Skip to content

build(deps): bump the dependencies group across 1 directory with 5 updates#1126

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/dependencies-9737b7417f
Closed

build(deps): bump the dependencies group across 1 directory with 5 updates#1126
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/dependencies-9737b7417f

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Copy link
Copy Markdown
Contributor

Updates the requirements on cryptography, boto3, botocore, coverage and mypy to permit the latest version.
Updates cryptography from 46.0.7 to 48.0.0

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04


* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.
  • Note: Going forward, we do not guarantee that all functionality
    in cryptography will be available when building against
    OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

47.0.0 - 2026-04-24

  • Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
  • BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
  • BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
  • BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:~cryptography.exceptions.UnsupportedAlgorithm instead of ValueError. This change affects :func:~cryptography.hazmat.primitives.serialization.load_pem_private_key, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key, :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key, :func:~cryptography.hazmat.primitives.serialization.load_der_public_key, and :meth:~cryptography.x509.Certificate.public_key when called on certificates with unsupported public key algorithms.
  • BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
  • Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES. In a

... (truncated)

Commits

Updates boto3 to 1.43.6

Commits

Updates botocore to 1.43.6

Commits

Updates coverage from 7.13.5 to 7.14.0

Changelog

Sourced from coverage's changelog.

Version 7.14.0 — 2026-05-10

  • Feature: now when running one of the reporting commands, if there are parallel data files that need combining, they will be implicitly combined before creating the report. There is no option to avoid the combination; let us know if you have a use case that requires it. Thanks, Tim Hatch <pull 2162_>. Closes issue 1781.

  • Fix: the output from combine was too verbose, listing each file considered. Now it shows a single line with the counts of files combined, files skipped, and files with errors. The -q flag suppresses this line. The old detailed lines are available with the new --debug=combine option.

  • Fix: running a Python file through a symlink now sets the sys.path correctly, matching regular Python behavior. Fixes issue 2157_.

  • Fix: Collector.flush_data could fail with "RuntimeError: Set changed size during iteration" when a tracer in another thread added a line to the per-file set that add_lines (or add_arcs) was iterating. The values passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver <pull 2165_>_.

  • Fix: the soft keyword lazy is now bolded in HTML reports.

  • We are no longer testing eventlet support. Eventlet started issuing stern deprecation warnings that break our tests. Our support code is still there.

.. _issue 1781: coveragepy/coveragepy#1781 .. _issue 2157: coveragepy/coveragepy#2157 .. _pull 2162: coveragepy/coveragepy#2162 .. _pull 2165: coveragepy/coveragepy#2165

.. _changes_7-13-5:

Commits
  • 646351b docs: sample HTML for 7.14.0
  • 39cd015 docs: prep for 7.14.0
  • 649e8aa docs: thanks Alex Vandiver for #2165
  • 8cd392e fix: snapshot data in Collector.flush_data to avoid threading race (#2165)
  • c48e0ed fix: less output for combining
  • c2a3a28 docs: explain the change from #2162
  • 1cd47aa fix: implicit combine-during-report now removes the combined data files
  • 2d99fd7 feat: automatically combine coverage in report, thanks Tim Hatch (#2162)
  • 9fbdcdf fix: lazy soft keywords are bolded
  • 5de7d02 build: oops, misplaced quote
  • Additional commits viewable in compare view

Updates mypy from 1.20.2 to 2.1.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 2.1

We’ve just uploaded mypy 2.1.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

librt.vecs: Fast Growable Array Type for Mypyc

The new librt.vecs module provides an efficient growable array type vec that is optimized for mypyc use. It provides fast, packed arrays with integer and floating point value types, which can be several times faster than list, and tens of times faster than array.array in code compiled using mypyc. It also supports nested vec objects and non-value-type items, such as vec[vec[str]].

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo.

librt.random: Fast Pseudo-Random Number Generation

The new librt.random module provides fast pseudo-random number generation that is optimized for code compiled using mypyc. It can be 3x to 10x faster than the stdlib random module in compiled code.

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo (PR 21433).

Mypyc Improvements

  • Make compilation order with multiple files consistent (Piotr Sawicki, PR 21419)
  • Fix crash on accessing StopAsyncIteration (Piotr Sawicki, PR 21406)
  • Fix incremental compilation with separate flag (Vaggelis Danias, PR 21299)

Fixes to Crashes

  • Fix crash on partial type with --allow-redefinition and global declaration (Jukka Lehtosalo, PR 21428)
  • Fix broken awaitable generator patching (Ivan Levkivskyi, PR 21435)

Changes to Messages

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…dates

Updates the requirements on [cryptography](https://github.com/pyca/cryptography), [boto3](https://github.com/boto/boto3), [botocore](https://github.com/boto/botocore), [coverage](https://github.com/coveragepy/coveragepy) and [mypy](https://github.com/python/mypy) to permit the latest version.

Updates `cryptography` from 46.0.7 to 48.0.0
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...48.0.0)

Updates `boto3` to 1.43.6
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.42.64...1.43.6)

Updates `botocore` to 1.43.6
- [Commits](boto/botocore@1.42.64...1.43.6)

Updates `coverage` from 7.13.5 to 7.14.0
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.13.5...7.14.0)

Updates `mypy` from 1.20.2 to 2.1.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.20.2...v2.1.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: boto3
  dependency-version: 1.43.6
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: botocore
  dependency-version: 1.43.6
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: coverage
  dependency-version: 7.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels May 19, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 26, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 26, 2026
@dependabot dependabot Bot deleted the dependabot/pip/dependencies-9737b7417f branch May 26, 2026 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants