⬆ Bump the python-packages group across 1 directory with 6 updates

[dependabot]

Bumps the python-packages group with 6 updates in the / directory:

Package	From	To
fastapi	0.136.1	0.136.3
ruff	0.15.12	0.15.14
uvicorn	0.46.0	0.48.0
ty	0.0.35	0.0.40
prek	0.3.13	0.4.3
zizmor	1.24.1	1.25.2

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

• ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

• 📝 Document --entrypoint CLI option. PR #15464 by @​YuriiMotov.
• 📝 Update and simplify docs about help and management. PR #15583 by @​tiangolo.
• 📝 Add docs references to central contributing docs. PR #15580 by @​tiangolo.
• 📝 Update security policy. PR #15577 by @​tiangolo.
• 🍱 Update sponsors: TalorData image. PR #15562 by @​tiangolo.
• 📝 Update docs, simplify usage of admonitions, only default ones. PR #15553 by @​tiangolo.
• 📝 Fix image URLs in index.md. PR #15534 by @​YuriiMotov.
• ✏️ Fix Azkaban spelling typo in virtual-environments.md‎. PR #15463 by @​isaacbernat.
• 💄 Improve layout and styling. PR #15462 by @​alejsdev.
• 💄 Refactor opinions section with interactive tabs and new logos. PR #15458 by @​alejsdev.
• 📝 Add FastAPI Conf '26 announcement to docs. PR #15457 by @​alejsdev.

Translations

• 🌐 Improve translation consistency in ‎docs/pt/docs/advanced/generate-clients.md‎. PR #15456 by @​Will-thom.
• 🌐 Update translations for ja (update-outdated). PR #15530 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15529 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15528 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15527 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15526 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15525 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15524 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #15522 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15523 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15520 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15521 by @​tiangolo.
• 🌐 Fix typos in Spanish LLM-prompt. PR #15472 by @​crr004.

Internal

• ✅ Update tests, don't double dispose the engine. PR #15587 by @​tiangolo.
• ⚡️ Speed up test suite via caching and fixture scopes to make it ~24% faster. PR #13583 by @​dikos1337.
• 🔥 Remove config files now in central GitHub repo. PR #15585 by @​tiangolo.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #15502 by @​dependabot[bot].
• ⬆ Bump idna from 3.11 to 3.15. PR #15565 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.15.0 to 4.0.0. PR #15571 by @​dependabot[bot].
• 🔧 Migrate docs from MkDocs to Zensical. PR #15563 by @​tiangolo.
• 🔒️ Only allow team members to modify dependencies. PR #15548 by @​svlandeg.

... (truncated)

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates ruff from 0.15.12 to 0.15.14

Release notes

Sourced from ruff's releases.

0.15.14

Release Notes

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.14

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre
• @​adityasingh2400

... (truncated)

Commits

• 9ad2da3 Bump 0.15.14 (#25295)
• c714e84 [ty] Modernize setup of union types in mdtests (#25291)
• 8a8e35e [flake8-comprehensions] Skip C417 for lambdas with positional-only parame...
• aea5ed4 Avoid unnecessary parser lookahead for operators (#25290)
• e9d72bb [ty] Allow enum member accesses on self (#25077)
• 6cbd59b Set exclude-newer = "7 days" in our PEP-723 scripts (#25285)
• 9999a39 Update code example on how to update Neovim LSP log level (#25284)
• 67d8c54 [ty] Retain recursively-defined state in binary expressions (#25277)
• 25a3191 [ty] Refine Callable class-decorator fallback for unknown results (#25250)
• c423054 Add a recursion limit to the parser (#24810)
• Additional commits viewable in compare view

Updates uvicorn from 0.46.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Version 0.47.0

What's Changed

• Eagerly import the ASGI app in the parent process by @​Kludex in Kludex/uvicorn#2919
• Add ssl_context_factory for custom SSLContext configuration by @​Kludex in Kludex/uvicorn#2920
• Treat fd=0 as a valid file descriptor with reload/workers by @​eltoder in Kludex/uvicorn#2927

Full Changelog: Kludex/uvicorn@0.46.0...0.47.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• 479a2c0 Version 0.47.0 (#2937)
• 89347fd Add 7-day cooldown for dependency resolution via uv exclude-newer (#2936)
• 767315b Drop unused contents/actions permissions from zizmor workflow (#2935)
• f25ee43 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#2933)
• 8782666 Fix typo in docs/deployment/index.md. (#2932)
• ad5ff87 Treat fd=0 as a valid file descriptor with reload/workers (#2927)
• Additional commits viewable in compare view

Updates ty from 0.0.35 to 0.0.40

Release notes

Sourced from ty's releases.

0.0.40

Release Notes

Released on 2026-05-27.

Bug fixes

• Accept complete enum-literal alias unions as enums (#25341)
• Fix diagnostics in ignored folders after adding new files (#25236)
• Show LiteralString when hovering over an inline of a literal string in an IDE (#25373)

LSP server

• Follow aliases when attempting to map a definition in a stub file to its "real" runtime definition (#25328)
• Treat Python notebook text documents as Python sources (#25393)
• Fix autocompletion for elements inside incomplete list comprehensions (#25326)

Diagnostics

• Add a subdiagnostic help message to invalid-generic-class diagnostics regarding incompatible variance (#25385)

Core type checking

• Ignore and reject annotations on non-name targets (#25324)
• Infer class attributes assigned by metaclass initialization (#25342)
• Reject inconsistent generic bases in "dynamic" classes created using type(...), types.new_type(...), etc. (#25413)
• Resolve enum names for all unions arms in Literal enum subsets (#25379)
• Support typing.TypeForm (#25334)
• Fix many issues in the generics solver by using constraint sets more widely to solve type variables (#24540)

Contributors

• @​anuraaga
• @​dcreager
• @​charliermarsh
• @​MichaReiser
• @​Dev-X25874

Install ty 0.0.40

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.40/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.40/ty-installer.ps1 | iex"
</tr></table> 

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.40

Released on 2026-05-27.

Bug fixes

• Accept complete enum-literal alias unions as enums (#25341)
• Fix diagnostics in ignored folders after adding new files (#25236)
• Show LiteralString when hovering over an inline of a literal string in an IDE (#25373)

LSP server

• Follow aliases when attempting to map a definition in a stub file to its "real" runtime definition (#25328)
• Treat Python notebook text documents as Python sources (#25393)
• Fix autocompletion for elements inside incomplete list comprehensions (#25326)

Diagnostics

• Add a subdiagnostic help message to invalid-generic-class diagnostics regarding incompatible variance (#25385)

Core type checking

• Ignore and reject annotations on non-name targets (#25324)
• Infer class attributes assigned by metaclass initialization (#25342)
• Reject inconsistent generic bases in "dynamic" classes created using type(...), types.new_type(...), etc. (#25413)
• Resolve enum names for all unions arms in Literal enum subsets (#25379)
• Support typing.TypeForm (#25334)
• Fix many issues in the generics solver by using constraint sets more widely to solve type variables (#24540)

Contributors

• @​anuraaga
• @​dcreager
• @​charliermarsh
• @​MichaReiser
• @​Dev-X25874

0.0.39

Released on 2026-05-22.

This release removes the Python 3.9 branches from our vendored standard library stubs. ty now only has "full" support for Python 3.10 and later, but will still report version-specific syntax errors and other diagnostics when --python-version 3.9 is provided via the CLI.

Bug fixes

• Avoid panicking on __new__ assignments to classes (#25282)
• Preserve declaration order when synthesizing class fields (#25249)
• Respect dict-compatible fallbacks in TypedDict unions (#25242)

... (truncated)

Commits

• 7b95bc2 Bump version to 0.0.40 (#3554)
• 54c7498 Update prek dependencies (#3546)
• 0d8540a docs: set Eglot :language-id so ty works with python-base-mode (#3532)
• 8f1cee0 scripts/update_schemastore: add text=True to git revision check_output calls ...
• 32b654a docs: add Flycheck note to Emacs editor integration (#3528)
• 4e1b4e7 docs: fix broken link and minor wording in suppression.md (#3527)
• 0205125 Bump version to 0.0.39 (#3516)
• ae8058d Update maturin to v1.13.3 (#3494)
• 33b60f8 Update prek dependencies (#3495)
• 1d3efc1 Bump version to 0.0.38 (#3492)
• Additional commits viewable in compare view

Updates prek from 0.3.13 to 0.4.3

Release notes

Sourced from prek's releases.

0.4.3

Release Notes

Released on 2026-05-27.

Bug fixes

• Ignore stat-only hook rewrites (#2131)

Sponsorship

If prek saves time for you or your team, please consider sponsoring the project on GitHub Sponsors. It helps keep new features, performance work, and maintenance moving.

Contributors

• @​stevbev

Install prek 0.4.3

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prek/releases/download/v0.4.3/prek-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/j178/prek/releases/download/v0.4.3/prek-installer.ps1 | iex"

Install prebuilt binaries via Homebrew

brew install prek

Download prek 0.4.3

File	Platform	Checksum
prek-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
prek-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
prek-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
prek-i686-pc-windows-msvc.zip	x86 Windows	checksum
prek-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
prek-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
prek-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum

... (truncated)

Changelog

Sourced from prek's changelog.

0.4.3

Released on 2026-05-27.

Bug fixes

• Ignore stat-only hook rewrites (#2131)

Sponsorship

If prek saves time for you or your team, please consider sponsoring the project on GitHub Sponsors. It helps keep new features, performance work, and maintenance moving.

Contributors

• @​stevbev

0.4.2

Released on 2026-05-26.

Highlights

0.4.2 is mainly about making prek run faster in large repos.

prek now does less git diff work. After hooks run, prek uses diff checks to detect files changed by hooks. If a hook modifies files, prek marks that hook as failed. That is important, but full diff snapshots can be slow in big repos, especially when they happen after every hook group.

We skip the expensive diff path in two common cases: built-in hooks that prek knows are read-only, and clean worktrees where a cheap dirty check is enough unless a hook actually changes files. In the right large-repo workload, skipping that work can make runs up to 10x faster.

Workspace mode is faster too. Hooks have historically been too serial. Priority-based concurrency helped, but it required users to choose good priority values. Now sibling projects at the same workspace depth run in parallel automatically. Their files do not overlap, so this is safe and needs no extra config. For multi-project workspaces, this can dramatically reduce total hook time.

Sponsorship

If prek saves time for you or your team, please consider sponsoring the project on GitHub Sponsors. It helps keep new features, performance work, and maintenance moving.

Enhancements

... (truncated)

Commits

• 02bb73f Bump version to 0.4.3 (#2132)
• 0f64ff9 Ignore stat-only hook rewrites (#2131)
• de77cc9 Bump version to 0.4.2 (#2126)
• c54be46 Simplify hook progress folding (#2125)
• e908f82 Add link to comprehensive list of open-source projects using prek (#938)
• 7cd6ba4 Run same-depth projects concurrently (#2110)
• bbb3810 Lock file maintenance (#2123)
• 7d5282c Update Rust crate quick-xml to 0.40 (#2121)
• 97130ea Update dependency uv to v0.11.14 (#2118)
• 480f4bf Update pre-commit hook crate-ci/typos to v1.46.2 (#2120)
• Additional commits viewable in compare view

Updates zizmor from 1.24.1 to 1.25.2

Release notes

Sourced from zizmor's releases.

v1.25.2

Bug Fixes 🐛🔗

• Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#2018)

v1.25.1

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in unpinned-tools annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#2011)

v1.25.0

New Features 🌈🔗

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements🔗

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions

• Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions

• tibdex/github-app-token is now recognized as an archived action by archived-uses (#1910)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.25.2

Bug Fixes 🐛

• Fixed a bug where the [unpinned-tools] audit would incorrectly flag the @​aquasecurity/trivy-action action as installing an unpinned tool version, rather than @​aquasecurity/setup-trivy (#2018)

1.25.1

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in [unpinned-tools] annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of @​actions/create-github-app-token as unsafe (#2011)

1.25.0

New Features 🌈

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: [github-app] detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

... (truncated)

Commits

• b50d8f6 zizmor 1.25.2 (#2022)
• e8c9648 Bump rustls-webpki to 0.103.13 (#2021)
• 9e19bde Bump aws-lc crates (#2020)
• 49cb189 Bump rand to 0.9.4 (#2019)
• bfdb649 unpinned-tools: fix trivy action being detected (#2018)
• 9300d3b ww/release (#2016)
• 331917a chore: drop serde_yaml rename (#2015)
• 506f085 github-app: test repositories, not repository (#2011)
• 53dea37 unpinned-tools, docs: fix typos (#2008)
• 8068e11 fix: replace --fix=unsafe with --fix=unsafe-only in suggestion (#2010)
• Additional commits viewable in compare view