Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.6 to
6.5.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.7
releases/v6.5.6
releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="48fc2d43d1"><code>48fc2d4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3633">#3633</a>
from bdarnell/curl-reset-65</li>
<li><a
href="4ae1ddd142"><code>4ae1ddd</code></a>
Release notes and version bump for 6.5.7</li>
<li><a
href="3154caabc9"><code>3154caa</code></a>
curl_httpclient: Reset the curl object before putting it on the
freelist</li>
<li><a
href="7d869c0739"><code>7d869c0</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3631">#3631</a>
from bdarnell/cve-links</li>
<li><a
href="288241f681"><code>288241f</code></a>
docs: Use the correct link syntax</li>
<li><a
href="8da981c0f6"><code>8da981c</code></a>
docs: Add CVE links to 6.5.6 release notes</li>
<li>See full diff in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.6...v6.5.7">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps [bleach](https://github.com/mozilla/bleach) from 6.2.0 to 6.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/mozilla/bleach/blob/main/CHANGES">bleach's
changelog</a>.</em></p>
<blockquote>
<h2>Version 6.4.0 (June 5th, 2026)</h2>
<p><strong>NOTE: 2026-06-05: Bleach is no longer maintained. There will
be no future
releases including for security issues.</strong>
See issue:
<code><https://github.com/mozilla/bleach/issues/698></code>__</p>
<p><strong>Backwards incompatible changes</strong></p>
<ul>
<li>Dropped support for pypy 3.10. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</li>
</ul>
<p><strong>Security fixes</strong></p>
<ul>
<li>
<p>Fix bug 2023812 / GHSA-8rfp-98v4-mmr6.</p>
<p>Fix XSS issue with sanitize_uri_value where disallowed schemes with
Unicode invisible characters wouldn't be rejected.</p>
<p>For example::</p>
<p>import bleach
payload1 = '<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'
result1 = bleach.clean(payload1)
print(repr(result1))</p>
<p>outputs::</p>
<p>'<!-- raw HTML omitted -->Click<!-- raw HTML omitted -->'</p>
<p>See the advisory for details.</p>
</li>
<li>
<p>Fix GHSA-gj48-438w-jh9v.</p>
<p>Fix issue where URI sanitization wasn't happening in formaction
attributes.</p>
<p>See the advisory for details.</p>
</li>
</ul>
<p><strong>Bug fixes</strong></p>
<ul>
<li>
<p>Add support for pypy 3.11. (<a
href="https://redirect.github.com/mozilla/bleach/issues/764">#764</a>)</p>
</li>
<li>
<p>Drop version max in tinycss2 pin. (<a
href="https://redirect.github.com/mozilla/bleach/issues/772">#772</a>)</p>
<p>This removes one of the things we had to keep checking and updating.
Users
now own the responsibility for correctness with the version of tinycss2
they're using.</p>
</li>
</ul>
<h2>Version 6.3.0 (October 27th, 2025)</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f0355a7af0"><code>f0355a7</code></a>
fix: fix last release date in CHANGES</li>
<li><a
href="ae4e8a2670"><code>ae4e8a2</code></a>
chore: bleach 6.4.0 and final release</li>
<li><a
href="970df58e9f"><code>970df58</code></a>
fix: uri-sanitization in formaction attributes</li>
<li><a
href="7c4867c323"><code>7c4867c</code></a>
fix: xss bypass in allowed protocol test using unicode invisible
characters</li>
<li><a
href="913ab75992"><code>913ab75</code></a>
fix: reduce redundancy in workflow jobs</li>
<li><a
href="218c15af45"><code>218c15a</code></a>
fix: rework pip caching</li>
<li><a
href="4f0b097bf8"><code>4f0b097</code></a>
fix: fix tox platform restrictions</li>
<li><a
href="e95a79d07b"><code>e95a79d</code></a>
chore: update pytest</li>
<li><a
href="91539d4e80"><code>91539d4</code></a>
Bump actions/cache from 5.0.3 to 5.0.4</li>
<li><a
href="cd47b4ce49"><code>cd47b4c</code></a>
fix: handle left-angle-bracket that's not a tag (<a
href="https://redirect.github.com/mozilla/bleach/issues/733">#733</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/mozilla/bleach/compare/v6.2.0...v6.4.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to
9.1.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>9.1.0</h2>
<h1>pytest 9.1.0 (2026-06-13)</h1>
<h2>Removals and backward incompatible breaking changes</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14533">#14533</a>:
When using <code>--doctest-modules</code>, autouse fixtures with
<code>module</code>, <code>package</code> or <code>session</code> scope
that are defined inline in Python test modules (not plugins or
conftests) will now possibly execute twice.</p>
<p>If this is undesirable, move the fixture definition to a
<code>conftest.py</code> file if possible.</p>
<p>Technical explanation for those interested:
When using <!-- raw HTML omitted -->--doctest-modules<!-- raw HTML
omitted -->, pytest possibly collects Python modules twice, once as
<code>pytest.Module</code> and once as a <code>DoctestModule</code>
(depending on the configuration).
Due to improvements in pytest's fixture implementation, if e.g. the
<code>DoctestModule</code> collects a fixture, it is now visible to it
only, and not to the <code>Module</code>.
This means that both need to register the fixtures independently.</p>
</li>
</ul>
<h2>Deprecations (removal in next major release)</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/10819">#10819</a>:
Added a deprecation warning for class-scoped fixtures defined as
instance methods (without <code>@classmethod</code>). Such fixtures set
attributes on a different instance than the test methods use, leading to
unexpected behavior. Use <code>@classmethod</code> decorator instead --
by <code>yastcher</code>.</p>
<p>See <code>10819</code> and <code>14011</code>.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/12882">#12882</a>:
Calling <code>request.getfixturevalue()
<pytest.FixtureRequest.getfixturevalue></code> during teardown to
request a fixture that was not already requested is now deprecated and
will become an error in pytest 10.</p>
<p>See <code>dynamic-fixture-request-during-teardown</code> for
details.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13409">#13409</a>:
Using non-<code>~collections.abc.Collection</code> iterables (such as
generators, iterators, or custom iterable objects) for the
<code>argvalues</code> parameter in <code>@pytest.mark.parametrize
<pytest.mark.parametrize ref></code> and
<code>metafunc.parametrize <pytest.Metafunc.parametrize></code> is
now deprecated.</p>
<p>These iterables get exhausted after the first iteration,
leading to tests getting unexpectedly skipped in cases such as running
<code>pytest.main()</code> multiple times,
using class-level parametrize decorators,
or collecting tests multiple times.</p>
<p>See <code>parametrize-iterators</code> for details and
suggestions.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>:
The private <code>config.inicfg</code> attribute is now deprecated.
Use <code>config.getini() <pytest.Config.getini></code> to access
configuration values instead.</p>
<p>See <code>config-inicfg</code> for more details.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14004">#14004</a>:
Passing <code>baseid</code> to <code>~pytest.FixtureDef</code> or
<code>nodeid</code> strings to fixture registration APIs is now
deprecated. These are internal pytest APIs that are used by some
plugins.</p>
<p>Use the <code>node</code> parameter instead for fixture scoping. This
enables more robust node-based
matching instead of string prefix matching.
If you've used <code>nodeid=None</code>, pass <code>node=session</code>
instead.</p>
<p>This will be removed in pytest 10.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14335">#14335</a>:
The method of configuring hooks using markers, deprecated since pytest
7.2, is now scheduled to be removed in pytest 10.
See <code>hook-markers</code> for more details.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/14434">#14434</a>:
The <code>--pastebin</code> option is now deprecated.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b2522cf0b1"><code>b2522cf</code></a>
Prepare release version 9.1.0</li>
<li><a
href="368d2fca78"><code>368d2fc</code></a>
[refactor] Tighten <code>SetComparisonFunction</code> to
<code>Iterator[str]</code> (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14587">#14587</a>)</li>
<li><a
href="ff77cd8b66"><code>ff77cd8</code></a>
[refactor] Make base assertion comparisons return an iterator instead of
a li...</li>
<li><a
href="0d8491a4ec"><code>0d8491a</code></a>
build(deps): Bump actions/stale from 10.2.0 to 10.3.0</li>
<li><a
href="4a809d9c89"><code>4a809d9</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14568">#14568</a>
from pytest-dev/register-fixture</li>
<li><a
href="5dfa38541b"><code>5dfa385</code></a>
Fix recursion traceback test to cover all styles (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14582">#14582</a>)</li>
<li><a
href="f52ff0c177"><code>f52ff0c</code></a>
Add <code>pytest.register_fixture</code></li>
<li><a
href="a8ac094e80"><code>a8ac094</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14567">#14567</a>
from pytest-dev/more-visibility-deprecate</li>
<li><a
href="e5620cd21e"><code>e5620cd</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14577">#14577</a>)</li>
<li><a
href="2ce9c6d94e"><code>2ce9c6d</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14540">#14540</a>
from minbang930/fix-14533-doctest-module-fixtures</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest/compare/9.0.3...9.1.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.5 to
6.5.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.7
releases/v6.5.6
releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aba2569f7e"><code>aba2569</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3626">#3626</a>
from bdarnell/fixes-656</li>
<li><a
href="a24b260e0d"><code>a24b260</code></a>
httpclient_test: Accept an additional error message variant</li>
<li><a
href="a74240a702"><code>a74240a</code></a>
Release notes and version bump for 6.5.6.</li>
<li><a
href="e8fc7edb23"><code>e8fc7ed</code></a>
simple_httpclient: Strip auth headers on cross-origin redirects</li>
<li><a
href="96dc88c2a0"><code>96dc88c</code></a>
speedups: validate mask length</li>
<li><a
href="ff808b33ad"><code>ff808b3</code></a>
http1connection: Enforce max_body_size in _GzipMessageDelegate</li>
<li><a
href="ede4e37f93"><code>ede4e37</code></a>
auth: Correctly parse check_authentication response</li>
<li><a
href="1c178bef88"><code>1c178be</code></a>
Remove obsolete curl force_timeout workaround</li>
<li><a
href="c99d55bb6c"><code>c99d55b</code></a>
Replace deprecated pycurl IOCTLFUNCTION callback with SEEKFUNCTION</li>
<li><a
href="27614316ef"><code>2761431</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3587">#3587</a>
from bdarnell/fix-link</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.5...v6.5.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps `langchain-core` to `1.4.7` for the next patch release and updates
downstream minimum `langchain-core` requirements so package locks
resolve against the new core version.
This also refreshes the runnable snapshots that embed `lc_versions`
metadata so the version consistency check continues to validate
checked-in artifacts.
Validated with `python libs/core/scripts/check_version.py`, `uv lock
--check` across package lockfiles, and the core runnable tests that own
the updated snapshots with local LangSmith tracing env disabled.
Originally a narrow bump of mypy to `1.20` in four packages. Expanded to
get the whole monorepo onto a single, current mypy and a consistent
type-check configuration, so contributors no longer hit different mypy
versions and divergent behavior depending on which package they touch.
### What changed
- **Unified the mypy pin to `>=2.1.0,<2.2.0`** in every mypy-using
package (6 libs + 14 partners), replacing the previously scattered pins
(`1.10`/`1.17`/`1.18`/`1.19`/`1.20`, with assorted upper bounds).
- **Unified the `[tool.mypy]` base per tier:**
- libs: `plugins = ["pydantic.mypy"]`, `strict = true`,
`enable_error_code = "deprecated"`, `warn_unreachable = true`
- partners: `disallow_untyped_defs = true`
- Normalized style (`disallow_untyped_defs = "True"` string → bool,
quote/key consistency).
- **Fixed the 20 real errors** mypy 2.1 surfaces: `redundant-cast` from
improved narrowing (`core`, `langchain-classic`), a `var-annotated` for
`_LOGGED`, a return-type widening in `langchain-groq`'s
`_convert_from_v1_to_groq` (it can legitimately return a bare `str`),
and stale `type-arg`/`unused-ignore` in `langchain-model-profiles`
tests.
### Deliberate non-uniformity (documented inline in the relevant
`pyproject.toml`s)
Going fully byte-identical would surface ~196 additional errors that are
*not* real bugs, so two settings are kept package-appropriate:
- **`warn_unreachable`** is enabled on every strict lib **except
`core`**, where it false-flags intentional defensive code — including
the SSRF / IP-policy guards in `_security/` — as unreachable.
- **`pydantic.mypy` plugin** is used only on `anthropic` and
`perplexity` (their code is authored against it and reports ~99/~132
errors without it). It is *not* added to the other partners, where it
only flags the public alias constructor API (e.g. `ChatGroq(model=...)`)
in tests rather than finding bugs.
- **`ollama`** is left on its `ty` type checker; it does not use mypy.
---------
Co-authored-by: Mason Daugherty <github@mdrxy.com>
Bumps [idna](https://github.com/kjd/idna) from 3.10 to 3.15.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's
changelog</a>.</em></p>
<blockquote>
<h2>3.15 (2026-05-12)</h2>
<ul>
<li>Enforce DNS-length cap on individual labels early in
<code>check_label</code>,
short-circuiting contextual-rule processing for oversized input
while staying compatible with UTS 46 usage.</li>
<li>Tidy core helpers: hoist bidi category sets to module-level
frozensets (avoiding per-codepoint list construction), simplify
length checks, and reuse the shared <code>_unicode_dots_re</code> from
<code>idna.core</code> in the codec module.</li>
<li>Use <code>raise ... from err</code> for proper exception chaining
and
switch internal string formatting to f-strings.</li>
<li>Allow <code>flit_core</code> 4.x in the build backend.</li>
<li>Expand the ruff lint set (flake8-bugbear, flake8-simplify,
pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
to Python 3.14.</li>
<li>Add Dependabot configuration for GitHub Actions.</li>
<li>Convert README and HISTORY from reStructuredText to Markdown.</li>
<li>Reference CVE-2026-45409 for the 3.14 advisory in place of the
initial GHSA identifier.</li>
</ul>
<p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.</p>
<h2>3.14 (2026-05-10)</h2>
<ul>
<li>Removed opportunity to process long inputs into quadratic
time by rejecting oversize inputs up-front. Closes a bypass
of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li>
</ul>
<p>Thanks to Stan Ulbrych for reporting the issue.</p>
<h2>3.13 (2026-04-22)</h2>
<ul>
<li>Correct classification error for codepoint U+A7F1</li>
</ul>
<h2>3.12 (2026-04-21)</h2>
<ul>
<li>Update to Unicode 17.0.0.</li>
<li>Issue a deprecation warning for the transitional argument.</li>
<li>Added lazy-loading to provide some performance improvements.</li>
<li>Removed vestiges of code related to Python 2 support, including
segmentation of data structures specific to Jython.</li>
</ul>
<p>Thanks to Rodrigo Nogueira for contributions to this release.</p>
<h2>3.11 (2025-10-12)</h2>
<ul>
<li>Update to Unicode 16.0.0, including significant changes to UTS46
processing. As a result of Unicode ending support for it, transitional
processing no longer has an effect and returns the same result.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="af30a092e1"><code>af30a09</code></a>
Release 3.15</li>
<li><a
href="30314d4628"><code>30314d4</code></a>
Pre-release 3.15rc0</li>
<li><a
href="05d4b219aa"><code>05d4b21</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/237">#237</a> from
kjd/convert-docs-to-markdown</li>
<li><a
href="2987fdba19"><code>2987fdb</code></a>
Convert README and HISTORY from reStructuredText to Markdown</li>
<li><a
href="59fa8002d5"><code>59fa800</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/236">#236</a> from
kjd/dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="def69834ce"><code>def6983</code></a>
Merge branch 'master' into
dependabot/github_actions/actions-f3e34333ea</li>
<li><a
href="bbd8004a79"><code>bbd8004</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/234">#234</a> from
StanFromIreland/patch-1</li>
<li><a
href="edd07c0502"><code>edd07c0</code></a>
Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions
group</li>
<li><a
href="5557db030c"><code>5557db0</code></a>
Merge branch 'master' into patch-1</li>
<li><a
href="f11746cf49"><code>f11746c</code></a>
Merge pull request <a
href="https://redirect.github.com/kjd/idna/issues/235">#235</a> from
StanFromIreland/patch-2</li>
<li>Additional commits viewable in <a
href="https://github.com/kjd/idna/compare/v3.10...v3.15">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.7.0</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support. If your company or organization uses Python and
would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and
thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Security</h2>
<p>Addressed high-severity security issues. Impact was limited to
specific use cases detailed in the accompanying advisories; overall user
exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been read and decompressed partially. (Reported by <a
href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed using the official <a
href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by
<a
href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li>
</ol>
<p>See GHSA-mf9v-mfxr-j63j for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip sensitive
headers specified in <code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a
href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better visibility of existing
deprecation notices. Rescheduled the removal of deprecated features to
version 3.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li>
<li>Removed support for end-of-life Python 3.9. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li>
<li>Removed support for end-of-life PyPy3.10. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed data buffered from previous partial reads. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the response after a partial read when
<code>cache_content=True</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li>
<li>Fixed <code>HTTPResponse.stream()</code> and
<code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>.
(<a
href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li>
<li>Updated <code>_TYPE_BODY</code> type alias to include missing
<code>Iterable[str]</code>, matching the documented and runtime behavior
of chunked request bodies. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li>
<li>Fixed <code>LocationParseError</code> when paths resembling
schemeless URIs were passed to
<code>HTTPConnectionPool.urlopen()</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li>
<li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to
accept <code>memoryview</code> in addition to <code>bytearray</code>,
matching the <code>io.RawIOBase.readinto</code> contract and enabling
use with <code>io.BufferedReader</code> without type errors. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.7.0 (2026-05-07)</h1>
<h2>Security</h2>
<p>Addressed high-severity security issues.
Impact was limited to specific use cases detailed in the accompanying
advisories; overall user exposure was estimated to be marginal.</p>
<ul>
<li>
<p>Decompression-bomb safeguards of the streaming API were bypassed:</p>
<ol>
<li>When <code>HTTPResponse.drain_conn()</code> was called after the
response had been
read and decompressed partially.</li>
<li>During the second <code>HTTPResponse.read(amt=N)</code> or
<code>HTTPResponse.stream(amt=N)</code> call when the response was
decompressed
using the official <code>Brotli
<https://pypi.org/project/brotli/></code>__ library.</li>
</ol>
<p>See <code>GHSA-mf9v-mfxr-j63j
<https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__
for details.</p>
</li>
<li>
<p>HTTP pools created using
<code>ProxyManager.connection_from_url</code> did not strip
sensitive headers specified in
<code>Retry.remove_headers_on_redirect</code> when
redirecting to a different host.
(<code>GHSA-qccp-gfcp-xxvc
<https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p>
</li>
</ul>
<h2>Deprecations and Removals</h2>
<ul>
<li>Used <code>FutureWarning</code> instead of
<code>DeprecationWarning</code> for better
visibility of existing deprecation notices. Rescheduled the removal of
deprecated features to version 3.0.
(<code>[#3763](https://github.com/urllib3/urllib3/issues/3763)
<https://github.com/urllib3/urllib3/issues/3763></code>__)</li>
<li>Removed support for end-of-life Python 3.9.
(<code>[#3720](https://github.com/urllib3/urllib3/issues/3720)
<https://github.com/urllib3/urllib3/issues/3720></code>__)</li>
<li>Removed support for end-of-life PyPy3.10.
(<code>[#4979](https://github.com/urllib3/urllib3/issues/4979)
<https://github.com/urllib3/urllib3/issues/4979></code>__)</li>
<li>Bumped the minimum supported pyOpenSSL version to 19.0.0.
(<code>[#3777](https://github.com/urllib3/urllib3/issues/3777)
<https://github.com/urllib3/urllib3/issues/3777></code>__)</li>
</ul>
<h2>Bugfixes</h2>
<ul>
<li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was
ignoring decompressed
data buffered from previous partial reads.
(<code>[#3636](https://github.com/urllib3/urllib3/issues/3636)
<https://github.com/urllib3/urllib3/issues/3636></code>__)</li>
<li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only
part of the
response after a partial read when <code>cache_content=True</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9a950b92d9"><code>9a950b9</code></a>
Release 2.7.0</li>
<li><a
href="5ec0de499b"><code>5ec0de4</code></a>
Merge commit from fork</li>
<li><a
href="2bdcc44d1e"><code>2bdcc44</code></a>
Merge commit from fork</li>
<li><a
href="f45b0df09d"><code>f45b0df</code></a>
Fix a misleading example for <code>ProxyManager</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4970">#4970</a>)</li>
<li><a
href="577193ca02"><code>577193c</code></a>
Switch to nightly PyPy3.11 in CI for now (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4984">#4984</a>)</li>
<li><a
href="e90af45bb0"><code>e90af45</code></a>
Avoid infinite loop in <code>HTTPResponse.read_chunked</code> when
<code>amt=0</code> (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4974">#4974</a>)</li>
<li><a
href="67ed74fdae"><code>67ed74f</code></a>
Bump dev dependencies (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4972">#4972</a>)</li>
<li><a
href="3abd481097"><code>3abd481</code></a>
Upgrade mypy to version 1.20.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4978">#4978</a>)</li>
<li><a
href="2b8725dfca"><code>2b8725d</code></a>
Drop support for EOL PyPy3.10 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4979">#4979</a>)</li>
<li><a
href="2944b2a0a6"><code>2944b2a</code></a>
Upgrade <code>setup-chrome</code> and <code>setup-firefox</code> to fix
warnings (<a
href="https://redirect.github.com/urllib3/urllib3/issues/4973">#4973</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.6.3...2.7.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
`ChatFireworks.max_retries` silently did nothing. The old code assigned
the value to a `ChatCompletionV2` sub-object rather than the base
client, and the pinned Fireworks SDK (0.13.0–0.19.20) never honors its
own `_max_retries` attribute on the base client either. Since the
Stainless-generated 1.x SDK that does implement retries is still
pre-release (1.0.1a63 at time of writing), retry responsibility is
ported to the LangChain side until the pin can be bumped.
CVE-2025-71176 (medium severity)
All are dev-only (test dependency group) — no impact on published
packages.
### Why syrupy was also bumped
syrupy 4.x (`<5.0.0`) constrains pytest to `<9.0.0`, blocking the CVE
fix. Widening to `<6.0.0` allows syrupy 5.x which supports pytest 9.x.
## Summary
Bumps `pygments` to `>=2.20.0` across all 21 affected packages to
address [CVE-2026-4539](https://github.com/advisories/GHSA-XXXX) — ReDoS
via inefficient GUID regex in Pygments.
- **Severity:** Low
- **Fixed in:** 2.20.0 (was 2.19.2)
- **Change:** Added `pygments>=2.20.0` to `constraint-dependencies` in
`[tool.uv]` for each package, then ran `uv lock --upgrade-package
pygments` to regenerate lock files.
Closes Dependabot alerts #3435–#3455.
## Release Note
Patch deps
### Test Plan
- [x] CI Green 🙏
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/releases">requests's
releases</a>.</em></p>
<blockquote>
<h2>v2.33.0</h2>
<h2>2.33.0 (2026-03-25)</h2>
<p><strong>Announcements</strong></p>
<ul>
<li>📣 Requests is adding inline types. If you have a typed code base
that uses Requests, please take a look at <a
href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>.
Give it a try, and report any gaps or feedback you may have in the
issue. 📣</li>
</ul>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now
extracts contents to a non-deterministic location to prevent malicious
file replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Migrated to a PEP 517 build system using setuptools. (<a
href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li>
</ul>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed an issue where an empty netrc entry could cause malformed
authentication to be applied to Requests on Python 3.11+. (<a
href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Dropped support for Python 3.9 following its end of support. (<a
href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li>
</ul>
<p><strong>Documentation</strong></p>
<ul>
<li>Various typo fixes and doc improvements.</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/M0d3v1"><code>@M0d3v1</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6865">psf/requests#6865</a></li>
<li><a href="https://github.com/aminvakil"><code>@aminvakil</code></a>
made their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7220">psf/requests#7220</a></li>
<li><a href="https://github.com/E8Price"><code>@E8Price</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6960">psf/requests#6960</a></li>
<li><a href="https://github.com/mitre88"><code>@mitre88</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7244">psf/requests#7244</a></li>
<li><a href="https://github.com/magsen"><code>@magsen</code></a> made
their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/6553">psf/requests#6553</a></li>
<li><a
href="https://github.com/Rohan5commit"><code>@Rohan5commit</code></a>
made their first contribution in <a
href="https://redirect.github.com/psf/requests/pull/7227">psf/requests#7227</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25">https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/psf/requests/blob/main/HISTORY.md">requests's
changelog</a>.</em></p>
<blockquote>
<h2>2.33.0 (2026-03-25)</h2>
<p><strong>Announcements</strong></p>
<ul>
<li>📣 Requests is adding inline types. If you have a typed code base
that
uses Requests, please take a look at <a
href="https://redirect.github.com/psf/requests/issues/7271">#7271</a>.
Give it a try, and report
any gaps or feedback you may have in the issue. 📣</li>
</ul>
<p><strong>Security</strong></p>
<ul>
<li>CVE-2026-25645 <code>requests.utils.extract_zipped_paths</code> now
extracts
contents to a non-deterministic location to prevent malicious file
replacement. This does not affect default usage of Requests, only
applications calling the utility function directly.</li>
</ul>
<p><strong>Improvements</strong></p>
<ul>
<li>Migrated to a PEP 517 build system using setuptools. (<a
href="https://redirect.github.com/psf/requests/issues/7012">#7012</a>)</li>
</ul>
<p><strong>Bugfixes</strong></p>
<ul>
<li>Fixed an issue where an empty netrc entry could cause
malformed authentication to be applied to Requests on
Python 3.11+. (<a
href="https://redirect.github.com/psf/requests/issues/7205">#7205</a>)</li>
</ul>
<p><strong>Deprecations</strong></p>
<ul>
<li>Dropped support for Python 3.9 following its end of support. (<a
href="https://redirect.github.com/psf/requests/issues/7196">#7196</a>)</li>
</ul>
<p><strong>Documentation</strong></p>
<ul>
<li>Various typo fixes and doc improvements.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bc04dfd6da"><code>bc04dfd</code></a>
v2.33.0</li>
<li><a
href="66d21cb07b"><code>66d21cb</code></a>
Merge commit from fork</li>
<li><a
href="8b9bc8fc0f"><code>8b9bc8f</code></a>
Move badges to top of README (<a
href="https://redirect.github.com/psf/requests/issues/7293">#7293</a>)</li>
<li><a
href="e331a288f3"><code>e331a28</code></a>
Remove unused extraction call (<a
href="https://redirect.github.com/psf/requests/issues/7292">#7292</a>)</li>
<li><a
href="753fd08c5e"><code>753fd08</code></a>
docs: fix FAQ grammar in httplib2 example</li>
<li><a
href="774a0b837a"><code>774a0b8</code></a>
docs(socks): same block as other sections</li>
<li><a
href="9c72a41bec"><code>9c72a41</code></a>
Bump github/codeql-action from 4.33.0 to 4.34.1</li>
<li><a
href="ebf7190679"><code>ebf7190</code></a>
Bump github/codeql-action from 4.32.0 to 4.33.0</li>
<li><a
href="0e4ae38f0c"><code>0e4ae38</code></a>
docs: exclude Response.is_permanent_redirect from API docs (<a
href="https://redirect.github.com/psf/requests/issues/7244">#7244</a>)</li>
<li><a
href="d568f47278"><code>d568f47</code></a>
docs: clarify Quickstart POST example (<a
href="https://redirect.github.com/psf/requests/issues/6960">#6960</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/psf/requests/compare/v2.32.5...v2.33.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [nltk](https://github.com/nltk/nltk) from 3.9.3 to 3.9.4.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nltk/nltk/blob/develop/ChangeLog">nltk's
changelog</a>.</em></p>
<blockquote>
<p>Version 3.9.4 2026-03-24</p>
<ul>
<li>Support Python 3.14</li>
<li>Fix bug in Levenshtein distance when substitution_cost > 2</li>
<li>Fix bug in Treebank detokeniser re quote ordering</li>
<li>Fix bug in Jaro similarity for empty strings</li>
<li>Several security enhancements</li>
<li>Fix GHSA-rf74-v2fm-23pw: unbounded recursion in
JSONTaggedDecoder</li>
<li>Implement TextTiling vocabulary introduction method (Hearst
1997)</li>
<li>Fix ALINE feature matrix errors and add comprehensive tests</li>
<li>Support multiple VerbNet versions, fix longid/shortid regex for
VerbNet ids</li>
<li>Let downloader fallback to md5 when sha256 is unavailable</li>
<li>Several other minor bugfixes and code cleanups</li>
</ul>
<p>Thanks to the following contributors to 3.9.4:
Min-Yen Kan, Eric Kafe, Emily Voss, bowiechen, Hrudhai01,
jancallewaert, Mr-Neutr0n, pollak.peter89, ylwango613,</p>
<p>Version 3.9.3 2026-02-21</p>
<ul>
<li>Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (<a
href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a>)</li>
<li>Block path traversal/arbitrary reads in nltk.data for protocol-less
refs (<a
href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a>)</li>
<li>Block path traversal/abs paths in corpus readers and FS pointers (<a
href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a>, <a
href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a>)</li>
<li>Validate external StanfordSegmenter JARs using SHA256 (<a
href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a>)</li>
<li>Add optional sandbox enforcement for filestring() (<a
href="https://redirect.github.com/nltk/nltk/issues/3485">#3485</a>)</li>
<li>Maintenance: downloader/zipped models, CI/tooling updates</li>
</ul>
<p>Thanks to the following contributors to 3.9.3:
Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher
Smith</p>
<p>Version 3.9.2 2025-10-01</p>
<ul>
<li>Update download checksums to use SHA256 in built index</li>
<li>Fix percentage escape in new-style string formatting</li>
<li>replace shortened URLs using goo.gl</li>
<li>Make Wordnet interoperable with various taggers and tagged
corpora</li>
<li>Fix saving PerceptronTagger</li>
<li>Document how to reproduce old Wordnet studies</li>
<li>properly initialize Portuguese corpus reader</li>
<li>support for mixed rules conversion into Chomsky Normal Form</li>
<li>only import tkinter if a GUI is needed</li>
<li>issue <a
href="https://redirect.github.com/nltk/nltk/issues/2112">#2112</a> with
Corenlp</li>
<li>new environment variable
NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL</li>
<li>Lesk defaults to most frequent sense in case of ties</li>
</ul>
<p>Thanks to the following contributors to 3.9.2:
Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix,
Jason Liu,
Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram
Ul Haq,
Christopher Smith, Ryan Mannion</p>
<p>Version 3.9.1 2024-08-19</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ad9c96ba00"><code>ad9c96b</code></a>
Update copyright year</li>
<li><a
href="7edcddfda5"><code>7edcddf</code></a>
Updates for 3.9.4 release</li>
<li><a
href="67a2736f89"><code>67a2736</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3180">#3180</a> from
yzhaoinuw/bug-on-edit_distance_align</li>
<li><a
href="2b17ac5358"><code>2b17ac5</code></a>
Fix edit_distance_align backtrace for high substitution costs</li>
<li><a
href="4b72976a6f"><code>4b72976</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3018">#3018</a> from
JuanIMartinezB/bug/shortid-longid</li>
<li><a
href="8a5619f53a"><code>8a5619f</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3222">#3222</a> from
Syzygy2048/feature/texttiling-vocabulary-introd...</li>
<li><a
href="c6574d755e"><code>c6574d7</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3289">#3289</a> from
ihitamandal/codeflash/optimize-windowdiff-2024-...</li>
<li><a
href="98ff5d9eaa"><code>98ff5d9</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3435">#3435</a> from
Hrudhai01/fix-3260-detokenize-quotes</li>
<li><a
href="aec4fce1b8"><code>aec4fce</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3522">#3522</a> from
ekaf/pathsec</li>
<li><a
href="eec4ee3591"><code>eec4ee3</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3526">#3526</a> from
nltk/update-contributing</li>
<li>Additional commits viewable in <a
href="https://github.com/nltk/nltk/compare/3.9.3...3.9.4">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump the minimum `langchain-core` dependency to `>=1.2.21` across all 14
partner packages in the monorepo. Aligns partner lower bounds with the
latest core release so consumers pick up recent fixes (notably the
`ModelProfile` schema drift fix from core 1.2.21).
Bumps [orjson](https://github.com/ijl/orjson) from 3.11.5 to 3.11.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ijl/orjson/releases">orjson's
releases</a>.</em></p>
<blockquote>
<h2>3.11.6</h2>
<h3>Changed</h3>
<ul>
<li>orjson now includes code licensed under the Mozilla Public License
2.0 (MPL-2.0).</li>
<li>Drop support for Python 3.9.</li>
<li>ABI compatibility with CPython 3.15 alpha 5.</li>
<li>Build now depends on Rust 1.89 or later instead of 1.85.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix sporadic crash serializing deeply nested <code>list</code> of
<code>dict</code>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ijl/orjson/blob/master/CHANGELOG.md">orjson's
changelog</a>.</em></p>
<blockquote>
<h2>3.11.6 - 2026-01-29</h2>
<h3>Changed</h3>
<ul>
<li>orjson now includes code licensed under the Mozilla Public License
2.0 (MPL-2.0).</li>
<li>Drop support for Python 3.9.</li>
<li>ABI compatibility with CPython 3.15 alpha 5.</li>
<li>Build now depends on Rust 1.89 or later instead of 1.85.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Fix sporadic crash serializing deeply nested <code>list</code> of
<code>dict</code>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ec02024c38"><code>ec02024</code></a>
3.11.6</li>
<li><a
href="d581687331"><code>d581687</code></a>
build, clippy misc</li>
<li><a
href="4105b29b22"><code>4105b29</code></a>
writer::num</li>
<li><a
href="62bb185b70"><code>62bb185</code></a>
Fix sporadic crash on serializing object close</li>
<li><a
href="d860078a97"><code>d860078</code></a>
PyRef idiom refactors</li>
<li><a
href="343ae2f148"><code>343ae2f</code></a>
Deserializer, Utf8Buffer</li>
<li><a
href="7835f58d1c"><code>7835f58</code></a>
PyBytesRef and other input refactor</li>
<li><a
href="71e0516424"><code>71e0516</code></a>
PyStrRef</li>
<li><a
href="1096df42dc"><code>1096df4</code></a>
MSRV 1.89</li>
<li><a
href="b718e75b8b"><code>b718e75</code></a>
Drop support for python3.9</li>
<li>Additional commits viewable in <a
href="https://github.com/ijl/orjson/compare/3.11.5...3.11.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Co-authored-by: Mason Daugherty <mason@langchain.dev>
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.2 to
6.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.5.5
releases/v6.5.4
releases/v6.5.3
releases/v6.5.2
releases/v6.5.1
releases/v6.5.0
releases/v6.4.2
releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d6465056c"><code>7d64650</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3586">#3586</a>
from bdarnell/update-cibw</li>
<li><a
href="d05d59b808"><code>d05d59b</code></a>
build: Bump cibuildwheel to 3.4.0</li>
<li><a
href="c2f46732b0"><code>c2f4673</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3585">#3585</a>
from bdarnell/release-655</li>
<li><a
href="e5f1aa4b6f"><code>e5f1aa4</code></a>
Release notes and version bump for v6.5.5</li>
<li><a
href="78a046f99f"><code>78a046f</code></a>
httputil: Add CRLF to _FORBIDDEN_HEADER_CHARS_RE</li>
<li><a
href="24a2d96ea1"><code>24a2d96</code></a>
web: Validate characters in all cookie attributes.</li>
<li><a
href="119a195e29"><code>119a195</code></a>
httputil: Add limits on multipart form data parsing</li>
<li><a
href="63d4df4eef"><code>63d4df4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3564">#3564</a>
from bdarnell/release-654</li>
<li><a
href="eadbf9adbe"><code>eadbf9a</code></a>
Release notes and version bump for 6.5.4</li>
<li><a
href="bbc2b1429c"><code>bbc2b14</code></a>
Make sure that the in-operator on HTTPHeaders is case insensitive</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.5.2...v6.5.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [nltk](https://github.com/nltk/nltk) from 3.9.2 to 3.9.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nltk/nltk/blob/develop/ChangeLog">nltk's
changelog</a>.</em></p>
<blockquote>
<p>Version 3.9.3 2026-02-21</p>
<ul>
<li>Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader (<a
href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a>)</li>
<li>Block path traversal/arbitrary reads in nltk.data for protocol-less
refs (<a
href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a>)</li>
<li>Block path traversal/abs paths in corpus readers and FS pointers (<a
href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a>, <a
href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a>)</li>
<li>Validate external StanfordSegmenter JARs using SHA256 (<a
href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a>)</li>
<li>Add optional sandbox enforcement for filestring() (<a
href="https://redirect.github.com/nltk/nltk/issues/3485">#3485</a>)</li>
<li>Maintenance: downloader/zipped models, CI/tooling updates</li>
</ul>
<p>Thanks to the following contributors to 3.9.3:
Chris Clauss, Eric Kafe, HyperPS, purificant, Shivansh-Game, Christopher
Smith</p>
<p>Version 3.9.2 2025-10-01</p>
<ul>
<li>Update download checksums to use SHA256 in built index</li>
<li>Fix percentage escape in new-style string formatting</li>
<li>replace shortened URLs using goo.gl</li>
<li>Make Wordnet interoperable with various taggers and tagged
corpora</li>
<li>Fix saving PerceptronTagger</li>
<li>Document how to reproduce old Wordnet studies</li>
<li>properly initialize Portuguese corpus reader</li>
<li>support for mixed rules conversion into Chomsky Normal Form</li>
<li>only import tkinter if a GUI is needed</li>
<li>issue <a
href="https://redirect.github.com/nltk/nltk/issues/2112">#2112</a> with
Corenlp</li>
<li>new environment variable
NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL</li>
<li>Lesk defaults to most frequent sense in case of ties</li>
</ul>
<p>Thanks to the following contributors to 3.9.2:
Jose Cols, Peter de Blanc, GeneralPoxter, Eric Kafe, William LaCroix,
Jason Liu,
Samer Masterson, Mike014, purificant, Andrew Ernest Ritz, samertm, Ikram
Ul Haq,
Christopher Smith, Ryan Mannion</p>
<p>Version 3.9.1 2024-08-19</p>
<ul>
<li>Fixed bug that prevented wordnet from loading</li>
</ul>
<p>Version 3.9 2024-08-18</p>
<ul>
<li>Fix security vulnerability CVE-2024-39705 (breaking change)</li>
<li>Replace pickled models (punkt, chunker, taggers) by new pickle-free
"_tab" packages</li>
<li>No longer sort Wordnet synsets and relations (sort in calling
function when required)</li>
<li>Only strip the last suffix in Wordnet Morphy, thus restricting
synsets() results</li>
<li>Add Python 3.12 support</li>
<li>Many other minor fixes</li>
</ul>
<p>Thanks to the following contributors to 3.8.2:
Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin
Chernyshev, Michael Higgins,
Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex
Rudnick, Liling Tan, Akihiro Yamazaki.</p>
<p>Version 3.8.1 2023-01-02</p>
<ul>
<li>Resolve RCE vulnerability in localhost WordNet Browser (<a
href="https://redirect.github.com/nltk/nltk/issues/3100">#3100</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4154eb85e8"><code>4154eb8</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3503">#3503</a> from
ekaf/hotfix-3501</li>
<li><a
href="7a710cbc8b"><code>7a710cb</code></a>
Prepare release 3.9.3</li>
<li><a
href="1056b323af"><code>1056b32</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3468">#3468</a> from
HyperPS/fix/secure-unzip-rce</li>
<li><a
href="7dc5baa98f"><code>7dc5baa</code></a>
Resolve merge conflict in tag mapping using normalized nltk resource
URL</li>
<li><a
href="7ef38b8aa6"><code>7ef38b8</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3467">#3467</a> from
HyperPS/develop</li>
<li><a
href="b2e1164bf8"><code>b2e1164</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3485">#3485</a> from
HyperPS/fix-filestring-sandbox-update</li>
<li><a
href="ac0ce55daa"><code>ac0ce55</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3480">#3480</a> from
HyperPS/fix/filesystem-sandbox-security</li>
<li><a
href="603e34d25a"><code>603e34d</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3479">#3479</a> from
HyperPS/fix/corpusreader-path-traversal</li>
<li><a
href="b63a5014aa"><code>b63a501</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3477">#3477</a> from
HyperPS/fix/stanford-segmenter-rce-sha256</li>
<li><a
href="df38955e50"><code>df38955</code></a>
Merge pull request <a
href="https://redirect.github.com/nltk/nltk/issues/3494">#3494</a> from
ekaf/ewnv</li>
<li>Additional commits viewable in <a
href="https://github.com/nltk/nltk/compare/3.9.2...3.9.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/langchain-ai/langchain/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the other-deps group with 1 update in the /libs/text-splitters
directory: [transformers](https://github.com/huggingface/transformers).
Updates `transformers` from 5.1.0 to 5.2.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7d9754a051"><code>7d9754a</code></a>
Fix unprotected torch import (<a
href="https://redirect.github.com/huggingface/transformers/issues/44055">#44055</a>)</li>
<li><a
href="a0a3d294b6"><code>a0a3d29</code></a>
Fix peft conversion typo (<a
href="https://redirect.github.com/huggingface/transformers/issues/44053">#44053</a>)</li>
<li><a
href="2096db0aa1"><code>2096db0</code></a>
v5.2.0</li>
<li><a
href="73ecc5e314"><code>73ecc5e</code></a>
[fix][wip] GlmMoeDsa: try implement DSA (<a
href="https://redirect.github.com/huggingface/transformers/issues/43912">#43912</a>)</li>
<li><a
href="349e00c1a3"><code>349e00c</code></a>
Fix early image processor return not raising error (<a
href="https://redirect.github.com/huggingface/transformers/issues/43981">#43981</a>)</li>
<li><a
href="2bd902dbc4"><code>2bd902d</code></a>
Update assignee for generate in bug report template (<a
href="https://redirect.github.com/huggingface/transformers/issues/44042">#44042</a>)</li>
<li><a
href="2546978b80"><code>2546978</code></a>
Add a dim check mechanism in Transpose and fix qwen3_vl_moe weight
mapping (#...</li>
<li><a
href="08c4ad95d4"><code>08c4ad9</code></a>
fix(models): Unpack BitNet packed weights to fix CI failure (<a
href="https://redirect.github.com/huggingface/transformers/issues/43721">#43721</a>)</li>
<li><a
href="53f8a08290"><code>53f8a08</code></a>
SINQ quantization strategy integration (adapted for Transformers V5) (<a
href="https://redirect.github.com/huggingface/transformers/issues/43112">#43112</a>)</li>
<li><a
href="9a9231632e"><code>9a92316</code></a>
split out accelerator args builder method (<a
href="https://redirect.github.com/huggingface/transformers/issues/43987">#43987</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/huggingface/transformers/compare/v5.1.0...v5.2.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the other-deps group with 4 updates in the /libs/model-profiles
directory: [pytest](https://github.com/pytest-dev/pytest),
[pytest-watcher](https://github.com/olzhasar/pytest-watcher),
[ruff](https://github.com/astral-sh/ruff) and
[mypy](https://github.com/python/mypy).
Bumps the other-deps group with 3 updates in the /libs/standard-tests
directory: [pytest](https://github.com/pytest-dev/pytest),
[ruff](https://github.com/astral-sh/ruff) and
[pytest-codspeed](https://github.com/CodSpeedHQ/pytest-codspeed).
Bumps the other-deps group with 6 updates in the /libs/text-splitters
directory:
| Package | From | To |
| --- | --- | --- |
| [pytest](https://github.com/pytest-dev/pytest) | `8.4.2` | `9.0.2` |
| [pytest-watcher](https://github.com/olzhasar/pytest-watcher) | `0.4.3`
| `0.6.3` |
| [ruff](https://github.com/astral-sh/ruff) | `0.14.11` | `0.15.0` |
| [types-requests](https://github.com/typeshed-internal/stub_uploader) |
`2.32.4.20250913` | `2.32.4.20260107` |
| [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) |
`4.14.2` | `4.14.3` |
| [transformers](https://github.com/huggingface/transformers) | `4.56.2`
| `5.1.0` |
Updates `pytest` from 8.4.2 to 9.0.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>9.0.2</h2>
<h1>pytest 9.0.2 (2025-12-06)</h1>
<h2>Bug fixes</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13896">#13896</a>:
The terminal progress feature added in pytest 9.0.0 has been disabled by
default, except on Windows, due to compatibility issues with some
terminal emulators.</p>
<p>You may enable it again by passing <code>-p terminalprogress</code>.
We may enable it by default again once compatibility improves in the
future.</p>
<p>Additionally, when the environment variable <code>TERM</code> is
<code>dumb</code>, the escape codes are no longer emitted, even if the
plugin is enabled.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13904">#13904</a>:
Fixed the TOML type of the <code>tmp_path_retention_count</code>
settings in the API reference from number to string.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>:
The private <code>config.inicfg</code> attribute was changed in a
breaking manner in pytest 9.0.0.
Due to its usage in the ecosystem, it is now restored to working order
using a compatibility shim.
It will be deprecated in pytest 9.1 and removed in pytest 10.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13965">#13965</a>:
Fixed quadratic-time behavior when handling <code>unittest</code>
subtests in Python 3.10.</p>
</li>
</ul>
<h2>Improved documentation</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/4492">#4492</a>:
The API Reference now contains cross-reference-able documentation of
<code>pytest's command-line flags
<command-line-flags></code>.</li>
</ul>
<h2>9.0.1</h2>
<h1>pytest 9.0.1 (2025-11-12)</h1>
<h2>Bug fixes</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13895">#13895</a>:
Restore support for skipping tests via <code>raise
unittest.SkipTest</code>.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13896">#13896</a>:
The terminal progress plugin added in pytest 9.0 is now automatically
disabled when iTerm2 is detected, it generated desktop notifications
instead of the desired functionality.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13904">#13904</a>:
Fixed the TOML type of the verbosity settings in the API reference from
number to string.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13910">#13910</a>:
Fixed <!-- raw HTML omitted -->UserWarning: Do not expect
file_or_dir<!-- raw HTML omitted --> on some earlier Python 3.12 and
3.13 point versions.</li>
</ul>
<h2>Packaging updates and notes for downstreams</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13933">#13933</a>:
The tox configuration has been adjusted to make sure the desired
version string can be passed into its <code>package_env</code> through
the <code>SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST</code> environment
variable as a part of the release process -- by
<code>webknjaz</code>.</li>
</ul>
<h2>Contributor-facing changes</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13891">#13891</a>,
<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13942">#13942</a>:
The CI/CD part of the release automation is now capable of
creating GitHub Releases without having a Git checkout on
disk -- by <code>bluetech</code> and <code>webknjaz</code>.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13933">#13933</a>:
The tox configuration has been adjusted to make sure the desired
version string can be passed into its <code>package_env</code> through
the <code>SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST</code> environment
variable as a part of the release process -- by
<code>webknjaz</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3d10b5148e"><code>3d10b51</code></a>
Prepare release version 9.0.2</li>
<li><a
href="188750b725"><code>188750b</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14030">#14030</a>
from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...</li>
<li><a
href="b7d7bef90c"><code>b7d7bef</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14014">#14014</a>
from bluetech/compat-note</li>
<li><a
href="bd08e85ac7"><code>bd08e85</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14013">#14013</a>
from pytest-dev/patchback/backports/9.0.x/922b60377...</li>
<li><a
href="bc78386299"><code>bc78386</code></a>
Add CLI options reference documentation (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13930">#13930</a>)</li>
<li><a
href="5a4e398ce8"><code>5a4e398</code></a>
Fix docs typo (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14005">#14005</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14008">#14008</a>)</li>
<li><a
href="d7ae6df394"><code>d7ae6df</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14006">#14006</a>
from pytest-dev/maintenance/update-plugin-list-tmpl...</li>
<li><a
href="556f6a22e1"><code>556f6a2</code></a>
pre-commit: fix rst-lint after new release (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13999">#13999</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14001">#14001</a>)</li>
<li><a
href="c60fbe63a2"><code>c60fbe6</code></a>
Fix quadratic-time behavior when handling <code>unittest</code> subtests
in Python 3.10 ...</li>
<li><a
href="73d9b01118"><code>73d9b01</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/13995">#13995</a>
from nicoddemus/patchback/backports/9.0.x/1b5200c0f...</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest/compare/8.4.2...9.0.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `pytest-watcher` from 0.4.3 to 0.6.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/olzhasar/pytest-watcher/releases">pytest-watcher's
releases</a>.</em></p>
<blockquote>
<h2>v0.6.3</h2>
<h3>Features</h3>
<ul>
<li>Add debug mode activated with <code>PTW_DEBUG</code> environment
variable and improve log messages.</li>
</ul>
<h3>Bugfixes</h3>
<ul>
<li>Fix terminal flushing after menu and header prints.</li>
<li>Use monotonic clock for trigger detection to avoid misbehavior on
clock changes.</li>
</ul>
<h2>v0.6.2</h2>
<h3>Bugfixes</h3>
<ul>
<li>Allow specifying blank patterns via CLI</li>
<li>Fix duplicate command entries in menu</li>
</ul>
<h2>v0.6.1</h2>
<h3>Bugfixes</h3>
<ul>
<li>Trigger tests in interactive mode for carriage return character</li>
</ul>
<h3>Improved Documentation</h3>
<ul>
<li>Add contributing guide</li>
</ul>
<h3>Misc</h3>
<ul>
<li>Integrate <a
href="https://towncrier.readthedocs.io/en/stable/index.html">towncrier</a>
into the development process</li>
</ul>
<h2>v0.6.0</h2>
<h2>Features</h2>
<ul>
<li>Add <code>notify-on-failure</code> flag (and config option) to emit
BEL symbol on test suite failure.</li>
</ul>
<h2>Infrastructure</h2>
<ul>
<li>Migrate from poetry to uv.</li>
<li>Remove tox.</li>
</ul>
<h2>v0.5.0</h2>
<h2>Fixes</h2>
<ul>
<li>Merge arguments passed to the runner from config and CLI instead of
overriding.</li>
</ul>
<h2>Changes</h2>
<ul>
<li>Drop support for Python 3.7 & 3.8</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/olzhasar/pytest-watcher/blob/master/CHANGELOG.md">pytest-watcher's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/olzhasar/pytest-watcher/releases/tag/0.6.3">0.6.3</a>
- 2026-01-11</h2>
<h3>Features</h3>
<ul>
<li>Add debug mode activated with <code>PTW_DEBUG</code> environment
variable and improve log messages.</li>
</ul>
<h3>Bugfixes</h3>
<ul>
<li>Fix terminal flushing after menu and header prints.</li>
<li>Use monotonic clock for trigger detection to avoid misbehavior on
clock changes.</li>
</ul>
<h2><a
href="https://github.com/olzhasar/pytest-watcher/releases/tag/0.6.2">0.6.2</a>
- 2025-12-28</h2>
<h3>Bugfixes</h3>
<ul>
<li>Allow specifying blank patterns via CLI</li>
<li>Fix duplicate command entries in menu</li>
</ul>
<h2><a
href="https://github.com/olzhasar/pytest-watcher/releases/tag/0.6.1">0.6.1</a>
- 2025-12-26</h2>
<h3>Bugfixes</h3>
<ul>
<li>Trigger tests in interactive mode for carriage return character</li>
</ul>
<h3>Improved Documentation</h3>
<ul>
<li>Add contributing guide</li>
</ul>
<h3>Misc</h3>
<ul>
<li>Integrate <a
href="https://towncrier.readthedocs.io/en/stable/index.html">towncrier</a>
into the development process</li>
</ul>
<h2><a
href="https://github.com/olzhasar/pytest-watcher/releases/tag/0.6.0">0.6.0</a>
- 2025-12-22</h2>
<h3>Features</h3>
<ul>
<li>Add notify-on-failure flag (and config option) to emit BEL symbol on
test suite failure.</li>
</ul>
<h3>Infrastructure</h3>
<ul>
<li>Migrate from <code>poetry</code> to <code>uv</code>.</li>
<li>Remove <code>tox</code>.</li>
</ul>
<h2><a
href="https://github.com/olzhasar/pytest-watcher/releases/tag/0.5.0">0.5.0</a>
- 2025-12-21</h2>
<h3>Fixes</h3>
<ul>
<li>Merge arguments passed to the runner from config and CLI instead of
overriding.</li>
</ul>
<h3>Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c52925b613"><code>c52925b</code></a>
release v0.6.3</li>
<li><a
href="23d49893f7"><code>23d4989</code></a>
Add debug mode. Improve log messages</li>
<li><a
href="e3dffa1cb3"><code>e3dffa1</code></a>
Fix terminal flushing after menu and header prints</li>
<li><a
href="0eeaf6080e"><code>0eeaf60</code></a>
Use monotonic clock for trigger detection</li>
<li><a
href="5ed9d0e262"><code>5ed9d0e</code></a>
Update CHANGELOG. Fix changelog_reader action</li>
<li><a
href="756f005f5d"><code>756f005</code></a>
release v0.6.2</li>
<li><a
href="902aa9e07b"><code>902aa9e</code></a>
Merge pull request <a
href="https://redirect.github.com/olzhasar/pytest-watcher/issues/51">#51</a>
from olzhasar/fix-duplicate-menu</li>
<li><a
href="e6b20d35b9"><code>e6b20d3</code></a>
Allow specifying empty patterns via CLI</li>
<li><a
href="2d522dabf9"><code>2d522da</code></a>
Fix duplicate menu entries</li>
<li><a
href="171e6f1282"><code>171e6f1</code></a>
Fix towncrier CHANGELOG versioning</li>
<li>Additional commits viewable in <a
href="https://github.com/olzhasar/pytest-watcher/compare/v0.4.3...v0.6.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `pytest-asyncio` from 1.2.0 to 1.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest-asyncio/releases">pytest-asyncio's
releases</a>.</em></p>
<blockquote>
<h2>pytest-asyncio 1.3.0</h2>
<h1><a
href="https://github.com/pytest-dev/pytest-asyncio/tree/1.3.0">1.3.0</a>
- 2025-11-10</h1>
<h2>Removed</h2>
<ul>
<li>Support for Python 3.9 (<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/1278">#1278</a>)</li>
</ul>
<h2>Added</h2>
<ul>
<li>Support for pytest 9 (<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/1279">#1279</a>)</li>
</ul>
<h2>Notes for Downstream Packagers</h2>
<ul>
<li>Tested Python versions include free threaded Python 3.14t (<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/1274">#1274</a>)</li>
<li>Tests are run in the same pytest process, instead of spawning a
subprocess with <code>pytest.Pytester.runpytest_subprocess</code>. This
prevents the test suite from accidentally using a system installation of
pytest-asyncio, which could result in test errors. (<a
href="https://redirect.github.com/pytest-dev/pytest-asyncio/issues/1275">#1275</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2e9695fcf8"><code>2e9695f</code></a>
docs: Compile changelog for v1.3.0</li>
<li><a
href="dd0e9ba3fa"><code>dd0e9ba</code></a>
docs: Reference correct issue in news fragment.</li>
<li><a
href="4c31abe5bf"><code>4c31abe</code></a>
Build(deps): Bump nh3 from 0.3.1 to 0.3.2</li>
<li><a
href="13e94770d7"><code>13e9477</code></a>
Link to migration guides from changelog</li>
<li><a
href="4d2cf3c36f"><code>4d2cf3c</code></a>
tests: handle Python 3.14 DefaultEventLoopPolicy deprecation
warnings</li>
<li><a
href="ee3549b6ef"><code>ee3549b</code></a>
test: Remove obsolete test for the event_loop fixture.</li>
<li><a
href="7a67c82c5a"><code>7a67c82</code></a>
tests: Fix failing test by preventing warning conversion to error.</li>
<li><a
href="a17b689a75"><code>a17b689</code></a>
test: add pytest config to isolated test directories</li>
<li><a
href="18afc9df5a"><code>18afc9d</code></a>
fix(tests): replace runpytest_subprocess with runpytest</li>
<li><a
href="cdc6bd1de7"><code>cdc6bd1</code></a>
Add support for pytest 9 and drop Python 3.9 support</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest-asyncio/compare/v1.2.0...v1.3.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `syrupy` from 4.9.1 to 5.1.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/syrupy-project/syrupy/releases">syrupy's
releases</a>.</em></p>
<blockquote>
<h2>v5.1.0</h2>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v5.0.0...v5.1.0">5.1.0</a>
(2026-01-25)</h1>
<h3>Features</h3>
<ul>
<li>add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)
(<a
href="df9bc8f6b3">df9bc8f</a>)</li>
</ul>
<h2>v5.0.0</h2>
<h2>Syrupy 5.0.0</h2>
<p><em>(2025-09-28)</em></p>
<p>This release introduces new features, bug fixes, and a major license
change. It also includes several <strong>breaking changes</strong>, so
please review those carefully before upgrading.</p>
<hr />
<h3>New Features ✨</h3>
<ul>
<li><strong>Add <code>--snapshot-dirname</code> option:</strong> A new
option, <code>--snapshot-dirname</code>, is now available to change the
default directory snapshots are stored in. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">#810</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">syrupy-project/syrupy#810</a>))</li>
<li><strong>Remove private underscore prefix:</strong> The unnecessary
underscore prefixes have been removed from public methods for better
code clarity. ([<a
href="8cfc9059d3">8cfc905</a>](<a
href="8cfc9059d3</a>))</li>
</ul>
<hr />
<h3>Bug Fixes 🐛</h3>
<ul>
<li><strong>Fix terminal summary for <code>xdist</code>
workers:</strong> Resolves an issue where the terminal summary was not
displayed correctly with <code>xdist</code> workers. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">#978</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">syrupy-project/syrupy#978</a>))</li>
<li><strong>Ensure <code>pytest_assertrepr_compare</code> hook is called
first:</strong> This change ensures that Syrupy's assertion hook takes
precedence, improving compatibility with other plugins. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">#984</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">syrupy-project/syrupy#984</a>))</li>
</ul>
<hr />
<h3>Breaking Changes ⚠️</h3>
<ul>
<li>
<p><strong>License change:</strong> The project has switched to the more
permissive <strong>MIT license</strong>. This change applies to all
versions from 5.0.0 and beyond. If you need to use the previous Apache
2.0 license, you must continue to use Syrupy versions 4.x or earlier.
([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">#945</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">syrupy-project/syrupy#945</a>))</p>
</li>
<li>
<p><strong>Python and pytest version requirements:</strong> Syrupy now
requires <strong>Python 3.10</strong> or higher. Support for Python 3.8
has been dropped as it reached its end of life in October 2024. The
minimum required version of <strong>pytest is v8</strong>. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">#904</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">syrupy-project/syrupy#904</a>),
[<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">#1024</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">syrupy-project/syrupy#1024</a>))</p>
</li>
<li>
<p><strong>Method and constant name changes:</strong> Several methods
and constants have been renamed for improved clarity and to align with
public API standards.</p>
<ul>
<li>
<p><strong><code>SnapshotCollectionStorage</code></strong></p>
<ul>
<li><code>_read_snapshot_collection</code> ->
<code>read_snapshot_collection</code></li>
<li><code>_read_snapshot_data_from_location</code> ->
<code>read_snapshot_data_from_location</code></li>
<li><code>_write_snapshot_collection</code> ->
<code>write_snapshot_collection</code></li>
<li><code>_get_file_basename</code> ->
<code>get_file_basename</code></li>
<li><code>_file_extension</code> -> <code>file_extension</code></li>
</ul>
</li>
<li>
<p><strong><code>AmberDataSerializer</code></strong></p>
<ul>
<li><code>_snapshot_sort_key</code> ->
<code>snapshot_sort_key</code></li>
</ul>
</li>
<li>
<p><strong>Constants</strong></p>
<ul>
<li><code>SNAPSHOT_EMPTY_FOSSIL_KEY</code> ->
<code>SNAPSHOT_EMPTY_COLLECTION_KEY</code></li>
<li><code>SNAPSHOT_UNKNOWN_FOSSIL_KEY</code> ->
<code>SNAPSHOT_UNKNOWN_COLLECTION_KEY</code></li>
</ul>
</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/syrupy-project/syrupy/blob/main/CHANGELOG.md">syrupy's
changelog</a>.</em></p>
<blockquote>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v5.0.0...v5.1.0">5.1.0</a>
(2026-01-25)</h1>
<h3>Features</h3>
<ul>
<li>add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)
(<a
href="df9bc8f6b3">df9bc8f</a>)</li>
</ul>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v4.9.1...v5.0.0">5.0.0</a>
(2025-09-28)</h1>
<ul>
<li>Switch to MIT license (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">#945</a>)
(<a
href="d74d340f88">d74d340</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>Block terminal summary for xdist workers. (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">#978</a>)
(<a
href="33a848df7c">33a848d</a>)</li>
<li>ensure syrupy's pytest_assertrepr_compare hook is called first. (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">#984</a>)
(<a
href="eb0024d339">eb0024d</a>)</li>
</ul>
<h3>Code Refactoring</h3>
<ul>
<li>remove incorrect private underscore prefix from public methods (<a
href="8cfc9059d3">8cfc905</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>add --snapshot-dirname option, close <a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">#810</a>
(<a
href="27135c7c86">27135c7</a>)</li>
<li>drop support for py3.8, raise min. pytest to v8 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">#904</a>)
(<a
href="a879ff15ad">a879ff1</a>)</li>
<li>update min. python version to 3.10 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">#1024</a>)
(<a
href="16b4113cd5">16b4113</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>The following methods have been renamed:</li>
</ul>
<p>SnapshotCollectionStorage</p>
<ul>
<li>_read_snapshot_collection -> read_snapshot_collection</li>
<li>_read_snapshot_data_from_location ->
read_snapshot_data_from_location</li>
<li>_write_snapshot_collection -> write_snapshot_collection</li>
<li>_get_file_basename -> get_file_basename</li>
<li>_file_extension -> file_extension</li>
</ul>
<p>AmberDataSerializer</p>
<ul>
<li>_snapshot_sort_key -> snapshot_sort_key</li>
</ul>
<p>Renamed constants to improve clarity:</p>
<p>constants</p>
<ul>
<li>SNAPSHOT_EMPTY_FOSSIL_KEY -> SNAPSHOT_EMPTY_COLLECTION_KEY</li>
<li>SNAPSHOT_UNKNOWN_FOSSIL_KEY ->
SNAPSHOT_UNKNOWN_COLLECTION_KEY</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7096efdee6"><code>7096efd</code></a>
chore(release): 5.1.0 [skip ci]</li>
<li><a
href="07aa00dd48"><code>07aa00d</code></a>
chore(deps): update dependency attrs to v25 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1063">#1063</a>)</li>
<li><a
href="1f29ae061e"><code>1f29ae0</code></a>
docs: add bwrob as a contributor for code (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1064">#1064</a>)</li>
<li><a
href="df9bc8f6b3"><code>df9bc8f</code></a>
feat: add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)</li>
<li><a
href="841257deaf"><code>841257d</code></a>
chore(deps): update dependency coverage to v7.13.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1061">#1061</a>)</li>
<li><a
href="2d8dfa7f7b"><code>2d8dfa7</code></a>
chore(deps): update codecov/codecov-action action to v5.5.2 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1056">#1056</a>)</li>
<li><a
href="f5f9ef7702"><code>f5f9ef7</code></a>
chore(deps): update dependency debugpy to v1.8.18 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1057">#1057</a>)</li>
<li><a
href="eaeb6ae11f"><code>eaeb6ae</code></a>
chore(deps): update dependency pytest to v9.0.2 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1055">#1055</a>)</li>
<li><a
href="263b23b768"><code>263b23b</code></a>
chore(deps): update python docker tag to v3.14.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1054">#1054</a>)</li>
<li><a
href="a0dd77b023"><code>a0dd77b</code></a>
chore(deps): update actions/checkout action to v6.0.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1053">#1053</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/syrupy-project/syrupy/compare/v4.9.1...v5.1.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `ruff` from 0.12.12 to 0.15.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/releases">ruff's
releases</a>.</em></p>
<blockquote>
<h2>0.15.0</h2>
<h2>Release Notes</h2>
<p>Released on 2026-02-03.</p>
<p>Check out the <a href="https://astral.sh/blog/ruff-v0.15.0">blog
post</a> for a migration guide and overview of the changes!</p>
<h3>Breaking changes</h3>
<ul>
<li>
<p>Ruff now formats your code according to the 2026 style guide. See the
formatter section below or in the blog post for a detailed list of
changes.</p>
</li>
<li>
<p>The linter now supports block suppression comments. For example, to
suppress <code>N803</code> for all parameters in this function:</p>
<pre lang="python"><code># ruff: disable[N803]
def foo(
legacyArg1,
legacyArg2,
legacyArg3,
legacyArg4,
): ...
# ruff: enable[N803]
</code></pre>
<p>See the <a
href="https://docs.astral.sh/ruff/linter/#block-level">documentation</a>
for more details.</p>
</li>
<li>
<p>The <code>ruff:alpine</code> Docker image is now based on Alpine 3.23
(up from 3.21).</p>
</li>
<li>
<p>The <code>ruff:debian</code> and <code>ruff:debian-slim</code> Docker
images are now based on Debian 13 "Trixie" instead of Debian
12 "Bookworm."</p>
</li>
<li>
<p>Binaries for the <code>ppc64</code> (64-bit big-endian PowerPC)
architecture are no longer included in our releases. It should still be
possible to build Ruff manually for this platform, if needed.</p>
</li>
<li>
<p>Ruff now resolves all <code>extend</code>ed configuration files
before falling back on a default Python version.</p>
</li>
</ul>
<h3>Stabilization</h3>
<p>The following rules have been stabilized and are no longer in
preview:</p>
<ul>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-http-call-httpx-in-async-function"><code>blocking-http-call-httpx-in-async-function</code></a>
(<code>ASYNC212</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-path-method-in-async-function"><code>blocking-path-method-in-async-function</code></a>
(<code>ASYNC240</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-input-in-async-function"><code>blocking-input-in-async-function</code></a>
(<code>ASYNC250</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/map-without-explicit-strict"><code>map-without-explicit-strict</code></a>
(<code>B912</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/if-exp-instead-of-or-operator"><code>if-exp-instead-of-or-operator</code></a>
(<code>FURB110</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/single-item-membership-test"><code>single-item-membership-test</code></a>
(<code>FURB171</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/missing-maxsplit-arg"><code>missing-maxsplit-arg</code></a>
(<code>PLC0207</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/unnecessary-lambda"><code>unnecessary-lambda</code></a>
(<code>PLW0108</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/unnecessary-empty-iterable-within-deque-call"><code>unnecessary-empty-iterable-within-deque-call</code></a>
(<code>RUF037</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/in-empty-collection"><code>in-empty-collection</code></a>
(<code>RUF060</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/legacy-form-pytest-raises"><code>legacy-form-pytest-raises</code></a>
(<code>RUF061</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/non-octal-permissions"><code>non-octal-permissions</code></a>
(<code>RUF064</code>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md">ruff's
changelog</a>.</em></p>
<blockquote>
<h2>0.15.0</h2>
<p>Released on 2026-02-03.</p>
<p>Check out the <a href="https://astral.sh/blog/ruff-v0.15.0">blog
post</a> for a migration
guide and overview of the changes!</p>
<h3>Breaking changes</h3>
<ul>
<li>
<p>Ruff now formats your code according to the 2026 style guide. See the
formatter section below or in the blog post for a detailed list of
changes.</p>
</li>
<li>
<p>The linter now supports block suppression comments. For example, to
suppress <code>N803</code> for all parameters in this function:</p>
<pre lang="python"><code># ruff: disable[N803]
def foo(
legacyArg1,
legacyArg2,
legacyArg3,
legacyArg4,
): ...
# ruff: enable[N803]
</code></pre>
<p>See the <a
href="https://docs.astral.sh/ruff/linter/#block-level">documentation</a>
for more details.</p>
</li>
<li>
<p>The <code>ruff:alpine</code> Docker image is now based on Alpine 3.23
(up from 3.21).</p>
</li>
<li>
<p>The <code>ruff:debian</code> and <code>ruff:debian-slim</code> Docker
images are now based on Debian 13 "Trixie" instead of Debian
12 "Bookworm."</p>
</li>
<li>
<p>Binaries for the <code>ppc64</code> (64-bit big-endian PowerPC)
architecture are no longer included in our releases. It should still be
possible to build Ruff manually for this platform, if needed.</p>
</li>
<li>
<p>Ruff now resolves all <code>extend</code>ed configuration files
before falling back on a default Python version.</p>
</li>
</ul>
<h3>Stabilization</h3>
<p>The following rules have been stabilized and are no longer in
preview:</p>
<ul>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-http-call-httpx-in-async-function"><code>blocking-http-call-httpx-in-async-function</code></a>
(<code>ASYNC212</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-path-method-in-async-function"><code>blocking-path-method-in-async-function</code></a>
(<code>ASYNC240</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-input-in-async-function"><code>blocking-input-in-async-function</code></a>
(<code>ASYNC250</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/map-without-explicit-strict"><code>map-without-explicit-strict</code></a>
(<code>B912</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/if-exp-instead-of-or-operator"><code>if-exp-instead-of-or-operator</code></a>
(<code>FURB110</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/single-item-membership-test"><code>single-item-membership-test</code></a>
(<code>FURB171</code>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ce5f7b6127"><code>ce5f7b6</code></a>
Bump 0.15.0 (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23055">#23055</a>)</li>
<li><a
href="b4e40f539c"><code>b4e40f5</code></a>
[ty] Fix <code>__contains__</code> to respect descriptors (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23056">#23056</a>)</li>
<li><a
href="848cb72dc1"><code>848cb72</code></a>
[ty] Fix narrowing of nonlocal variables with conditional assignments
(<a
href="https://redirect.github.com/astral-sh/ruff/issues/22966">#22966</a>)</li>
<li><a
href="da7f33af22"><code>da7f33a</code></a>
[ty] Add a diagnostic for <code>Final</code> without assignment (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23001">#23001</a>)</li>
<li><a
href="e65f9a6b03"><code>e65f9a6</code></a>
Document markdown formatting feature (<a
href="https://redirect.github.com/astral-sh/ruff/issues/22990">#22990</a>)</li>
<li><a
href="c0c1b985c9"><code>c0c1b98</code></a>
Format markdown code blocks with line-by-line regex parse (<a
href="https://redirect.github.com/astral-sh/ruff/issues/22996">#22996</a>)</li>
<li><a
href="9f8f3e196b"><code>9f8f3e1</code></a>
Allow positional-only params with defaults in method overrides (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23037">#23037</a>)</li>
<li><a
href="ef83810e11"><code>ef83810</code></a>
[ty] ecosystem-analyzer: Support bare git repositories (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23054">#23054</a>)</li>
<li><a
href="54dfee4cb8"><code>54dfee4</code></a>
Customize where the <code>fix_title</code> sub-diagnostic appears (<a
href="https://redirect.github.com/astral-sh/ruff/issues/23044">#23044</a>)</li>
<li><a
href="b53460799b"><code>b534607</code></a>
2026 Ruff Formatter Style (<a
href="https://redirect.github.com/astral-sh/ruff/issues/22735">#22735</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/astral-sh/ruff/compare/0.12.12...0.15.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `mypy` from 1.18.2 to 1.19.1
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/python/mypy/blob/master/CHANGELOG.md">mypy's
changelog</a>.</em></p>
<blockquote>
<h3>Mypy 1.19.1</h3>
<ul>
<li>Fix noncommutative joins with bounded TypeVars (Shantanu, PR <a
href="https://redirect.github.com/python/mypy/pull/20345">20345</a>)</li>
<li>Respect output format for cached runs by serializing raw errors in
cache metas (Ivan Levkivskyi, PR <a
href="https://redirect.github.com/python/mypy/pull/20372">20372</a>)</li>
<li>Allow <code>types.NoneType</code> in match cases (A5rocks, PR <a
href="https://redirect.github.com/python/mypy/pull/20383">20383</a>)</li>
<li>Fix mypyc generator regression with empty tuple (BobTheBuidler, PR
<a
href="https://redirect.github.com/python/mypy/pull/20371">20371</a>)</li>
<li>Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR <a
href="https://redirect.github.com/python/mypy/pull/20323">20323</a>)</li>
<li>Fix crash on star import of redefinition (Ivan Levkivskyi, PR <a
href="https://redirect.github.com/python/mypy/pull/20333">20333</a>)</li>
<li>Fix crash on typevar with forward ref used in other module (Ivan
Levkivskyi, PR <a
href="https://redirect.github.com/python/mypy/pull/20334">20334</a>)</li>
<li>Fail with an explicit error on PyPy (Ivan Levkivskyi, PR <a
href="https://redirect.github.com/python/mypy/pull/20389">20389</a>)</li>
</ul>
<h3>Acknowledgements</h3>
<p>Thanks to all mypy contributors who contributed to this release:</p>
<ul>
<li>A5rocks</li>
<li>BobTheBuidler</li>
<li>bzoracler</li>
<li>Chainfire</li>
<li>Christoph Tyralla</li>
<li>David Foster</li>
<li>Frank Dana</li>
<li>Guo Ci</li>
<li>iap</li>
<li>Ivan Levkivskyi</li>
<li>James Hilton-Balfe</li>
<li>jhance</li>
<li>Joren Hammudoglu</li>
<li>Jukka Lehtosalo</li>
<li>KarelKenens</li>
<li>Kevin Kannammalil</li>
<li>Marc Mueller</li>
<li>Michael Carlstrom</li>
<li>Michael J. Sullivan</li>
<li>Piotr Sawicki</li>
<li>Randolf Scholz</li>
<li>Shantanu</li>
<li>Sigve Sebastian Farstad</li>
<li>sobolevn</li>
<li>Stanislav Terliakov</li>
<li>Stephen Morton</li>
<li>Theodore Ando</li>
<li>Thiago J. Barbalho</li>
<li>wyattscarpenter</li>
</ul>
<p>I’d also like to thank my employer, Dropbox, for supporting mypy
development.</p>
<h2>Mypy 1.18</h2>
<p>We’ve just uploaded mypy 1.18.1 to the Python Package Index (<a
href="https://pypi.org/project/mypy/">PyPI</a>).
Mypy is a static type checker for Python. This release includes new
features, performance</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="412c19a6bd"><code>412c19a</code></a>
Bump version to 1.19.1</li>
<li><a
href="20aea0a6ca"><code>20aea0a</code></a>
Update changelog for 1.19.1 (<a
href="https://redirect.github.com/python/mypy/issues/20414">#20414</a>)</li>
<li><a
href="2b23b50752"><code>2b23b50</code></a>
Serialize raw errors in cache metas (<a
href="https://redirect.github.com/python/mypy/issues/20372">#20372</a>)</li>
<li><a
href="f60f90fb88"><code>f60f90f</code></a>
Fail on PyPy in main instead of setup.py (<a
href="https://redirect.github.com/python/mypy/issues/20389">#20389</a>)</li>
<li><a
href="58d485b4ea"><code>58d485b</code></a>
Fail with an explicit error on PyPy (<a
href="https://redirect.github.com/python/mypy/issues/20384">#20384</a>)</li>
<li><a
href="a4b31a2678"><code>a4b31a2</code></a>
Allow <code>types.NoneType</code> in match cases (<a
href="https://redirect.github.com/python/mypy/issues/20383">#20383</a>)</li>
<li><a
href="8a6eff4784"><code>8a6eff4</code></a>
[mypyc] fix generator regression with empty tuple (<a
href="https://redirect.github.com/python/mypy/issues/20371">#20371</a>)</li>
<li><a
href="70eceea682"><code>70eceea</code></a>
Fix noncommutative joins with bounded TypeVars (<a
href="https://redirect.github.com/python/mypy/issues/20345">#20345</a>)</li>
<li><a
href="3890fc49bf"><code>3890fc4</code></a>
Fix crash involving Unpack-ed TypeVarTuple (<a
href="https://redirect.github.com/python/mypy/issues/20323">#20323</a>)</li>
<li><a
href="c93d917a86"><code>c93d917</code></a>
Fix crash on star import of redefinition (<a
href="https://redirect.github.com/python/mypy/issues/20333">#20333</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/python/mypy/compare/v1.18.2...v1.19.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `pytest` from 8.4.2 to 9.0.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pytest-dev/pytest/releases">pytest's
releases</a>.</em></p>
<blockquote>
<h2>9.0.2</h2>
<h1>pytest 9.0.2 (2025-12-06)</h1>
<h2>Bug fixes</h2>
<ul>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13896">#13896</a>:
The terminal progress feature added in pytest 9.0.0 has been disabled by
default, except on Windows, due to compatibility issues with some
terminal emulators.</p>
<p>You may enable it again by passing <code>-p terminalprogress</code>.
We may enable it by default again once compatibility improves in the
future.</p>
<p>Additionally, when the environment variable <code>TERM</code> is
<code>dumb</code>, the escape codes are no longer emitted, even if the
plugin is enabled.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13904">#13904</a>:
Fixed the TOML type of the <code>tmp_path_retention_count</code>
settings in the API reference from number to string.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>:
The private <code>config.inicfg</code> attribute was changed in a
breaking manner in pytest 9.0.0.
Due to its usage in the ecosystem, it is now restored to working order
using a compatibility shim.
It will be deprecated in pytest 9.1 and removed in pytest 10.</p>
</li>
<li>
<p><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13965">#13965</a>:
Fixed quadratic-time behavior when handling <code>unittest</code>
subtests in Python 3.10.</p>
</li>
</ul>
<h2>Improved documentation</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/4492">#4492</a>:
The API Reference now contains cross-reference-able documentation of
<code>pytest's command-line flags
<command-line-flags></code>.</li>
</ul>
<h2>9.0.1</h2>
<h1>pytest 9.0.1 (2025-11-12)</h1>
<h2>Bug fixes</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13895">#13895</a>:
Restore support for skipping tests via <code>raise
unittest.SkipTest</code>.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13896">#13896</a>:
The terminal progress plugin added in pytest 9.0 is now automatically
disabled when iTerm2 is detected, it generated desktop notifications
instead of the desired functionality.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13904">#13904</a>:
Fixed the TOML type of the verbosity settings in the API reference from
number to string.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13910">#13910</a>:
Fixed <!-- raw HTML omitted -->UserWarning: Do not expect
file_or_dir<!-- raw HTML omitted --> on some earlier Python 3.12 and
3.13 point versions.</li>
</ul>
<h2>Packaging updates and notes for downstreams</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13933">#13933</a>:
The tox configuration has been adjusted to make sure the desired
version string can be passed into its <code>package_env</code> through
the <code>SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST</code> environment
variable as a part of the release process -- by
<code>webknjaz</code>.</li>
</ul>
<h2>Contributor-facing changes</h2>
<ul>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13891">#13891</a>,
<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13942">#13942</a>:
The CI/CD part of the release automation is now capable of
creating GitHub Releases without having a Git checkout on
disk -- by <code>bluetech</code> and <code>webknjaz</code>.</li>
<li><a
href="https://redirect.github.com/pytest-dev/pytest/issues/13933">#13933</a>:
The tox configuration has been adjusted to make sure the desired
version string can be passed into its <code>package_env</code> through
the <code>SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST</code> environment
variable as a part of the release process -- by
<code>webknjaz</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3d10b5148e"><code>3d10b51</code></a>
Prepare release version 9.0.2</li>
<li><a
href="188750b725"><code>188750b</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14030">#14030</a>
from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...</li>
<li><a
href="b7d7bef90c"><code>b7d7bef</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14014">#14014</a>
from bluetech/compat-note</li>
<li><a
href="bd08e85ac7"><code>bd08e85</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14013">#14013</a>
from pytest-dev/patchback/backports/9.0.x/922b60377...</li>
<li><a
href="bc78386299"><code>bc78386</code></a>
Add CLI options reference documentation (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13930">#13930</a>)</li>
<li><a
href="5a4e398ce8"><code>5a4e398</code></a>
Fix docs typo (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14005">#14005</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14008">#14008</a>)</li>
<li><a
href="d7ae6df394"><code>d7ae6df</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/14006">#14006</a>
from pytest-dev/maintenance/update-plugin-list-tmpl...</li>
<li><a
href="556f6a22e1"><code>556f6a2</code></a>
pre-commit: fix rst-lint after new release (<a
href="https://redirect.github.com/pytest-dev/pytest/issues/13999">#13999</a>)
(<a
href="https://redirect.github.com/pytest-dev/pytest/issues/14001">#14001</a>)</li>
<li><a
href="c60fbe63a2"><code>c60fbe6</code></a>
Fix quadratic-time behavior when handling <code>unittest</code> subtests
in Python 3.10 ...</li>
<li><a
href="73d9b01118"><code>73d9b01</code></a>
Merge pull request <a
href="https://redirect.github.com/pytest-dev/pytest/issues/13995">#13995</a>
from nicoddemus/patchback/backports/9.0.x/1b5200c0f...</li>
<li>Additional commits viewable in <a
href="https://github.com/pytest-dev/pytest/compare/8.4.2...9.0.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `syrupy` from 4.9.1 to 5.1.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/syrupy-project/syrupy/releases">syrupy's
releases</a>.</em></p>
<blockquote>
<h2>v5.1.0</h2>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v5.0.0...v5.1.0">5.1.0</a>
(2026-01-25)</h1>
<h3>Features</h3>
<ul>
<li>add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)
(<a
href="df9bc8f6b3">df9bc8f</a>)</li>
</ul>
<h2>v5.0.0</h2>
<h2>Syrupy 5.0.0</h2>
<p><em>(2025-09-28)</em></p>
<p>This release introduces new features, bug fixes, and a major license
change. It also includes several <strong>breaking changes</strong>, so
please review those carefully before upgrading.</p>
<hr />
<h3>New Features ✨</h3>
<ul>
<li><strong>Add <code>--snapshot-dirname</code> option:</strong> A new
option, <code>--snapshot-dirname</code>, is now available to change the
default directory snapshots are stored in. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">#810</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">syrupy-project/syrupy#810</a>))</li>
<li><strong>Remove private underscore prefix:</strong> The unnecessary
underscore prefixes have been removed from public methods for better
code clarity. ([<a
href="8cfc9059d3">8cfc905</a>](<a
href="8cfc9059d3</a>))</li>
</ul>
<hr />
<h3>Bug Fixes 🐛</h3>
<ul>
<li><strong>Fix terminal summary for <code>xdist</code>
workers:</strong> Resolves an issue where the terminal summary was not
displayed correctly with <code>xdist</code> workers. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">#978</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">syrupy-project/syrupy#978</a>))</li>
<li><strong>Ensure <code>pytest_assertrepr_compare</code> hook is called
first:</strong> This change ensures that Syrupy's assertion hook takes
precedence, improving compatibility with other plugins. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">#984</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">syrupy-project/syrupy#984</a>))</li>
</ul>
<hr />
<h3>Breaking Changes ⚠️</h3>
<ul>
<li>
<p><strong>License change:</strong> The project has switched to the more
permissive <strong>MIT license</strong>. This change applies to all
versions from 5.0.0 and beyond. If you need to use the previous Apache
2.0 license, you must continue to use Syrupy versions 4.x or earlier.
([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">#945</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">syrupy-project/syrupy#945</a>))</p>
</li>
<li>
<p><strong>Python and pytest version requirements:</strong> Syrupy now
requires <strong>Python 3.10</strong> or higher. Support for Python 3.8
has been dropped as it reached its end of life in October 2024. The
minimum required version of <strong>pytest is v8</strong>. ([<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">#904</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">syrupy-project/syrupy#904</a>),
[<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">#1024</a>](<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">syrupy-project/syrupy#1024</a>))</p>
</li>
<li>
<p><strong>Method and constant name changes:</strong> Several methods
and constants have been renamed for improved clarity and to align with
public API standards.</p>
<ul>
<li>
<p><strong><code>SnapshotCollectionStorage</code></strong></p>
<ul>
<li><code>_read_snapshot_collection</code> ->
<code>read_snapshot_collection</code></li>
<li><code>_read_snapshot_data_from_location</code> ->
<code>read_snapshot_data_from_location</code></li>
<li><code>_write_snapshot_collection</code> ->
<code>write_snapshot_collection</code></li>
<li><code>_get_file_basename</code> ->
<code>get_file_basename</code></li>
<li><code>_file_extension</code> -> <code>file_extension</code></li>
</ul>
</li>
<li>
<p><strong><code>AmberDataSerializer</code></strong></p>
<ul>
<li><code>_snapshot_sort_key</code> ->
<code>snapshot_sort_key</code></li>
</ul>
</li>
<li>
<p><strong>Constants</strong></p>
<ul>
<li><code>SNAPSHOT_EMPTY_FOSSIL_KEY</code> ->
<code>SNAPSHOT_EMPTY_COLLECTION_KEY</code></li>
<li><code>SNAPSHOT_UNKNOWN_FOSSIL_KEY</code> ->
<code>SNAPSHOT_UNKNOWN_COLLECTION_KEY</code></li>
</ul>
</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/syrupy-project/syrupy/blob/main/CHANGELOG.md">syrupy's
changelog</a>.</em></p>
<blockquote>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v5.0.0...v5.1.0">5.1.0</a>
(2026-01-25)</h1>
<h3>Features</h3>
<ul>
<li>add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)
(<a
href="df9bc8f6b3">df9bc8f</a>)</li>
</ul>
<h1><a
href="https://github.com/syrupy-project/syrupy/compare/v4.9.1...v5.0.0">5.0.0</a>
(2025-09-28)</h1>
<ul>
<li>Switch to MIT license (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/945">#945</a>)
(<a
href="d74d340f88">d74d340</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>Block terminal summary for xdist workers. (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/978">#978</a>)
(<a
href="33a848df7c">33a848d</a>)</li>
<li>ensure syrupy's pytest_assertrepr_compare hook is called first. (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/984">#984</a>)
(<a
href="eb0024d339">eb0024d</a>)</li>
</ul>
<h3>Code Refactoring</h3>
<ul>
<li>remove incorrect private underscore prefix from public methods (<a
href="8cfc9059d3">8cfc905</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>add --snapshot-dirname option, close <a
href="https://redirect.github.com/syrupy-project/syrupy/issues/810">#810</a>
(<a
href="27135c7c86">27135c7</a>)</li>
<li>drop support for py3.8, raise min. pytest to v8 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/904">#904</a>)
(<a
href="a879ff15ad">a879ff1</a>)</li>
<li>update min. python version to 3.10 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1024">#1024</a>)
(<a
href="16b4113cd5">16b4113</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>The following methods have been renamed:</li>
</ul>
<p>SnapshotCollectionStorage</p>
<ul>
<li>_read_snapshot_collection -> read_snapshot_collection</li>
<li>_read_snapshot_data_from_location ->
read_snapshot_data_from_location</li>
<li>_write_snapshot_collection -> write_snapshot_collection</li>
<li>_get_file_basename -> get_file_basename</li>
<li>_file_extension -> file_extension</li>
</ul>
<p>AmberDataSerializer</p>
<ul>
<li>_snapshot_sort_key -> snapshot_sort_key</li>
</ul>
<p>Renamed constants to improve clarity:</p>
<p>constants</p>
<ul>
<li>SNAPSHOT_EMPTY_FOSSIL_KEY -> SNAPSHOT_EMPTY_COLLECTION_KEY</li>
<li>SNAPSHOT_UNKNOWN_FOSSIL_KEY ->
SNAPSHOT_UNKNOWN_COLLECTION_KEY</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7096efdee6"><code>7096efd</code></a>
chore(release): 5.1.0 [skip ci]</li>
<li><a
href="07aa00dd48"><code>07aa00d</code></a>
chore(deps): update dependency attrs to v25 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1063">#1063</a>)</li>
<li><a
href="1f29ae061e"><code>1f29ae0</code></a>
docs: add bwrob as a contributor for code (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1064">#1064</a>)</li>
<li><a
href="df9bc8f6b3"><code>df9bc8f</code></a>
feat: add serializer plugin system; plugins for data models (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1062">#1062</a>)</li>
<li><a
href="841257deaf"><code>841257d</code></a>
chore(deps): update dependency coverage to v7.13.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1061">#1061</a>)</li>
<li><a
href="2d8dfa7f7b"><code>2d8dfa7</code></a>
chore(deps): update codecov/codecov-action action to v5.5.2 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1056">#1056</a>)</li>
<li><a
href="f5f9ef7702"><code>f5f9ef7</code></a>
chore(deps): update dependency debugpy to v1.8.18 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1057">#1057</a>)</li>
<li><a
href="eaeb6ae11f"><code>eaeb6ae</code></a>
chore(deps): update dependency pytest to v9.0.2 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1055">#1055</a>)</li>
<li><a
href="263b23b768"><code>263b23b</code></a>
chore(deps): update python docker tag to v3.14.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1054">#1054</a>)</li>
<li><a
href="a0dd77b023"><code>a0dd77b</code></a>
chore(deps): update actions/checkout action to v6.0.1 (<a
href="https://redirect.github.com/syrupy-project/syrupy/issues/1053">#1053</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/syrupy-project/syrupy/compare/v4.9.1...v5.1.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `ruff` from 0.14.11 to 0.15.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/releases">ruff's
releases</a>.</em></p>
<blockquote>
<h2>0.15.0</h2>
<h2>Release Notes</h2>
<p>Released on 2026-02-03.</p>
<p>Check out the <a href="https://astral.sh/blog/ruff-v0.15.0">blog
post</a> for a migration guide and overview of the changes!</p>
<h3>Breaking changes</h3>
<ul>
<li>
<p>Ruff now formats your code according to the 2026 style guide. See the
formatter section below or in the blog post for a detailed list of
changes.</p>
</li>
<li>
<p>The linter now supports block suppression comments. For example, to
suppress <code>N803</code> for all parameters in this function:</p>
<pre lang="python"><code># ruff: disable[N803]
def foo(
legacyArg1,
legacyArg2,
legacyArg3,
legacyArg4,
): ...
# ruff: enable[N803]
</code></pre>
<p>See the <a
href="https://docs.astral.sh/ruff/linter/#block-level">documentation</a>
for more details.</p>
</li>
<li>
<p>The <code>ruff:alpine</code> Docker image is now based on Alpine 3.23
(up from 3.21).</p>
</li>
<li>
<p>The <code>ruff:debian</code> and <code>ruff:debian-slim</code> Docker
images are now based on Debian 13 "Trixie" instead of Debian
12 "Bookworm."</p>
</li>
<li>
<p>Binaries for the <code>ppc64</code> (64-bit big-endian PowerPC)
architecture are no longer included in our releases. It should still be
possible to build Ruff manually for this platform, if needed.</p>
</li>
<li>
<p>Ruff now resolves all <code>extend</code>ed configuration files
before falling back on a default Python version.</p>
</li>
</ul>
<h3>Stabilization</h3>
<p>The following rules have been stabilized and are no longer in
preview:</p>
<ul>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-http-call-httpx-in-async-function"><code>blocking-http-call-httpx-in-async-function</code></a>
(<code>ASYNC212</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-path-method-in-async-function"><code>blocking-path-method-in-async-function</code></a>
(<code>ASYNC240</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/blocking-input-in-async-function"><code>blocking-input-in-async-function</code></a>
(<code>ASYNC250</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/map-without-explicit-strict"><code>map-without-explicit-strict</code></a>
(<code>B912</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/if-exp-instead-of-or-operator"><code>if-exp-instead-of-or-operator</code></a>
(<code>FURB110</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/single-item-membership-test"><code>single-item-membership-test</code></a>
(<code>FURB171</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/missing-maxsplit-arg"><code>missing-maxsplit-arg</code></a>
(<code>PLC0207</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/unnecessary-lambda"><code>unnecessary-lambda</code></a>
(<code>PLW0108</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/unnecessary-empty-iterable-within-deque-call"><code>unnecessary-empty-iterable-within-deque-call</code></a>
(<code>RUF037</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/in-empty-collection"><code>in-empty-collection</code></a>
(<code>RUF060</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/legacy-form-pytest-raises"><code>legacy-form-pytest-raises</code></a>
(<code>RUF061</code>)</li>
<li><a
href="https://docs.astral.sh/ruff/rules/non-octal-permissions"><code>non-octal-permissions</code></a>
(<code>RUF064</code>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md">ruff's
changelog</a>.</em></p>
<blockquote>
<h2>0.15.0</h2>
<p>Released on 2026-02-03.</p>
<p>Check out the <a href="https://astral.sh/blog/ruff-v0.15.0">blog
post</a> for a migration
guide and overview of the changes!</p>
<h3>Breaking changes</h3>
<ul>
<li>
<p>Ruff now formats your code according to the 2026 style guide. See the
formatter section below or in the blog post for a detailed list of
changes.</p>
</li>
<li>
<p>The linter now supports block suppression comments. For example, to
suppress <code>N803</code> for all parameters in this function:</p>
<pre lang="python"><code># ruff: disable[N803]
def foo(
legacyArg1,
legacyArg2,
legacyArg3,
legacyArg4,
): ...
# ruff: enable[N803]
</code></pre>
<p>See the <a
href="https://docs.astral.sh/ruff/linter/#block-level">documentation</a>
for more details.</p>
</li>
<li>
<p>The <code>ruff:alpine</code> Docker image is now based on Alpine 3.23
(up from 3.21).</p>
</li>
<li>
<p>The <code>ruff:debian</code> and <code>ruff:debian-slim</code> Docker
images are now based on Debian 13 "Trixie" instead of Debian
12 "Bookworm."</p>
</li>
<li>
<p>Binaries for the <code>ppc64</code> (64-bit big-endian PowerPC)
architecture are no longer included in our releases. It should still be
possible to build Ruff manually for this platform, if needed.</p>
</li>
<li>
<p>Ruff now resolves all <code>extend</code>ed configuration files
before falling back on a default Python version.</p>
</li>
</ul>
<h3>Stabilization</h3>
<p>The following rules have been stabilized and are no longer in
preview:</p>
<ul>
<li><a href="h...
_Description has been truncated_
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kennedy <65985482+jkennedyvz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>