⬆️ Bump the uv-dependencies group with 13 updates

[dependabot]

Bumps the uv-dependencies group with 13 updates:

Package	From	To
pydantic	2.13.3	2.13.4
pydantic-core	2.46.3	2.46.4
setuptools	81.0.0	82.0.1
mypy	1.20.2	2.0.0
types-python-dateutil	2.9.0.20260408	2.9.0.20260508
types-pyyaml	6.0.12.20260408	6.0.12.20260508
urllib3	2.6.3	2.7.0
authlib	1.7.1	1.7.2
cuda-bindings	12.9.6	12.9.4
hf-xet	1.5.0rc0	1.5.0
librt	0.9.0	0.10.0
nvidia-cuda-nvrtc-cu12	12.6.85	12.6.77
nvidia-nccl-cu12	2.28.9	2.27.5

Updates pydantic from 2.13.3 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• See full diff in compare view

Updates pydantic-core from 2.46.3 to 2.46.4

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• See full diff in compare view

Updates setuptools from 81.0.0 to 82.0.1

Changelog

Sourced from setuptools's changelog.

v82.0.1

Bugfixes

• Fix the loading of launcher manifest.xml file. (#5047)
• Replaced deprecated json.__version__ with fixture in tests. (#5186)

Improved Documentation

• Add advice about how to improve predictability when installing sdists. (#5168)

Misc

• #4941, #5157, #5169, #5175

v82.0.0

Deprecations and Removals

• pkg_resources has been removed from Setuptools. Most common uses of pkg_resources have been superseded by the importlib.resources <https://docs.python.org/3/library/importlib.resources.html>_ and importlib.metadata <https://docs.python.org/3/library/importlib.metadata.html>_ projects. Projects and environments relying on pkg_resources for namespace packages or other behavior should depend on older versions of setuptools. (#3085)

Commits

• 5a13876 Bump version: 82.0.0 → 82.0.1
• 51ab8f1 Avoid using (deprecated) 'json.version' in tests (#5194)
• f9c37b2 Docs/CI: Fix intersphinx references (#5195)
• 8173db2 Docs: Fix intersphinx references
• 09bafbc Fix past tense on newsfragment
• 461ea56 Add news fragment
• c4ffe53 Avoid using (deprecated) 'json.version' in tests
• 749258b Cleanup pkg_resources dependencies and configuration (#5175)
• 2019c16 Parse ext-module.define-macros from pyproject.toml as list of tuples (#5169)
• b809c86 Sync setuptools schema with validate-pyproject (#5157)
• Additional commits viewable in compare view

Updates mypy from 1.20.2 to 2.0.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 2.0

We’ve just uploaded mypy 2.0.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. There are also changes to options and defaults. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Enable --local-partial-types by Default

This flag affects the inference of types based on assignments in other scopes. For now, explicitly disabling this continues to be supported, but this support will be removed in the future as the legacy behaviour is hard to support with other current and future features in mypy, like the daemon or the new implementation of flexible redefinitions.

Contributed by Ivan Levkivskyi, Jukka Lehtosalo, Shantanu in PR 21163.

Enable --strict-bytes by Default

Per PEP 688, mypy no longer treats bytearray and memoryview values as assignable to the bytes type.

Contributed by Shantanu in PR 18371.

New Behavior for --allow-redefinition

The --allow-redefinition flag now behaves like --allow-redefinition-new in mypy 1.20 and earlier. The new behavior is generally more flexible. For example, you can have different types for a variable in different blocks:

# mypy: allow-redefinition
def foo(cond: bool) -> None:
if cond:
for x in ["a", "b"]:
# Type of "x" is "str" here
...
else:
for x in [1, 2]:
# Type of "x" is "int" here
...

... (truncated)

Commits

• 7a76500 Remove +dev from version
• 5a3ab3b Changelog for mypy 2.0 (#21422)
• f9c86e2 Some changelog updates for 2.0 (#21413)
• 519eaf1 Bump librt to 0.10.0 (#21415)
• 158a620 Fix negative narrowing for containers (#21411)
• e556eb9 Try fixing mypy mypyc wheels (#21392)
• f2c9797 Expose --num-workers and --native-parser (#21387)
• db0cb2f Bump ast-serialize cache version (#21388)
• 1090ca6 Bump ast-serialize version to 0.3.0 only (#21391)
• 714ca9f [mypyc] Add note about librt.strings thread safety (#21383)
• Additional commits viewable in compare view

Updates types-python-dateutil from 2.9.0.20260408 to 2.9.0.20260508

Commits

• See full diff in compare view

Updates types-pyyaml from 6.0.12.20260408 to 6.0.12.20260508

Commits

• See full diff in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

  See GHSA-mf9v-mfxr-j63j for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
• Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
• Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
• Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
• Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
• Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)
• Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

• 9a950b9 Release 2.7.0
• 5ec0de4 Merge commit from fork
• 2bdcc44 Merge commit from fork
• f45b0df Fix a misleading example for ProxyManager (#4970)
• 577193c Switch to nightly PyPy3.11 in CI for now (#4984)
• e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
• 67ed74f Bump dev dependencies (#4972)
• 3abd481 Upgrade mypy to version 1.20.2 (#4978)
• 2b8725d Drop support for EOL PyPy3.10 (#4979)
• 2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
• Additional commits viewable in compare view

Updates authlib from 1.7.1 to 1.7.2

Release notes

Sourced from authlib's releases.

v1.7.2

What's Changed

• Fix the readme links by @​azmeuk in authlib/authlib#886
• Allow non-recommended algorithms in ClientSecretJWT and PrivateKey by @​azmeuk in authlib/authlib#887
• Validate BCP47 language tags with a regex by @​azmeuk in authlib/authlib#873
• Fix RFC7523 signing with non RSA keys by @​azmeuk in authlib/authlib#884

Full Changelog: authlib/authlib@v1.7.1...v1.7.2

Commits

• a0b76fa chore: bump to 1.7.2
• c85c7f2 Merge pull request #884 from azmeuk/852-rfc7523-key-import
• a3b2add Merge pull request #873 from azmeuk/bcp47
• f2578ea fix: Import RSAKey in auth.py for additional key support
• b57182c fix: fallback support RSAKey when client_secret is text
• 4e75902 Merge branch 'main' into 852-rfc7523-key-import
• 5eb4a86 Merge pull request #887 from azmeuk/883-alg
• 5633f37 fix: allow non-recommended algorithms in ClientSecretJWT and PrivateKeyJWT
• 4c8e7b3 Merge pull request #886 from azmeuk/885-readme
• 23b333e docs: fix the readme links
• Additional commits viewable in compare view

Updates cuda-bindings from 12.9.6 to 12.9.4

Commits

• 573345b build: backport ftcompat fix (#1112)
• 1b578c2 bump version (#1099)
• cc8f6d6 ci: replace single gating check with vanilla skipping (#1008) [no-ci] (#1056)
• 9b579bc test_nvvm.py simplification / use llvmlite in toolshed/ only (#1047) (#1053)
• 41420f9 Backport #986 & #1005 (#1042)
• e2b9f60 Backport removal of pywin32 to 12.9.x (#1044)
• cef4cf8 ci: remove spurious free-threading builds (#1006)
• e1fe60a chore: sync test-matrix to main (#1004)
• 553adf7 Backport #962 and #969 to 12.9.x (#992)
• 8b8b84c Remove llvmlite from test dependencies in cuda_bindings/pyproject.toml (#98...
• Additional commits viewable in compare view

Updates hf-xet from 1.5.0rc0 to 1.5.0

Release notes

Sourced from hf-xet's releases.

[hf-xet v1.5.0] Session based API

Replaces the old upload_files / download_files / hash_files Python functions with a new object-oriented API that exposes XetSession and its child objects directly as PyO3 classes. This gives Python callers full control over session lifecycle, connection pooling, and progress reporting.

The previous module-level functions are kept under hf_xet/src/legacy/ and remain importable as from hf_xet import upload_files etc., but now emit DeprecationWarning.

New Python API

import hf_xet
Optional: create a custom config (immutable; use .with_config() to derive updates)
config = hf_xet.XetConfig().with_config("data.max_concurrent_file_ingestion", 8)
Create session; config is optional (defaults to XetConfig() with HF_XET_* env overrides)
session = hf_xet.XetSession(config=config)
Upload — multiple files, bytes, and streaming within one commit
with session.new_upload_commit(
endpoint="https://cas.xethub.hf.co",
token="jwt", token_expiry_unix_secs=9999999999,
token_refresh_url="https://…/xet-write-token/main",
token_refresh_headers={"Authorization": "Bearer hf_…"},
) as commit:
h1 = commit.start_upload_file("/path/to/model.bin")
h2 = commit.start_upload_file("/path/to/tokenizer.json", sha256="f2358d9a…")
h3 = commit.start_upload_bytes(b"...", name="config.json")
with commit.start_upload_stream(name="big.bin") as stream:
for chunk in produce_chunks():
    stream.write(chunk)

on normal exit: wait_to_finish() is called automatically
on exception:   abort() is called automatically
SHA-256 sentinels
commit.start_upload_file("/path/to/model.bin", sha256=hf_xet.COMPUTE_SHA256)  # default
commit.start_upload_file("/path/to/model.bin", sha256=hf_xet.SKIP_SHA256)     # skip
Progress callback — receives (GroupProgressReport, dict[UniqueID, ItemProgressReport])
def on_progress(group, items):
bar.n = group.total_bytes_completed
bar.refresh()
with session.new_upload_commit(
token_refresh_url="https://…/xet-write-token/main",
token_refresh_headers={"Authorization": "Bearer hf_…"},
progress_callback=on_progress,
progress_interval_ms=100,
) as commit:
commit.start_upload_file("/path/to/model.bin")
</tr></table>

... (truncated)

Commits

• See full diff in compare view

Updates librt from 0.9.0 to 0.10.0

Commits

• 1d5e9b2 Bump version to 0.10.0
• 963673e Sync mypy and add smoke tests (#38)
• See full diff in compare view

Updates nvidia-cuda-nvrtc-cu12 from 12.6.85 to 12.6.77

Updates nvidia-nccl-cu12 from 2.28.9 to 2.27.5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions