 to 6.19.2 (#1357)
• ff646fd Bump docker/login-action from 3.6.0 to 3.7.0 (#1353)
• c0def6c chore: fixed some typos in comments (#1351)
• 765f00d Limit B614 to torch.load deserializers (#1348)
• 06fbbab Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#1347)
• Additional commits viewable in compare view

Updates commitizen from 4.13.10 to 4.15.1

Release notes

Sourced from commitizen's releases.

v4.15.1 (2026-05-06)

Fix

• security: prevent command injection via shell=True (CWE-78) (#1941)

v4.15.0 (2026-05-03)

Feat

• version: add MANUAL_VERSION, --next and --patch to version command (#1724)

v4.14.0 (2026-05-03)

Feat

• add --allow-no-commit to changelog command (#1868)

Commits

• efb1a7d bump: version 4.15.0 → 4.15.1
• 0cc88a5 fix(security): prevent command injection via shell=True (CWE-78) (#1941)
• 509ef91 docs(cli/screenshots): update CLI screenshots
• 9b53b63 ci: rebase before push in screenshots workflow (#1942)
• bdcf27b docs(cli/screenshots): update CLI screenshots
• b4f4209 bump: version 4.14.0 → 4.15.0
• b5e0840 feat(version): add MANUAL_VERSION, --next and --patch to version command (#1724)
• d157e09 docs(cli/screenshots): update CLI screenshots
• 06850b2 docs: update AGENTS.md with CI/linting guidance and known pitfalls (#1940)
• 35ffe03 docs(cli/screenshots): update CLI screenshots
• Additional commits viewable in compare view

Updates coverage from 7.13.5 to 7.14.0

Changelog

Sourced from coverage's changelog.

Version 7.14.0 — 2026-05-10

• Feature: now when running one of the reporting commands, if there are parallel data files that need combining, they will be implicitly combined before creating the report. There is no option to avoid the combination; let us know if you have a use case that requires it. Thanks, Tim Hatch <pull 2162_>. Closes issue 1781.

• Fix: the output from combine was too verbose, listing each file considered. Now it shows a single line with the counts of files combined, files skipped, and files with errors. The -q flag suppresses this line. The old detailed lines are available with the new --debug=combine option.

• Fix: running a Python file through a symlink now sets the sys.path correctly, matching regular Python behavior. Fixes issue 2157_.

• Fix: Collector.flush_data could fail with "RuntimeError: Set changed size during iteration" when a tracer in another thread added a line to the per-file set that add_lines (or add_arcs) was iterating. The values passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver <pull 2165_>_.

• Fix: the soft keyword lazy is now bolded in HTML reports.

• We are no longer testing eventlet support. Eventlet started issuing stern deprecation warnings that break our tests. Our support code is still there.

.. _issue 1781: coveragepy/coveragepy#1781 .. _issue 2157: coveragepy/coveragepy#2157 .. _pull 2162: coveragepy/coveragepy#2162 .. _pull 2165: coveragepy/coveragepy#2165

.. _changes_7-13-5:

Commits

• 646351b docs: sample HTML for 7.14.0
• 39cd015 docs: prep for 7.14.0
• 649e8aa docs: thanks Alex Vandiver for #2165
• 8cd392e fix: snapshot data in Collector.flush_data to avoid threading race (#2165)
• c48e0ed fix: less output for combining
• c2a3a28 docs: explain the change from #2162
• 1cd47aa fix: implicit combine-during-report now removes the combined data files
• 2d99fd7 feat: automatically combine coverage in report, thanks Tim Hatch (#2162)
• 9fbdcdf fix: lazy soft keywords are bolded
• 5de7d02 build: oops, misplaced quote
• Additional commits viewable in compare view

Updates django-stubs from 5.2.9 to 6.0.4

Commits

• 928eec4 Version 6.0.4 release (#3375)
• a994204 Update dependency mypy to v2 (#3374)
• ec8107b Update dependency pyrefly to v0.64.0 (#3373)
• 28d997b Remove unused get_field_lookup_exact_type from helpers (#3372)
• d312d60 Update dependency django to v5.2.14 (#3371)
• f20e490 Update Django to 6.0.5 (#3369)
• 6d9d0e2 Resolve default_alias for positional Aggregate in annotate() (#3362)
• 6dd9231 Update int128/hide-comment-action action to v1.58.0 (#3368)
• e270482 Update dependency psycopg to v3.3.4 (#3365)
• cfb0f9a Update dependency pyrefly to v0.63.1 (#3367)
• Additional commits viewable in compare view

Updates pyrefly from 0.60.2 to 0.64.1

Release notes

Sourced from pyrefly's releases.

Pyrefly v0.64.1

Full Changelog: facebook/pyrefly@0.64.0...0.64.1

Pyrefly v0.64.0

Status : BETA Release date: May 05, 2026

Pyrefly v0.64.0 bundles 190 commits from 20 contributors.

---

✨ New & Improved

Area	What's new
Type Checking	- You can now pass generic or overloaded callables to higher-order functions and Pyrefly will preserve their structure in the return type. For example, identity(identity) now correctly returns a generic callable instead of degrading to Unknown. - Same-scope class rebinds (like Real = Dummy after class Real) are now checked against the original class as if it were an implicit type[Real] annotation, preventing silent type changes and fixing spurious constructor-call errors. - Generic classes with missing type arguments in lax mode now default to Any instead of raising variance errors, improving consistency with how we handle other incomplete types. - Pydantic field_validator decorators with mode='before' and mode='plain' are now supported, allowing validators to accept broader input types before coercion. - Spurious unpack diagnostics are no longer emitted when the right-hand side involves Never (e.g. a, b, c = never() or a, b = (never(), 1)). The unpack solver is now Never-aware, recognizing that the producing expression cannot complete and any error message at the unpack site would be misleading. - assert statements now check that __bool__ is callable on the test expression, matching the behavior already in place for if, while, and ternary expressions (and aligning with mypy and pyright).
Language Server	- The language server now advertises both source.fixAll and source.fixAll.pyrefly code action kinds, enabling selective fix-on-save configuration across editors that implement the LSP protocol. - Document highlights now correctly distinguish between read and write references, setting DocumentHighlightKind::WRITE for assignments and declarations. - Go-to-definition on relative imports in site-packages files now correctly resolves to the package source instead of returning null when a pyproject.toml exists at the project root. - Notebook cell index resolution has been fixed to prevent mismatches between code cells and markdown cells, eliminating panics and incorrect byte offset calculations in Jupyter notebooks. - Cross-module "find references" (external references) is now enabled by default, returning references across the entire project rather than just the current file. - A new quick fix turns the existing "Did you mean Foo.BAR?" diagnostic note for missing enum members into a code action that replaces the offending string literal with the proper enum member access. - A new # pyrefly: ignore quick fix inserts a suppression comment for the diagnostic at the cursor, automatically merging into an existing pyrefly-ignore directive on the same line or on a comment-only line above when present. - Numeric parameter defaults now preserve their source spelling (e.g. 0o777, 0xFF, 0b101) in hover and signature display rather than being normalized to decimal. - Code actions documentation has been added to the IDE Supported Features page, covering quick fixes and source.fixAll.pyrefly configuration.
Onboarding & VS Code Extension	- A redesigned unconfigured-project experience: when no pyrefly.toml is found, Pyrefly auto-detects nearby mypy.ini, pyrightconfig.json, or [tool.mypy]/[tool.pyright] sections in pyproject.toml and synthesizes an in-memory configuration migrated from those settings (using the legacy or default preset respectively). With no detectable configuration, the new basic preset is used. - A new python.pyrefly.typeCheckingMode workspace setting (auto / off / basic / legacy / default / strict, default auto) lets users pick a preset for files not covered by an explicit Pyrefly configuration, directly from the VS Code settings UI. The legacy python.pyrefly.displayTypeErrors setting is now deprecated, with values transparently mapped to the new model. - A new python.pyrefly.disableTypeErrors workspace setting provides a clean per-workspace kill switch for diagnostics, independent of the type-checking mode. - The VS Code status bar has been redesigned: it now shows the active preset (e.g. "Pyrefly (Legacy)", "Pyrefly (Basic)") and the tooltip explains why that preset was chosen and links to the relevant docs. - After a pyrefly check on an unconfigured project, the CLI now prints a short upsell to stderr explaining what configuration was synthesized and pointing at pyrefly init. The message is routed to... Description has been truncated