Bump the pip group across 1 directory with 20 updates

[dependabot]

Bumps the pip group with 20 updates in the / directory:

Package	From	To
black	26.3.1	26.5.1
requests	2.33.1	2.34.2
faker	40.15.0	40.19.1
boto3	1.43.6	1.43.14
botocore	1.43.6	1.43.14
certifi	2026.4.22	2026.5.20
click	8.3.3	8.4.1
fastapi	0.136.1	0.136.3
fastapi-cloud-cli	0.17.1	0.18.0
httptools	0.7.1	0.8.0
idna	3.13	3.16
pydantic-settings	2.14.0	2.14.1
pydantic-core	2.46.4	2.47.0
pyjwt	2.12.1	2.13.0
python-multipart	0.0.27	0.0.29
rich-toolkit	0.19.7	0.19.10
sentry-sdk	2.59.0	2.60.0
starlette	1.0.0	1.1.0
uvicorn	0.46.0	0.48.0
watchfiles	1.1.1	1.2.0

Updates black from 26.3.1 to 26.5.1

Release notes

Sourced from black's releases.

26.5.1

Stable style

• Fix unstable formatting of annotated assignments whose subscript annotation contains an inline comment (e.g. x: list[ # pyright: ignore[...]) (#5130)
• Preserve inline comments (including # type: ignore) immediately before a # fmt: skip line, avoiding AST equivalence failures (#5139)

Packaging

• Correct the version in the published executables (#5137)

Documentation

• Add Neovim integration guide covering conform.nvim, ALE, and simple command approaches (#5124)

26.5.0

Highlights

• Add support for unpacking in comprehensions (PEP 798) and for lazy imports (PEP 810), both new syntactic features in Python 3.15 (#5048)
• Python 3.15 is now supported. Compiled wheels are not yet provided for Python 3.15, so performance may be slower than on existing Python versions. Wheels will be provided once Python 3.15 is later in its release cycle. (#5127)

Stable style

• Fix # fmt: skip being ignored in nested if expressions with parenthesized in clauses (#4903)
• Add syntactic support for Python 3.15 (#5048)
• Fix crash when an f-string follows a # fmt: off comment inside brackets (#5097)
• Preserve multiline compound statement headers when # fmt: skip is placed on the colon line (#5117)

Preview style

• Improve heuristics around whether blank lines should appear before, within and after groups of same-name decorated functions (such as @overload groups) in .pyi stub files (#5021)
• Fix blank lines being removed between a function and a decorated class in .pyi stub files (#5092)
• Prevent string merger from creating unsplittable long lines when a pragma comment (e.g. # type: ignore) follows the closing bracket (#5096)

Packaging

• Run CI on 3.15 (#5127)

Output

... (truncated)

Changelog

Sourced from black's changelog.

Version 26.5.1

Stable style

• Fix unstable formatting of annotated assignments whose subscript annotation contains an inline comment (e.g. x: list[ # pyright: ignore[...]) (#5130)
• Preserve inline comments (including # type: ignore) immediately before a # fmt: skip line, avoiding AST equivalence failures (#5139)

Packaging

• Correct the version in the published executables (#5137)

Documentation

• Add Neovim integration guide covering conform.nvim, ALE, and simple command approaches (#5124)

Version 26.5.0

Highlights

• Add support for unpacking in comprehensions (PEP 798) and for lazy imports (PEP 810), both new syntactic features in Python 3.15 (#5048)
• Python 3.15 is now supported. Compiled wheels are not yet provided for Python 3.15, so performance may be slower than on existing Python versions. Wheels will be provided once Python 3.15 is later in its release cycle. (#5127)

Stable style

• Fix # fmt: skip being ignored in nested if expressions with parenthesized in clauses (#4903)
• Add syntactic support for Python 3.15 (#5048)
• Fix crash when an f-string follows a # fmt: off comment inside brackets (#5097)
• Preserve multiline compound statement headers when # fmt: skip is placed on the colon line (#5117)

Preview style

• Improve heuristics around whether blank lines should appear before, within and after groups of same-name decorated functions (such as @overload groups) in .pyi stub files (#5021)
• Fix blank lines being removed between a function and a decorated class in .pyi stub files (#5092)
• Prevent string merger from creating unsplittable long lines when a pragma comment (e.g. # type: ignore) follows the closing bracket (#5096)

Packaging

• Run CI on 3.15 (#5127)

... (truncated)

Commits

• 87928e6 Prepare release 26.5.1 (#5140)
• c970a49 Preserve comments before fmt: skip lines (#5139)
• 5809338 Preserve inline comments inside annotation subscripts (#5130)
• 61361b7 docs: add Neovim integration guide and fix http link (#5124)
• ebe6018 CI Hotfixes (#5136)
• 9cbd95f Fix publish binaries again on Windows (#5134)
• 3dc8e6c Add new changelog (#5132)
• 6d0fff0 Fix publish binaries workflow (#5133)
• d2490e2 Prepare release 26.5.0 (#5131)
• 2b13ea7 Preserve multiline headers with fmt skip (#5117)
• Additional commits viewable in compare view

Updates requests from 2.33.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates faker from 40.15.0 to 40.19.1

Release notes

Sourced from faker's releases.

Release v40.19.1

See CHANGELOG.md.

Release v40.19.0

See CHANGELOG.md.

Release v40.18.0

See CHANGELOG.md.

Release v40.17.0

See CHANGELOG.md.

Release v40.16.0

See CHANGELOG.md.

Changelog

Sourced from faker's changelog.

v40.19.1 - 2026-05-22

• Fix shared state mutation in en_IN pincode_in_state (#2369). Thanks @​RedZapdos123.

v40.19.0 - 2026-05-22

• Add uuid1 and uuid7 providers to misc provider (#2344). Thanks @​Krishnachaitanyakc.

v40.18.0 - 2026-05-14

• Add automotive providers for ar_DZ and fr_DZ locales. Thanks @​othmane099.
• Add phone_number provider for ar_DZ and fr_DZ locales. Thanks @​othmane099.

v40.17.0 - 2026-05-14

• Add am_ET phone_number provider for Ethiopia. Thanks @​jasur-py.

v40.16.0 - 2026-05-14

• Fix duplicate phone number prefix 145 in zh_CN locale. Thanks @​r266-tec.

Commits

• 3e9b7b0 Bump version: 40.19.0 → 40.19.1
• fea0515 📝 Update CHANGELOG.md
• a2af511 fix(en_IN): avoid shared state mutation in pincode_in_state (#2369)
• fbb59f3 Bump version: 40.18.0 → 40.19.0
• bd0f6da 📝 Update CHANGELOG.md
• 822a14d 💄 lint code
• a1a1b2a feat: Add uuid1 and uuid7 providers to misc provider (#2344)
• 44c45e0 Bump version: 40.17.0 → 40.18.0
• 87d8b40 📝 Update CHANGELOG.md
• 8a7fa46 💄 Lint code
• Additional commits viewable in compare view

Updates boto3 from 1.43.6 to 1.43.14

Commits

• 07953b0 Merge branch 'release-1.43.14'
• 25c77c3 Bumping version to 1.43.14
• 5e64afc Add changelog entries from botocore
• 97921f4 Merge branch 'release-1.43.13'
• 4e58a35 Merge branch 'release-1.43.13' into develop
• 1307ac2 Bumping version to 1.43.13
• c75c901 Add changelog entries from botocore
• d3f2433 Merge branch 'release-1.43.12'
• d5eddf9 Merge branch 'release-1.43.12' into develop
• 93f3a42 Bumping version to 1.43.12
• Additional commits viewable in compare view

Updates botocore from 1.43.6 to 1.43.14

Commits

• f23ff3b Merge branch 'release-1.43.14'
• 7feaf2f Bumping version to 1.43.14
• d3e4393 Update endpoints model
• 5204755 Update to latest models
• 89a5ca0 Improving caching of S3 endpoints by omitting unused parameters (#3692)
• 8bd61f7 Merge branch 'release-1.43.13'
• b6f2c74 Merge branch 'release-1.43.13' into develop
• 9cfdcaf Bumping version to 1.43.13
• 656fd57 Update to latest models
• 280497b Merge customizations for Bedrock AgentCore Control
• Additional commits viewable in compare view

Updates certifi from 2026.4.22 to 2026.5.20

Commits

• d7ea151 2026.05.20 (#413)
• See full diff in compare view

Updates click from 8.3.3 to 8.4.1

Release notes

Sourced from click's releases.

8.4.1

This is the Click 8.4.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.4.1/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-1 Milestone: https://github.com/pallets/click/milestone/32?closed=1

• get_parameter_source() is available during eager callbacks and type conversion again. #3458 #3484
• Zsh completion scripts parse correctly on Windows. #3277 # 3466
• Shell completion of Choice Enum values produces a valid completion result. #3015
• Fix empty byte-string handling in echo. #3487
• Fix closed file error with echo_via_pager. #3449

8.4.0

This is the Click 8.4.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecation, or introduce potentially breaking changes.

We encourage everyone to upgrade. You can read more about our Version Support Policy on our website.

PyPI: https://pypi.org/project/click/8.4.0/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-0 Milestone https://github.com/pallets/click/milestone/30

• ParamType typing improvements. #3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. #3372

• Parameter typing improvements. #2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior.

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.4.1

Released 2026-05-21

• get_parameter_source() is available during eager callbacks and type conversion again. :issue:3458 :issue:3484
• Zsh completion scripts parse correctly on Windows. :issue:3277 :pr:3466
• Shell completion of Choice Enum values produces a valid completion result. :issue:3015
• Fix empty byte-string handling in echo. :issue:3487
• Fix closed file error with echo_via_pager. :issue:3449

Version 8.4.0

Released 2026-05-17

• :class:ParamType typing improvements. :pr:3371

  • :class:ParamType is now a generic abstract base class, parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all concrete types (str for :class:STRING, int for :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific :class:~typing.TypedDict subclasses instead of dict[str, Any].
  • :class:CompositeParamType and the number-range base are now generic with abstract methods.

• Refactor convert_type to extract type inference into a private _guess_type helper, and add :func:typing.overload signatures. :pr:3372

• :class:Parameter typing improvements. :pr:2805

  • :class:Parameter is now an abstract base class, making explicit that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None. When expose_value=False, the name is set to "" instead of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1 or :class:Tuple type, matching environment variable behavior. :issue:2745 :pr:3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types (not str, int, float, or bool), so programmer-provided Python objects like classes and enum members are passed through unchanged instead of being stringified. Previously type=click.UNPROCESSED had to be set explicitly. :issue:2012 :pr:3363

... (truncated)

Commits

• 6eeb50e release version 8.4.1
• 67921d5 change log and doc fixes (#3495)
• 9c41f46 Fix changelog and version admonitions
• 6cb3477 fix skip condition
• 5ee8e31 fix I/O operation on closed file error with CliRunner and echo_via_pager (#3482)
• becbde5 pager doesn't close std streams
• a5f5aa6 Handle empty bytes in echo (#3493)
• 4d3db84 handle empty bytes in echo
• d42f15b Fix get_parameter_source() during type conversion and eager callbacks (#3484)
• 0baa8db Document ctx.params bypass with test and doc
• Additional commits viewable in compare view

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

• ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

• 📝 Document --entrypoint CLI option. PR #15464 by @​YuriiMotov.
• 📝 Update and simplify docs about help and management. PR #15583 by @​tiangolo.
• 📝 Add docs references to central contributing docs. PR #15580 by @​tiangolo.
• 📝 Update security policy. PR #15577 by @​tiangolo.
• 🍱 Update sponsors: TalorData image. PR #15562 by @​tiangolo.
• 📝 Update docs, simplify usage of admonitions, only default ones. PR #15553 by @​tiangolo.
• 📝 Fix image URLs in index.md. PR #15534 by @​YuriiMotov.
• ✏️ Fix Azkaban spelling typo in virtual-environments.md‎. PR #15463 by @​isaacbernat.
• 💄 Improve layout and styling. PR #15462 by @​alejsdev.
• 💄 Refactor opinions section with interactive tabs and new logos. PR #15458 by @​alejsdev.
• 📝 Add FastAPI Conf '26 announcement to docs. PR #15457 by @​alejsdev.

Translations

• 🌐 Improve translation consistency in ‎docs/pt/docs/advanced/generate-clients.md‎. PR #15456 by @​Will-thom.
• 🌐 Update translations for ja (update-outdated). PR #15530 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15529 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15528 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15527 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15526 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15525 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15524 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #15522 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15523 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15520 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15521 by @​tiangolo.
• 🌐 Fix typos in Spanish LLM-prompt. PR #15472 by @​crr004.

Internal

• ✅ Update tests, don't double dispose the engine. PR #15587 by @​tiangolo.
• ⚡️ Speed up test suite via caching and fixture scopes to make it ~24% faster. PR #13583 by @​dikos1337.
• 🔥 Remove config files now in central GitHub repo. PR #15585 by @​tiangolo.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #15502 by @​dependabot[bot].
• ⬆ Bump idna from 3.11 to 3.15. PR #15565 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.15.0 to 4.0.0. PR #15571 by @​dependabot[bot].
• 🔧 Migrate docs from MkDocs to Zensical. PR #15563 by @​tiangolo.
• 🔒️ Only allow team members to modify dependencies. PR #15548 by @​svlandeg.

... (truncated)

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates fastapi-cloud-cli from 0.17.1 to 0.18.0

Release notes

Sourced from fastapi-cloud-cli's releases.

0.18.0

Features

• 🚸 Show Top-3 files larger than threshold on deploy command. PR #190 by @​YuriiMotov.
• ✨ Show if there's a new fastapi-cloud-cli version available. PR #201 by @​patrick91.

Refactors

• ♻️ Rename app_slug parameter of _get_app to app_id. PR #192 by @​YuriiMotov.
• ♻️ Improve message around application directory. PR #191 by @​patrick91.

Internal

• 🔒️ Only allow team members to modify dependencies. PR #197 by @​svlandeg.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #194 by @​dependabot[bot].
• ⬆ Bump fastar from 0.10.0 to 0.11.0. PR #188 by @​dependabot[bot].
• 🔒️ Add zizmor and fix audit findings. PR #183 by @​YuriiMotov.
• ⬆️ Bump ty from 0.0.21 to 0.0.35 and error on warnings. PR #195 by @​svlandeg.
• ⬆ Bump actions/labeler from 6.0.1 to 6.1.0. PR #193 by @​dependabot[bot].

Changelog

Sourced from fastapi-cloud-cli's changelog.

0.18.0 (2026-05-22)

Features

• 🚸 Show Top-3 files larger than threshold on deploy command. PR #190 by @​YuriiMotov.
• ✨ Show if there's a new fastapi-cloud-cli version available. PR #201 by @​patrick91.

Refactors

• ♻️ Rename app_slug parameter of _get_app to app_id. PR #192 by @​YuriiMotov.
• ♻️ Improve message around application directory. PR #191 by @​patrick91.

Internal

• 🔒️ Only allow team members to modify dependencies. PR #197 by @​svlandeg.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #194 by @​dependabot[bot].
• ⬆ Bump fastar from 0.10.0 to 0.11.0. PR #188 by @​dependabot[bot].
• 🔒️ Add zizmor and fix audit findings. PR #183 by @​YuriiMotov.
• ⬆️ Bump ty from 0.0.21 to 0.0.35 and error on warnings. PR #195 by @​svlandeg.
• ⬆ Bump actions/labeler from 6.0.1 to 6.1.0. PR #193 by @​dependabot[bot].

Commits

• 26541b2 🔖 Release version 0.18.0
• d342356 📝 Update release notes
• 1ca104f 🚸 Show Top-3 files larger than threshold on deploy command (#190)
• 32a17b8 📝 Update release notes
• 18b4a43 ✨ Show if there's a new fastapi-cloud-cli version available (#201)
• ce2110b 📝 Update release notes
• 4916f02 🔒️ Only allow team members to modify dependencies (#197)
• 8dae1ac 📝 Update release notes
• 0780b89 ⬆ Bump urllib3 from 2.6.3 to 2.7.0 (#194)
• 8790640 📝 Update release notes
• Additional commits viewable in compare view

Updates httptools from 0.7.1 to 0.8.0

Release notes

Sourced from httptools's releases.

v0.8.0

Changes

• Add http-parser and llhttp licenses into the wheels (#135) (by @​justeph in c398a157)

• Mark cython module as free-threading compatible (#139) (by @​kumaraditya303 in 28d1db15)

• Fix all typing issues (#134) (by @​Kludex in a9bda0ed)

• Bump llhttp to 9.4.1 (#145) (by @​fantix in e3e8d71e)

• Security: fix URL truncation issue (#144) (by @​fantix in a0283f07 for #142)

• Allow building with latest setuptools (#138) (by @​OldManYellsAtCloud in c403ad1a)

Commits

• cf10ce6 httptools 0.8.0
• a0283f0 security: fix URL truncation issue (#144)
• 05e6b8e ci: add freethreading 3.14 to the CI matrix (#146)
• e3e8d71 Bump llhttp to 9.4.1 (#145)
• a9bda0e Fix all typing issues (#134)
• 28d1db1 mark cython module as free-threading compatible (#139)
• c403ad1 Allow building with latest setuptools (#138)
• c398a15 Add http-parser and llhttp licenses into the wheels (#135)
• 4cfdabd ci: fix release workflow (#132)
• ef71da9 Post-release version bump
• See full diff in compare view

Updates idna from 3.13 to 3.16

Changelog

Sourced from idna's changelog.

3.16 (2026-05-22)

• Add a command-line interface (python -m idna, also available as the idna script). Encodes or decodes one or more domains supplied as arguments or on standard input, with options to select A-label or U-label output and control error handling.
• Raise the minimum supported Python version to 3.9
• Various code quality improvements

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

Commits

• 6d1a0de Release 3.16
• 4e6cbe2 Demote installation instruction to usage section
• 223533c Merge branch 'readme-simplification' into release-3.16
• b1640b2 Bump version to 3.16rc0
• 3a86113 Update history for 3.16 release
• d4bc9e7 Merge pull request #246 from kjd/python-3.9
• a21d9fc Update deprecation policy
• b464926 Raise minimum Python to 3.9 and modernize typing
• 7f3b15e Explicit example not needed
• 7530c70 Remove unnecessary print()
• Additional commits viewable in compare view

Updates pydantic-settings from 2.14.0 to 2.14.1

Release notes

Sourced from pydantic-settings's releases.

v2.14.1

What's Changed

• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#850
• Bump the python-packages group with 5 updates by @​dependabot[bot] in pydantic/pydantic-settings#854
• Bump the github-actions group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#853
• Bump the python-packages group with 2 updates by