chore(deps): uv: bump the all-python group across 1 directory with 9 updates

[dependabot]

Bumps the all-python group with 9 updates in the /agent directory:

Package	From	To
boto3	1.43.9	1.43.17
bedrock-agentcore	1.9.1	1.12.0
claude-agent-sdk	0.2.82	0.2.87
fastapi	0.136.1	0.136.3
uvicorn	0.47.0	0.48.0
aws-opentelemetry-distro	0.17.0	0.17.1
cedarpy	4.8.0	4.8.3
ruff	0.15.12	0.15.15
ty	0.0.35	0.0.40

Updates boto3 from 1.43.9 to 1.43.17

Commits

• 8083432 Merge branch 'release-1.43.17'
• 22c6474 Bumping version to 1.43.17
• 11f25f2 Add changelog entries from botocore
• 045d573 Update copy test (#4790)
• 6ffdfa1 Merge branch 'release-1.43.16'
• 284d2fa Merge branch 'release-1.43.16' into develop
• c4ad31c Bumping version to 1.43.16
• c7c604f Add changelog entries from botocore
• ecbbf11 Merge branch 'release-1.43.15'
• 8574b5d Merge branch 'release-1.43.15' into develop
• Additional commits viewable in compare view

Updates bedrock-agentcore from 1.9.1 to 1.12.0

Release notes

Sourced from bedrock-agentcore's releases.

Bedrock AgentCore SDK v1.12.0

Installation

pip install bedrock-agentcore==1.12.0

What's Changed

See CHANGELOG.md for details.

What's Changed

• feat: add async support to MemorySessionManager by @​nborges-aws in aws/bedrock-agentcore-sdk-python#478
• add metadata support for LTM by @​nborges-aws in aws/bedrock-agentcore-sdk-python#481
• fix: out-of-scope variable in catch block by @​nborges-aws in aws/bedrock-agentcore-sdk-python#497
• Release v1.12.0 by @​agentcore-devx-automation[bot] in aws/bedrock-agentcore-sdk-python#498

Full Changelog: aws/bedrock-agentcore-sdk-python@v1.11.0...v1.12.0

Bedrock AgentCore SDK v1.11.0

Installation

pip install bedrock-agentcore==1.11.0

What's Changed

See CHANGELOG.md for details.

What's Changed

• test: add OTEL span content leakage integration tests by @​jesseturner21 in aws/bedrock-agentcore-sdk-python#485
• fix: stop retrying after successful payment signing is rejected by merchant by @​rajuans in aws/bedrock-agentcore-sdk-python#492
• feat(evaluation): add DatasetClient and dataset management service provider by @​jariy17 in aws/bedrock-agentcore-sdk-python#491
• fix(payments): drop unsupported paymentConnectorId + add http_request plugin tool + EIP-3009 timing fix by @​aidandaly24 in aws/bedrock-agentcore-sdk-python#493
• Release v1.11.0 by @​agentcore-devx-automation[bot] in aws/bedrock-agentcore-sdk-python#495

New Contributors

• @​rajuans made their first contribution in aws/bedrock-agentcore-sdk-python#492

Full Changelog: aws/bedrock-agentcore-sdk-python@v1.10.0...v1.11.0

Bedrock AgentCore SDK v1.10.0

Installation

pip install bedrock-agentcore==1.10.0

What's Changed

See CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from bedrock-agentcore's changelog.

[1.12.0] - 2026-05-28

Added

• feat: add async support to MemorySessionManager (#478) (76edb16)

Fixed

• fix: out-of-scope variable in catch block (#497) (4054115)

Other Changes

• add metadata support for LTM (#481) (80c4b11)

[1.11.0] - 2026-05-22

Fixed

• fix: stop retrying after successful payment signing is rejected by merchant (#492) (0b2b34f)

Other Changes

• fix(payments): drop unsupported paymentConnectorId + add http_request plugin tool + EIP-3009 timing fix (#493) (d5428b2)
• feat(evaluation): add DatasetClient and dataset management service provider (#491) (29287c2)
• test: add OTEL span content leakage integration tests (#485) (c311682)

[1.10.0] - 2026-05-19

Added

• feat: expandi custom request header forwarding to match runtime allowlist (#483) (5fde434)

Other Changes

• chore: replace all github.token/GITHUB_TOKEN with GitHub App token (#475) (b64a0d9)

Commits

• 7d6d4f4 Release v1.12.0 (#498)
• 4054115 fix: out-of-scope variable in catch block (#497)
• 80c4b11 add metadata support for LTM (#481)
• 76edb16 feat: add async support to MemorySessionManager (#478)
• 1042d58 chore: bump version to 1.11.0 (#495)
• d5428b2 fix(payments): drop unsupported paymentConnectorId + add http_request plugin ...
• 29287c2 feat(evaluation): add DatasetClient and dataset management service provider (...
• 0b2b34f fix: stop retrying after successful payment signing is rejected by merchant (...
• c311682 test: add OTEL span content leakage integration tests (#485)
• 76c8d89 chore: bump version to 1.10.0 (#486)
• Additional commits viewable in compare view

Updates claude-agent-sdk from 0.2.82 to 0.2.87

Release notes

Sourced from claude-agent-sdk's releases.

v0.2.87

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.150
• Switched CI workflows from static API key to Workload Identity Federation for Claude authentication, using short-lived tokens instead of long-lived secrets (#984)

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.87/

pip install claude-agent-sdk==0.2.87

v0.2.86

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.149

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.86/

pip install claude-agent-sdk==0.2.86

v0.2.85

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.148

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.85/

pip install claude-agent-sdk==0.2.85

v0.2.84

Internal/Other Changes

... (truncated)

Changelog

Sourced from claude-agent-sdk's changelog.

0.2.87

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.150
• Switched CI workflows from static API key to Workload Identity Federation for Claude authentication, using short-lived tokens instead of long-lived secrets (#984)

0.2.86

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.149

0.2.85

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.148

0.2.84

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.147

0.2.83

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.146

Commits

• 9970096 docs: update changelog for v0.2.87
• 2237c9e chore: release v0.2.87
• a6146c2 chore: bump bundled CLI version to 2.1.150
• 3471a9f Use workload identity federation for Claude auth in CI workflows (#984)
• 095a8b3 docs: update changelog for v0.2.86
• dd06657 chore: release v0.2.86
• 1113acf chore: bump bundled CLI version to 2.1.149
• 2a3720d docs: update changelog for v0.2.85
• eee6bf4 chore: release v0.2.85
• 0bc333f chore: bump bundled CLI version to 2.1.148
• Additional commits viewable in compare view

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

• ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

• 📝 Document --entrypoint CLI option. PR #15464 by @​YuriiMotov.
• 📝 Update and simplify docs about help and management. PR #15583 by @​tiangolo.
• 📝 Add docs references to central contributing docs. PR #15580 by @​tiangolo.
• 📝 Update security policy. PR #15577 by @​tiangolo.
• 🍱 Update sponsors: TalorData image. PR #15562 by @​tiangolo.
• 📝 Update docs, simplify usage of admonitions, only default ones. PR #15553 by @​tiangolo.
• 📝 Fix image URLs in index.md. PR #15534 by @​YuriiMotov.
• ✏️ Fix Azkaban spelling typo in virtual-environments.md‎. PR #15463 by @​isaacbernat.
• 💄 Improve layout and styling. PR #15462 by @​alejsdev.
• 💄 Refactor opinions section with interactive tabs and new logos. PR #15458 by @​alejsdev.
• 📝 Add FastAPI Conf '26 announcement to docs. PR #15457 by @​alejsdev.

Translations

• 🌐 Improve translation consistency in ‎docs/pt/docs/advanced/generate-clients.md‎. PR #15456 by @​Will-thom.
• 🌐 Update translations for ja (update-outdated). PR #15530 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15529 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15528 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15527 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15526 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15525 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15524 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #15522 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15523 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15520 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15521 by @​tiangolo.
• 🌐 Fix typos in Spanish LLM-prompt. PR #15472 by @​crr004.

Internal

• ✅ Update tests, don't double dispose the engine. PR #15587 by @​tiangolo.
• ⚡️ Speed up test suite via caching and fixture scopes to make it ~24% faster. PR #13583 by @​dikos1337.
• 🔥 Remove config files now in central GitHub repo. PR #15585 by @​tiangolo.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #15502 by @​dependabot[bot].
• ⬆ Bump idna from 3.11 to 3.15. PR #15565 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.15.0 to 4.0.0. PR #15571 by @​dependabot[bot].
• 🔧 Migrate docs from MkDocs to Zensical. PR #15563 by @​tiangolo.
• 🔒️ Only allow team members to modify dependencies. PR #15548 by @​svlandeg.

... (truncated)

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates uvicorn from 0.47.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• See full diff in compare view

Updates aws-opentelemetry-distro from 0.17.0 to 0.17.1

Release notes

Sourced from aws-opentelemetry-distro's releases.

Release v0.17.1

What's Changed

• feat(agent-observability): add AWS_GENAI_CONTENT_EXTRACTION_OPT_OUT env var to allow disabling LLO content extraction from spans (#741)
• fix(mcp-instrumentation): suppress MCP /ping spans when agent observability is enabled (#748)
• fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)

Upstream Components

• opentelemetry-api - 1.40.0
• opentelemetry-sdk - 1.40.0
• opentelemetry-exporter-otlp-proto-grpc - 1.40.0
• opentelemetry-exporter-otlp-proto-http - 1.40.0
• opentelemetry-propagator-b3 - 1.40.0
• opentelemetry-propagator-jaeger - 1.40.0
• opentelemetry-exporter-otlp-proto-common - 1.40.0
• opentelemetry-sdk-extension-aws - 2.1.0
• opentelemetry-propagator-aws-xray - 1.0.2
• opentelemetry-distro - 0.61b0
• opentelemetry-processor-baggage - 0.61b0
• opentelemetry-propagator-ot-trace - 0.61b0
• opentelemetry-instrumentation - 0.61b0
• opentelemetry-instrumentation-aws-lambda - 0.61b0
• opentelemetry-instrumentation-aio-pika - 0.61b0
• opentelemetry-instrumentation-aiohttp-client - 0.61b0
• opentelemetry-instrumentation-aiokafka - 0.61b0
• opentelemetry-instrumentation-aiopg - 0.61b0
• opentelemetry-instrumentation-asgi - 0.61b0
• opentelemetry-instrumentation-asyncpg - 0.61b0
• opentelemetry-instrumentation-boto - 0.61b0
• opentelemetry-instrumentation-boto3sqs - 0.61b0
• opentelemetry-instrumentation-botocore - 0.61b0
• opentelemetry-instrumentation-celery - 0.61b0
• opentelemetry-instrumentation-confluent-kafka - 0.61b0
• opentelemetry-instrumentation-dbapi - 0.61b0
• opentelemetry-instrumentation-django - 0.61b0
• opentelemetry-instrumentation-elasticsearch - 0.61b0
• opentelemetry-instrumentation-falcon - 0.61b0
• opentelemetry-instrumentation-fastapi - 0.61b0
• opentelemetry-instrumentation-flask - 0.61b0
• opentelemetry-instrumentation-grpc - 0.61b0
• opentelemetry-instrumentation-httpx - 0.61b0
• opentelemetry-instrumentation-jinja2 - 0.61b0
• opentelemetry-instrumentation-kafka-python - 0.61b0
• opentelemetry-instrumentation-logging - 0.61b0
• opentelemetry-instrumentation-mysql - 0.61b0
• opentelemetry-instrumentation-mysqlclient - 0.61b0
• opentelemetry-instrumentation-pika - 0.61b0
• opentelemetry-instrumentation-psycopg2 - 0.61b0
• opentelemetry-instrumentation-pymemcache - 0.61b0
• opentelemetry-instrumentation-pymongo - 0.61b0

... (truncated)

Changelog

Sourced from aws-opentelemetry-distro's changelog.

v0.17.1 - 2026-05-22

• feat(agent-observability): add AWS_GENAI_CONTENT_EXTRACTION_OPT_OUT env var to allow disabling LLO content extraction from spans (#741)
• fix(mcp-instrumentation): suppress MCP /ping spans when agent observability is enabled (#748)
• fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)

Commits

• 2b12d7e Reapply "Rerun lambda layer release (#717)" (#737) (#757)
• 7cae68b chore: remove Python 3.9 EKS E2E test (#756)
• 967cc6b Pre-release: Update version to 0.17.1 (#755)
• 4d0faad fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)
• 7bf2836 feat: agentcore feature patches (#751)
• b8917a4 Revert "Rerun lambda layer release (#717)" (#737)
• See full diff in compare view

Updates cedarpy from 4.8.0 to 4.8.3

Release notes

Sourced from cedarpy's releases.

cedarpy v4.8.3

Patch release fixing a behavior regression introduced in 4.8.2. Cedar Policy engine version is unchanged at v4.8.2.

If you upgraded to 4.8.2 and noticed that AuthzResult.diagnostics.reasons started reporting your @id("...") annotation value instead of the parser-generated policyN id — and you depended on the parser id (policyN) for downstream lookups — 4.8.3 restores reasons to the original behavior while keeping the labeling ergonomics in a parallel map.

Changed

• Behavior change (partial revert of 4.8.2). AuthzResult.diagnostics.reasons and ValidationError.policy_id once again surface the parser-generated PolicyId (e.g., policy0), restoring the 4.8.1 contract that was relied on for multi-tenant disambiguation. The @id("...") annotation value is now exposed in a parallel map keyed by the parser id: Diagnostics.id_annotations_by_reason and ValidationResult.id_annotations_by_policy_id. Entries are present whenever the policy declares an @id annotation, with the literal annotation value as the map value. So @id("foo") contributes "foo", and @id("") / bare @id (which the Cedar docs define as equivalent to @id("")) contributes "". Policies with no @id annotation are omitted from the map. This keeps the 4.8.2 ergonomics gain (recover the @id label without rebuilding the policy set) while preventing identity collapse/collision when two policies share the same @id (#77, #78)

Lookup pattern

result = is_authorized(request, policies, entities)
for pid in result.diagnostics.reasons:                       # ["policy0", "policy1", ...]
    label = result.diagnostics.id_annotations_by_reason.get(pid)
    if label:
        print(f"  matched: {pid} ({label})")
    else:
        print(f"  matched: {pid}")

The same pattern applies to ValidationResult.errors[*].policy_id and ValidationResult.id_annotations_by_policy_id.

Thanks

Thanks to @​aashitk for the high-quality bug report in #77, and to @​Iamrodos for joining the design discussion.

---

Full Changelog: k9securityio/cedar-py@v4.8.2...v4.8.3

cedarpy v4.8.2

v4.8.2 ships three improvements:

• Correctness: invalid schemas now surface as Decision.NoDecision (or validation_passed=False) with a diagnostic, instead of being silently discarded while is_authorized returned a real Allow/Deny based on no schema (#65 - thanks @​rupivbluegreen!).
• Ergonomics: @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, making diagnostics easier to read in logs and tooling (#74, #75 - thanks @​rupivbluegreen for the original feature proposal and work in #66 that started us down this path!).
• Release process robustness:
  • make release now actually builds and tests the release-mode wheel that would ship — the target previously produced an unoptimized dev-profile wheel and ran tests against whatever was installed in the venv, neither of which exercised the artifact. PyPI artifacts were unaffected; this only fixed locally-built wheels.
  • Benchmarks now run in release mode against a synthesized median-of-5 v4.8.0 baseline (make benchmark-compare), and a committed cross-state history (make benchmark-history → tests/benchmark/results/HISTORY.md) records performance across cedar-py development states. Together these make performance regressions easier to detect than the previous debug-mode single-run captures (#69, #71, #72).

Cedar Policy engine version is unchanged (still v4.8.2).

Added

• Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75 — thanks @​rupivbluegreen for the original feature proposal and prototype in #66).

Changed

• Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65 — thanks @​rupivbluegreen).

... (truncated)

Changelog

Sourced from cedarpy's changelog.

[4.8.3] - 2026-05-13

Changed

• Behavior change (partial revert of 4.8.2). AuthzResult.diagnostics.reasons and ValidationError.policy_id once again surface the parser-generated PolicyId (e.g., policy0), restoring the 4.8.1 contract that was relied on for multi-tenant disambiguation. The @id("...") annotation value is now exposed in a parallel map keyed by the parser id: Diagnostics.id_annotations_by_reason and ValidationResult.id_annotations_by_policy_id. Entries are present whenever the policy declares an @id annotation, with the literal annotation value as the map value — so @id("foo") contributes "foo", and @id("") / bare @id (which the Cedar docs define as equivalent to @id("")) contributes "". Policies with no @id annotation are omitted from the map. This keeps the 4.8.2 ergonomics gain (recover the @id label without rebuilding the policy set) while preventing identity collapse when two policies share the same @id (#77)

[4.8.2] - 2026-05-12

Added

• Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75)

Changed

• Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65)

Fixed

• make release now builds and tests a release-mode wheel. The target previously ran maturin build (which defaults to the dev/debug profile) and then ran pytest against whatever cedarpy was currently installed in the venv — neither half tested the wheel that would ship. PyPI artifacts were unaffected (CI already passed --release); this fixes locally-built wheels.

[4.8.1] - 2026-04-22

Dependency update release. No functional or API changes — Cedar Policy engine version is unchanged (still v4.8.2).

Security

• Bump pytest 7.4.0 → 9.0.3 — CVE-2025-71176 (#41)
• Bump wheel 0.40.0 → 0.47.0 — CVE-2026-24049 (#41)
• Bump time 0.3.37 → 0.3.47 — CVE-2026-25727 (#42)
• Bump keccak 0.1.5 → 0.1.6 — GHSA-3288-p39f-rqpv (#42)

Changed

• Removed the stale rustix = "~0.37.25" pin; rustix is now governed by the transitive dep graph (#43)

Build & supply chain

• Switched PyPI publishing from a long-lived API token to PyPI Trusted Publishing (OIDC), with a protected pypi-release deployment environment requiring maintainer approval. All wheels and the sdist for this release ship with SLSA build-provenance attestations (#59)
• Added a Dependabot cooldown policy (7 days for minor/patch bumps, 14 for majors) to reduce exposure to newly-published compromised releases (#44, #45)
• Disabled Dependabot version-update PRs; security-update PRs remain active (#60)

Commits

• b76a0cc Merge pull request #79 from k9securityio/release/4.8.3
• 7d6f31c release: bump version to 4.8.3
• ff5a38d Merge pull request #78 from k9securityio/fix/issue-77-policy-ids-to-annotations
• e1ed9a4 refactor: name id_annotations map by its key + add lookup-pattern demo
• ad603bd refactor: report literal @​id annotation value in id_annotations map
• 8a36d10 fix: surface parser policy ids in diagnostics + add id_annotations map
• 3713638 chore(benchmark): declare v4.8.2 release state in history
• 2353045 Merge pull request #76 from k9securityio/release/4.8.2
• 0bbed30 release: bump version to 4.8.2
• bb48fc5 chore(benchmark): record PR #75 Path B state data
• Additional commits viewable in compare view

Updates ruff from 0.15.12 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.15

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser
• @​Ruchir28

... (truncated)

Commits

• db5aa0a Bump 0.15.15 (#25431)
• 366fe21 [ty] Improve diagnostics for syntax errors in forward annotations (#25158)
• e2e1e64 [ty] Remove excess capacity from more Salsa cached collections (#25411)
• 1bd77e1 [ty] Use diagnostic message as tie breaker when sorting (#25424)
• 7e1bc1e Add agent skills for working on ty (#25422)
• 574e107 Expand semantic syntax errors for invalid walruses (#25415)
• 4a7ca06 [ty] Display docs for matching parameter when hovering over the name of an ar...
• 5432709 Refine a few agents instructions (#25423)
• 3cb09eb [ty] Support typing.TypeForm (#25334)
• c8cd59f [ty] Infer class attributes assigned by metaclass initialization (#25342)
• Additional commits viewable in compare view

Updates ty from 0.0.35 to 0.0.40

Release notes

Sourced from ty's releases.

0.0.40

Release Notes

Released on 2026-05-27.

Bug fixes

• Accept complete enum-literal alias unions as enums (#25341)
• Fix diagnostics in ignored folders after adding new files (#25236)
• Show LiteralString when hovering over an inline of a literal string in an IDE (#25373)

LSP server

• Follow aliases when attempting to map a definition in a stub file to its "real" runtime definition (#25328)
• Treat Python notebook text documents as Python sources (#25393)
• Fix autocompletion for elements inside incomplete list comprehensions (#25326)

Diagnostics

• Add a subdiagnostic help message to invalid-generic-class diagnostics regarding incompatible variance (#25385)

Core type checking

• Ignore and reject annotations on non-name targets (#25324)
• Infer class attributes assigned by metaclass initialization (#25342)
• Reject inconsistent generic bases in "dynamic" classes created using type(...), types.new_type(...), etc. (#25413)
• Resolve enum names for all unions arms in Literal enum subsets (#25379)
• Support typing.TypeForm (#25334)
• Fix many issues in the generics solver by using constraint sets more widely to solve type variables (#24540)

Contributors

• @​anuraaga
• @​dcreager
• @​charliermarsh
• @​MichaReiser
• @​Dev-X25874

Install ty 0.0.40

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astr...
Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.