Skip to content

deps(uv): bump the uv-minor-patch group across 1 directory with 35 updates#1157

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-minor-patch-0cde7f6305
Open

deps(uv): bump the uv-minor-patch group across 1 directory with 35 updates#1157
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-minor-patch-0cde7f6305

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv-minor-patch group with 35 updates in the / directory:

Package From To
anyio 4.13.0 4.14.1
certifi 2026.5.20 2026.6.17
click 8.4.1 8.4.2
fastapi 0.136.3 0.138.1
greenlet 3.5.1 3.5.3
matplotlib 3.10.9 3.11.0
numpy 2.4.6 2.5.0
pypdf 6.13.3 6.14.2
scipy 1.17.1 1.18.0
sqlalchemy 2.0.50 2.0.51
webauthn 2.7.1 2.8.0
redis 8.0.0 8.0.1
sentence-transformers 5.5.1 5.6.0
mutagen 1.47.0 1.48.1
pillow-heif 1.3.0 1.4.0
hypothesis 6.155.3 6.155.7
httpx2 2.3.0 2.5.0
maturin 1.14.0 1.14.1
pytest 9.0.3 9.1.1
ruff 0.15.17 0.15.20
ast-serialize 0.3.0 0.5.0
cbor2 6.0.1 6.1.2
cyclonedx-python-lib 11.7.0 11.11.0
distlib 0.4.0 0.4.3
filelock 3.29.0 3.29.4
httpcore2 2.3.0 2.5.0
lxml 6.1.0 6.1.1
narwhals 2.20.0 2.22.1
platformdirs 4.9.6 4.10.0
pyopenssl 26.2.0 26.3.0
python-discovery 1.3.0 1.4.2
soupsieve 2.8.3 2.8.4
stevedore 5.7.0 5.8.0
tzlocal 5.3.1 5.4.3
virtualenv 21.3.1 21.5.1

Updates anyio from 4.13.0 to 4.14.1

Release notes

Sourced from anyio's releases.

4.14.1

  • Fixed teardown of higher-scoped async fixtures failing on asyncio with RuntimeError: Attempted to exit cancel scope in a different task than it was entered in when an async test raise an outcome exception (e.g., pytest.skip(), pytest.xfail(), or pytest.fail()) (#1179; PR by @​EmmanuelNiyonshuti)
  • Fixed CapacityLimiter.total_tokens rejecting a value of 0 when the limiter was instantiated outside of an event loop, contradicting the documented behavior of allowing 0 total tokens (#1183; PR by @​nyxst4ck)

4.14.0

  • Added support for Python 3.15

  • Added an asynchronous implementation of the itertools module (#998; PR by @​11kkw)

  • Added the local_port parameter to connect_tcp() to allow binding to a specific local port before connecting (#1067; PR by @​nullwiz)

  • Added support for custom capacity limiters in async path and file I/O functions and classes

  • Added the create_task() task group method for easier asyncio migration (returns a TaskHandle) (#1098)

  • Changed TaskGroup.start_soon() to return a TaskHandle

  • Added an option for TaskGroup.start() to return a TaskHandle (which then contains the start value in the start_value property)

  • Added the cancel() convenience method to TaskGroup as a shortcut for cancelling the task group's cancel scope

  • Improved the error message when a known backend is not installed to suggest the install command (#1115; PR by @​EmmanuelNiyonshuti)

  • Improved anyio.Path to preserve subclass types by returning Self in methods that return path objects (#1130; PR by @​EmmanuelNiyonshuti)

  • Changed the parameter type annotation in anyio.Path.write_bytes() to accept any ReadableBuffer, thus allowing it to accept bytearray and memoryview to match pathlib.Path.write_bytes() (#1135; PR by @​SAY-5)

  • Changed several type annotations to only accept callables returning coroutine-like objects instead of arbitrary awaitables:

    • TaskGroup.start_soon()
    • TaskGroup.start()
    • anyio.from_thread.run()

    This reverts an earlier change from v3.7.0 which was made in error. (#1153)

  • Changed anyio.run to support callables returning arbitrary awaitables at runtime on all backends. Previously, this only worked on asyncio (#1171; PR by @​gschaffner)

  • Changed several classes (and their subclasses) to have __slots__ (with __weakref__):

    • anyio.CancelScope
    • anyio.CapacityLimiter
    • anyio.Condition
    • anyio.Event
    • anyio.Lock
    • anyio.ResourceGuard
    • anyio.Semaphore
  • Fixed cancellation exception escaping a cancel scope when triggered via check_cancelled() in a worker thread (#1113)

  • Fixed TaskGroup raising AttributeError instead of a clear error when entered more than once (#1109; PR by @​bahtya)

... (truncated)

Commits
  • 149b9e9 Bumped up the version
  • 377518c Bump actions/checkout from 6 to 7 in the github-actions group (#1186)
  • b42a2f5 [pre-commit.ci] pre-commit autoupdate (#1185)
  • 3ceb6ff Allow 0 tokens in a CapacityLimiter instantiated outside an event loop (#1183)
  • e10d1db Add missing await to open_file() in file I/O concurrency example (#1182)
  • 1dbc3b6 OutcomeException should not discard test runner_task (#1180)
  • ffe9133 Bumped up the version
  • f8b9f01 Fixed asyncio lock waiter deadlocks after cancellation (#1145)
  • d517ee1 [pre-commit.ci] pre-commit autoupdate (#1176)
  • 550b68e Make anyio.run support Awaitable at runtime on all backends (#1171)
  • Additional commits viewable in compare view

Updates certifi from 2026.5.20 to 2026.6.17

Commits

Updates click from 8.4.1 to 8.4.2

Release notes

Sourced from click's releases.

8.4.2

This is the Click 8.4.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.4.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-2 Milestone: https://github.com/pallets/click/milestone/34

  • Fix Fish shell completion broken in 8.4.0 by #3126. Newlines and tabs in option help text are now escaped, keeping the original completion format while still supporting multi-line help. #3502 #3043 #3504 #3508
  • Deprecated commands and options with empty or missing help text no longer render a stray leading space before the (DEPRECATED) label. #3509
  • A {class}Group with invoke_without_command=True marks its subcommand as optional in the usage help, showing [COMMAND] instead of COMMAND. #3059 #3507
  • echo_via_pager flushes after each write, so passing a generator streams output to the pager incrementally instead of staying hidden until the pipe buffer fills. #3242 #2542 #3534
  • echo_via_pager and get_pager_file no longer close a borrowed stdout stream when no external pager runs, completing the partial I/O operation on closed file fix from #3482. #3449 #3533
  • Fix CLI usage symopsis for optional arguments producing double square brackets [[a|b|c]]... whose type already brackets their metavar. #3578
  • {func}version_option resolves a package_name that does not match an installed distribution as an import (top-level module) name via {func}importlib.metadata.packages_distributions. Packages whose top-level module name differs from their distribution name (PIL vs Pillow, jwt vs PyJWT) no longer raise RuntimeError out of the box. #2331 #1884 #3125 #3582
Changelog

Sourced from click's changelog.

Version 8.4.2

Released 2026-06-24

  • Fix Fish shell completion broken in 8.4.0 by {pr}3126. Newlines and tabs in option help text are now escaped, keeping the original completion format while still supporting multi-line help. {issue}3502 {issue}3043 {pr}3504 {pr}3508
  • Deprecated commands and options with empty or missing help text no longer render a stray leading space before the (DEPRECATED) label. {pr}3509
  • A {class}Group with invoke_without_command=True marks its subcommand as optional in the usage help, showing [COMMAND] instead of COMMAND. {issue}3059 {pr}3507
  • echo_via_pager flushes after each write, so passing a generator streams output to the pager incrementally instead of staying hidden until the pipe buffer fills. {issue}3242 {issue}2542 {pr}3534
  • echo_via_pager and get_pager_file no longer close a borrowed stdout stream when no external pager runs, completing the partial I/O operation on closed file fix from {pr}3482. {issue}3449 {pr}3533
  • Fix CLI usage symopsis for optional arguments producing double square brackets [[a|b|c]]... whose type already brackets their metavar. {pr}3578
  • {func}version_option resolves a package_name that does not match an installed distribution as an import (top-level module) name via {func}importlib.metadata.packages_distributions. Packages whose top-level module name differs from their distribution name (PIL vs Pillow, jwt vs PyJWT) no longer raise RuntimeError out of the box. {issue}2331 {issue}1884 {issue}3125 {pr}3582
Commits
  • b2e30a1 Release version 8.4.2
  • 7a16b20 Fix package_name resolution when module differs from distribution name (#3582)
  • bec5928 Fix package_name resolution when top-level module differs from distribution...
  • 916883a Fix tests to not rely on -Wdefault option (#3591)
  • 09195f6 Fix double-bracketing of choices in synopsis (#3578)
  • 1557e26 Check for warning exception with idiomatic context manager
  • d9ff133 Static typing improvements in click.shell_completion (#3460)
  • 762c97e Fix double-bracketing of choices in synopsis
  • 8929d39 Convert changes to markdown. (#3559)
  • 237be50 Move changes headings down a level.
  • Additional commits viewable in compare view

Updates fastapi from 0.136.3 to 0.138.1

Release notes

Sourced from fastapi's releases.

0.138.1

Refactors

  • ♻️ Refactor Library Skills, make info easier to find for agents. PR #15841 by @​tiangolo.

Internal

0.138.0

Features

  • ✨ Add support for app.frontend("/", directory="dist") and router.frontend("/", directory="dist"). PR #15800 by @​tiangolo.

Docs

Translations

Internal

0.137.2

Features

  • ✨ Add iter_route_contexts() for advanced use cases that used to use router.routes (e.g. Jupyverse). PR #15785 by @​tiangolo.

Translations

... (truncated)

Commits

Updates greenlet from 3.5.1 to 3.5.3

Changelog

Sourced from greenlet's changelog.

3.5.3 (2026-06-26)

  • Fix a crash on free-threaded builds when multiple greenlets were holding a critical section on an object and the GIL for the thread was dropped. See issue 513 <https://github.com/python-greenlet/greenlet/issues/513>_. Thanks to ddorian.

3.5.2 (2026-06-17)

  • The minimum supported version of Python 3.15 is now 3.15b2.
  • Fix some garbage-collection related crashes on free-threaded Python 3.15. Thanks to Kumar Aditya in PR [#511](https://github.com/python-greenlet/greenlet/issues/511) <https://github.com/python-greenlet/greenlet/pull/511>_.
  • Improve garbage collection of greenlets. This mostly applies to Python 3.15. Thanks to Kumar Aditya in PR [#512](https://github.com/python-greenlet/greenlet/issues/512) <https://github.com/python-greenlet/greenlet/pull/512>_.
Commits
  • 6ee8c2c Preparing release 3.5.3
  • 6ec0bbb Merge pull request #514 from python-greenlet/issue513-preserve-crit-section
  • c03a7e6 Py3.13+: Preserve thread state critical_section to prevent crash on free-thre...
  • bc10829 Speed up manylinux test runs by only running the core checks; only start many...
  • c2db75d Back to development: 3.5.3
  • 0b64e9c Preparing release 3.5.2
  • 3e28d27 Add change note for #512 [skip ci]
  • 6563c5e Merge pull request #512 from kumaraditya303/ft-mem
  • ab6eff6 add ignore for win 3.10
  • 41f5349 revert back to fails_leakcheck_on_py314_or_less
  • Additional commits viewable in compare view

Updates matplotlib from 3.10.9 to 3.11.0

Release notes

Sourced from matplotlib's releases.

REL: v3.11.0

The largest change within this release is a complete overhaul of text and font processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated release of FreeType, all text should now support modern font features, enabling full internationalization in all languages. Not all features of these libraries are supported yet, but we expect this work to enable further improvements in an easier manner.

Outside of text handling, there are several improvements to 3D Axes, performance, new accessible colour sequences, flexible figure management, and more. See the release notes for more information.

REL: v3.11.0rc2

This is the second release candidate for the meso release 3.11.0.

This release candidate fixes some problems with downstream packages, removes some missed deprecations, and corrects some additional minor bugs.

REL: v3.11.0rc1

After an extended development stretch, we are pleased to announce the first release candidate of Matplotlib 3.11.0.

The largest change within this release is a complete overhaul of text and font processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated release of FreeType, all text should now support modern font features, enabling full internationalization in all languages. Not all features of these libraries are supported yet, but we expect this work to enable further improvements in an easier manner. Due to the update to the font rendering stack, we cannot guarantee that text will be bit-for-bit perfect with previous releases, so if you are using Matplotlib for testing, it may be necessary to introduce/raise a tolerance within your tests.

Outside of text handling, there are several improvements to 3D Axes, performance, new accessible colour sequences, flexible figure management, and more. Final release notes are still being curated, but you may browse the list of new features, API changes, and all issues/pull requests on the milestone.

As a note for downstream packagers, the font libraries have only been tested against the versions bundled with the wheels. It may be possible to expand the range of requirements, or that a requirement is too broad. Please report any issues you have building against external dependencies.

Commits
  • 69c7534 REL: v3.11.0
  • b7d912b DOC: Set 3.11 as preferred stable release
  • 7c3d502 Update Security Policy for 3.11
  • 964e73d DOC: Prepare GitHub stats for 3.11 final
  • bfa2633 Bump font manager version to final release
  • d0603b2 Merge pull request #31873 from meeseeksmachine/auto-backport-of-pr-31706-on-v...
  • edf5ebc Backport PR #31706: Fix clabel manual index
  • c0e80b7 Merge pull request #31872 from meeseeksmachine/auto-backport-of-pr-31868-on-v...
  • 2a14854 Backport PR #31868: DOC: Move errorbar examples to the statistics sections
  • ea43d96 Merge pull request #31871 from meeseeksmachine/auto-backport-of-pr-31870-on-v...
  • Additional commits viewable in compare view

Updates numpy from 2.4.6 to 2.5.0

Release notes

Sourced from numpy's releases.

v2.5.0 (June 21, 2026)

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11, marking the end of distutils, and expires a large number of deprecations made in the 2.0.x release. It also improves free threading and brings sorting into compliance with the array-api standard with the addition of descending sorts. There is also a fair amount of preparation for Python 3.15, which will be supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed,
  • Many expired deprecations, see below,
  • Many new deprecations, see below,
  • Many static typing improvements.
  • Improved support for free threading,
  • Support for descending sorts,

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided out=out under the same-kind rule. A DeprecationWarning is given now when this check fails. Previously, take incorrectly checked if out could be cast to the result (the wrong direction). This deprecation also affects compress and possibly other functions. (Future versions of NumPy may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use an numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe if an array is shared, especially by multiple threads. As an alternative, you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

  • Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits
  • 6910b28 Merge pull request #31706 from charris/prepare-2.5.0-release
  • e0acd2b REL: Prepare for the NumPy 2.5.0 release.
  • 8d928b7 Merge pull request #31704 from charris/backport-31649
  • c2055ba MAINT: update openblas to 0.3.33.112.0 (#31649)
  • ce17c81 Merge pull request #31703 from charris/backport-31609
  • 3de6203 BUG: fix StringDType distinct-allocator bugs and add tests (#31609)
  • c723971 Merge pull request #31700 from charris/backport-31694
  • 64513b2 MAINT: Bump pypa/cibuildwheel from 3.4.1 to 4.1.0
  • 04707f0 Merge pull request #31698 from charris/try-fix-emscripten
  • 5cf0686 MAINT: Try to fix emscripten wheel build.
  • Additional commits viewable in compare view

Updates pypdf from 6.13.3 to 6.14.2

Release notes

Sourced from pypdf's releases.

Version 6.14.2, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.1, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.0, 2026-06-22

What's new

Security (SEC)

New Features (ENH)

Robustness (ROB)

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.14.2, 2026-06-23

Security (SEC)

  • Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (#3892)

Full Changelog

Version 6.14.1, 2026-06-23

Security (SEC)

  • Detect end of stream during inline image end marker detection (#3891)

Full Changelog

Version 6.14.0, 2026-06-22

Security (SEC)

  • Apply general limit for requested image size (#3888)
  • Speed up recovery when reading broken cross-reference table (#3887)

New Features (ENH)

  • Check whether image is displayed on a given page (#3738)

Robustness (ROB)

  • Several fixes

Full Changelog

Commits
  • 2266ee8 REL: 6.14.2
  • 5a33a46 SEC: Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (...
  • 1ee4e58 REL: 6.14.1
  • ec3b145 SEC: Detect end of stream during inline image end marker detection (#3891)
  • c6cd82e ROB: Tolerate malformed inline image settings in _read_inline_image (#3889)
  • 0ae42ba ROB: Tolerate malformed page label entries in get_label_from_nums (#3884)
  • 50617b5 ROB: Tolerate malformed Tm operand count in extract_text (#3877)
  • 86e5a82 MAINT: Improve readability (#3874)
  • 83cb25f DEV: Fix sample files commit
  • 06588ec REL: 6.14.0
  • Additional commits viewable in compare view

Updates scipy from 1.17.1 to 1.18.0

Release notes

Sourced from scipy's releases.

SciPy 1.18.0 Release Notes

SciPy 1.18.0 is the culmination of 6 months of hard work. It contains many new features, numerous bug-fixes, improved test coverage and better documentation. There have been a number of deprecations and API changes in this release, which are documented below. All users are encouraged to upgrade to this release, as there are a large number of bug-fixes and optimizations. Before upgrading, we recommend that users check that their own code does not use deprecated SciPy functionality (to do so, run your code with python -Wd and check for DeprecationWarning s). Our development attention will now shift to bug-fix releases on the 1.18.x branch, and on adding new features on the main branch.

This release requires Python 3.12-3.14 and NumPy 2.0.0 or greater.

Highlights of this release

  • SciPy now supports three different build modes for BLAS and LAPACK LP64/ILP64 support, and machinery is provided for downstream cython_lapack consumers to gracefully handle LP64/ILP64 backend builds. ILP64 support has been substantially improved across the SciPy library.
  • Remaining Fortran to C translations have been completed---an experimental Fortran-free build option is now available to developers for testing purposes. Developer feedback is welcome on Fortran-free builds.
  • scipy.signal.whittaker_henderson now provides access to Whittaker-Henderson smoothing of a discrete signal.
  • A large number of scipy.stats functions now support lazy arrays and JAX JIT. Array API support has been improved substantially in SciPy, with at least 21 functions gaining new support in this release. 16 scipy.stats functions have also gained support for MArray input.

New features

scipy.fft improvements

  • SciPy's internal FFT backend has switched from pocketfft to its successor package ducc0.fft, which features several incremental improvements. The most significant of those from SciPy's perspective is probably that storage requirements for internally cached plans have been significantly reduced for most long 1D transforms. Plans that require more storage than 1MB will no longer be cached; this mainly affects huge 1D transforms of prime and near-prime sizes.

scipy.interpolate improvements

... (truncated)

Commits
  • 54ef542 REL: 1.18.0 release commit
  • a45e463 Merge pull request #25395 from tylerjereddy/treddy_prep_1.18.0_final
  • ee2442e TYP, MAINT, TST: PR 25395 revisions
  • 3225154 DOC: PR 25395 revisions
  • 14c7bd7 TYP: Fix mypy errors with pytest==9.1.0 (#25410)
  • 71522e9 DOC: revise SciPy 1.18.0 release notes
  • 92f8482 MAINT: fix errors from pytest 9.1 (#25378)
  • 7b27bf4 TST, MAINT: modernize spatial tests for pytest 10 (#25376)
  • d05b640 Merge pull request #25347 from tylerjereddy/treddy_version_bump_1.18.0rc3
  • e60fe8b REL: set to 1.18.0rc3 unreleased
  • Additional commits viewable in compare view

Updates sqlalchemy from 2.0.50 to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

  • [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

    References: #13207

  • [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

    References: #13356

engine

  • [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

    References: #9427

sql

  • [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

    References: #10827

... (truncated)

Commits

Updates webauthn from 2.7.1 to 2.8.0

Release notes

Sourced from webauthn's releases.

v2.8.0

Changes:

  • "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
  • Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
  • Two expired trust anchors have been retired (#279)
  • A new trust anchor for "android-key" attestation has been added (#268)
  • TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
  • Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
  • A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)

v2.8.0-alpha1

🚨🚨🚨THIS RELEASE IS UNSUPPORTED. OFFICIAL PQC SUPPORT WILL ARRIVE IN A FUTURE RELEASE🚨🚨🚨

Changes:

  • verify_registration_response() and verify_authentication_response() now support use of ML-DSA public keys for authenticators with PQC support. Run pip install dilithium-py to enable this capability (#260)
Changelog

Sourced from webauthn's changelog.

v2.8.0

Changes:

  • "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
  • Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
  • Two expired trust anchors have been retired (#279)
  • A new trust anchor for "android-key" attestation has been added (#268)
  • TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
  • Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
  • A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)
Commits
  • 4a4295f Update CHANGELOG for v2.8.0 (addendum 1)
  • 748f6f2 Merge pull request #280 from duo-labs/more-exception-handling-auth
  • f02a707 Add some tests around parse error handling
  • 6c35856 Handle clientDataJSON and authData auth errors
  • 99c5256 Update CHANGELOG for v2.8.0
  • 755bf0f Bump version to v2.8.0
  • b416811 Merge pull request #279 from duo-labs/retire-expired-trust-anchors
  • 7840f30 Retire google_hardware_attestation_root_1
  • 3ec92d5 Retire globalsign_r2
  • cdb96c2 Merge pull request #278 from duo-labs/migrate-dx-to-uv
  • Additional commits viewable in compare view

Updates redis from 8.0.0 to 8.0.1

Release notes

Sourced from redis's releases.

Description has been truncated

…dates

Bumps the uv-minor-patch group with 35 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anyio](https://github.com/agronholm/anyio) | `4.13.0` | `4.14.1` |
| [certifi](https://github.com/certifi/python-certifi) | `2026.5.20` | `2026.6.17` |
| [click](https://github.com/pallets/click) | `8.4.1` | `8.4.2` |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.3` | `0.138.1` |
| [greenlet](https://github.com/python-greenlet/greenlet) | `3.5.1` | `3.5.3` |
| [matplotlib](https://github.com/matplotlib/matplotlib) | `3.10.9` | `3.11.0` |
| [numpy](https://github.com/numpy/numpy) | `2.4.6` | `2.5.0` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.13.3` | `6.14.2` |
| [scipy](https://github.com/scipy/scipy) | `1.17.1` | `1.18.0` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.50` | `2.0.51` |
| [webauthn](https://github.com/duo-labs/py_webauthn) | `2.7.1` | `2.8.0` |
| [redis](https://github.com/redis/redis-py) | `8.0.0` | `8.0.1` |
| [sentence-transformers](https://github.com/huggingface/sentence-transformers) | `5.5.1` | `5.6.0` |
| [mutagen](https://github.com/quodlibet/mutagen) | `1.47.0` | `1.48.1` |
| [pillow-heif](https://github.com/bigcat88/pillow_heif) | `1.3.0` | `1.4.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.155.3` | `6.155.7` |
| [httpx2](https://github.com/pydantic/httpx2) | `2.3.0` | `2.5.0` |
| [maturin](https://github.com/pyo3/maturin) | `1.14.0` | `1.14.1` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.17` | `0.15.20` |
| [ast-serialize](https://github.com/mypyc/ast_serialize) | `0.3.0` | `0.5.0` |
| [cbor2](https://github.com/agronholm/cbor2) | `6.0.1` | `6.1.2` |
| [cyclonedx-python-lib](https://github.com/CycloneDX/cyclonedx-python-lib) | `11.7.0` | `11.11.0` |
| [distlib](https://github.com/pypa/distlib) | `0.4.0` | `0.4.3` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.29.0` | `3.29.4` |
| [httpcore2](https://github.com/pydantic/httpx2) | `2.3.0` | `2.5.0` |
| [lxml](https://github.com/lxml/lxml) | `6.1.0` | `6.1.1` |
| [narwhals](https://github.com/narwhals-dev/narwhals) | `2.20.0` | `2.22.1` |
| [platformdirs](https://github.com/tox-dev/platformdirs) | `4.9.6` | `4.10.0` |
| [pyopenssl](https://github.com/pyca/pyopenssl) | `26.2.0` | `26.3.0` |
| [python-discovery](https://github.com/tox-dev/python-discovery) | `1.3.0` | `1.4.2` |
| [soupsieve](https://github.com/facelessuser/soupsieve) | `2.8.3` | `2.8.4` |
| [stevedore](https://docs.openstack.org/stevedore) | `5.7.0` | `5.8.0` |
| [tzlocal](https://github.com/regebro/tzlocal) | `5.3.1` | `5.4.3` |
| [virtualenv](https://github.com/pypa/virtualenv) | `21.3.1` | `21.5.1` |



Updates `anyio` from 4.13.0 to 4.14.1
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Commits](agronholm/anyio@4.13.0...4.14.1)

Updates `certifi` from 2026.5.20 to 2026.6.17
- [Commits](certifi/python-certifi@2026.05.20...2026.06.17)

Updates `click` from 8.4.1 to 8.4.2
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.md)
- [Commits](pallets/click@8.4.1...8.4.2)

Updates `fastapi` from 0.136.3 to 0.138.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.3...0.138.1)

Updates `greenlet` from 3.5.1 to 3.5.3
- [Changelog](https://github.com/python-greenlet/greenlet/blob/master/CHANGES.rst)
- [Commits](python-greenlet/greenlet@3.5.1...3.5.3)

Updates `matplotlib` from 3.10.9 to 3.11.0
- [Release notes](https://github.com/matplotlib/matplotlib/releases)
- [Commits](matplotlib/matplotlib@v3.10.9...v3.11.0)

Updates `numpy` from 2.4.6 to 2.5.0
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.4.6...v2.5.0)

Updates `pypdf` from 6.13.3 to 6.14.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.3...6.14.2)

Updates `scipy` from 1.17.1 to 1.18.0
- [Release notes](https://github.com/scipy/scipy/releases)
- [Commits](scipy/scipy@v1.17.1...v1.18.0)

Updates `sqlalchemy` from 2.0.50 to 2.0.51
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `webauthn` from 2.7.1 to 2.8.0
- [Release notes](https://github.com/duo-labs/py_webauthn/releases)
- [Changelog](https://github.com/duo-labs/py_webauthn/blob/master/CHANGELOG.md)
- [Commits](duo-labs/py_webauthn@v2.7.1...v2.8.0)

Updates `redis` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@v8.0.0...v8.0.1)

Updates `sentence-transformers` from 5.5.1 to 5.6.0
- [Release notes](https://github.com/huggingface/sentence-transformers/releases)
- [Commits](huggingface/sentence-transformers@v5.5.1...v5.6.0)

Updates `mutagen` from 1.47.0 to 1.48.1
- [Release notes](https://github.com/quodlibet/mutagen/releases)
- [Changelog](https://github.com/quodlibet/mutagen/blob/main/NEWS)
- [Commits](quodlibet/mutagen@release-1.47.0...release-1.48.1)

Updates `pillow-heif` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/bigcat88/pillow_heif/releases)
- [Changelog](https://github.com/bigcat88/pillow_heif/blob/master/CHANGELOG.md)
- [Commits](bigcat88/pillow_heif@v1.3.0...v1.4.0)

Updates `hypothesis` from 6.155.3 to 6.155.7
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@v6.155.3...v6.155.7)

Updates `httpx2` from 2.3.0 to 2.5.0
- [Release notes](https://github.com/pydantic/httpx2/releases)
- [Changelog](https://github.com/pydantic/httpx2/blob/main/src/httpx2/CHANGELOG.md)
- [Commits](pydantic/httpx2@v2.3.0...v2.5.0)

Updates `maturin` from 1.14.0 to 1.14.1
- [Release notes](https://github.com/pyo3/maturin/releases)
- [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md)
- [Commits](PyO3/maturin@v1.14.0...v1.14.1)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `ruff` from 0.15.17 to 0.15.20
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.17...0.15.20)

Updates `ast-serialize` from 0.3.0 to 0.5.0
- [Commits](mypyc/ast_serialize@v0.3.0...v0.5.0)

Updates `cbor2` from 6.0.1 to 6.1.2
- [Release notes](https://github.com/agronholm/cbor2/releases)
- [Commits](agronholm/cbor2@6.0.1...6.1.2)

Updates `cyclonedx-python-lib` from 11.7.0 to 11.11.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-python-lib/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md)
- [Commits](CycloneDX/cyclonedx-python-lib@v11.7.0...v11.11.0)

Updates `distlib` from 0.4.0 to 0.4.3
- [Release notes](https://github.com/pypa/distlib/releases)
- [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst)
- [Commits](pypa/distlib@0.4.0...0.4.3)

Updates `filelock` from 3.29.0 to 3.29.4
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.29.0...3.29.4)

Updates `httpcore2` from 2.3.0 to 2.5.0
- [Release notes](https://github.com/pydantic/httpx2/releases)
- [Commits](pydantic/httpx2@v2.3.0...v2.5.0)

Updates `lxml` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.1.0...lxml-6.1.1)

Updates `narwhals` from 2.20.0 to 2.22.1
- [Release notes](https://github.com/narwhals-dev/narwhals/releases)
- [Commits](narwhals-dev/narwhals@v2.20.0...v2.22.1)

Updates `platformdirs` from 4.9.6 to 4.10.0
- [Release notes](https://github.com/tox-dev/platformdirs/releases)
- [Changelog](https://github.com/tox-dev/platformdirs/blob/main/docs/changelog.rst)
- [Commits](tox-dev/platformdirs@4.9.6...4.10.0)

Updates `pyopenssl` from 26.2.0 to 26.3.0
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@26.2.0...26.3.0)

Updates `python-discovery` from 1.3.0 to 1.4.2
- [Release notes](https://github.com/tox-dev/python-discovery/releases)
- [Changelog](https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst)
- [Commits](tox-dev/python-discovery@1.3.0...1.4.2)

Updates `soupsieve` from 2.8.3 to 2.8.4
- [Release notes](https://github.com/facelessuser/soupsieve/releases)
- [Commits](facelessuser/soupsieve@2.8.3...2.8.4)

Updates `stevedore` from 5.7.0 to 5.8.0

Updates `tzlocal` from 5.3.1 to 5.4.3
- [Changelog](https://github.com/regebro/tzlocal/blob/master/CHANGES.txt)
- [Commits](regebro/tzlocal@5.3.1...5.4.3)

Updates `virtualenv` from 21.3.1 to 21.5.1
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@21.3.1...21.5.1)

---
updated-dependencies:
- dependency-name: anyio
  dependency-version: 4.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: certifi
  dependency-version: 2026.6.17
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: click
  dependency-version: 8.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: fastapi
  dependency-version: 0.138.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: greenlet
  dependency-version: 3.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: matplotlib
  dependency-version: 3.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: numpy
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pypdf
  dependency-version: 6.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: scipy
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: sqlalchemy
  dependency-version: 2.0.51
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: webauthn
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: redis
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: sentence-transformers
  dependency-version: 5.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: mutagen
  dependency-version: 1.48.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pillow-heif
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.155.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: httpx2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: maturin
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: ast-serialize
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: cbor2
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: cyclonedx-python-lib
  dependency-version: 11.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: distlib
  dependency-version: 0.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: filelock
  dependency-version: 3.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: httpcore2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: narwhals
  dependency-version: 2.22.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: platformdirs
  dependency-version: 4.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pyopenssl
  dependency-version: 26.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: python-discovery
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: soupsieve
  dependency-version: 2.8.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: stevedore
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: tzlocal
  dependency-version: 5.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: virtualenv
  dependency-version: 21.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants