
deps(uv): bump the uv-minor-patch group across 1 directory with 34 updates #1101

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/uv-minor-patch-5c60af90d2


@dependabot dependabot Bot commented on behalf of github Jun 30, 2026


Bumps the uv-minor-patch group with 34 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| anyio | 4.13.0 | 4.14.0 |
| certifi | 2026.5.20 | 2026.6.17 |
| fastapi | 0.136.3 | 0.138.0 |
| greenlet | 3.5.1 | 3.5.2 |
| matplotlib | 3.10.9 | 3.11.0 |
| numpy | 2.4.6 | 2.5.0 |
| pypdf | 6.13.3 | 6.14.2 |
| scipy | 1.17.1 | 1.18.0 |
| sqlalchemy | 2.0.50 | 2.0.51 |
| webauthn | 2.7.1 | 2.8.0 |
| redis | 8.0.0 | 8.0.1 |
| sentence-transformers | 5.5.1 | 5.6.0 |
| mutagen | 1.47.0 | 1.48.0 |
| pillow-heif | 1.3.0 | 1.4.0 |
| hypothesis | 6.155.3 | 6.155.7 |
| httpx2 | 2.3.0 | 2.4.0 |
| maturin | 1.14.0 | 1.14.1 |
| pytest | 9.0.3 | 9.1.1 |
| ruff | 0.15.17 | 0.15.18 |
| ast-serialize | 0.3.0 | 0.5.0 |
| cbor2 | 6.0.1 | 6.1.2 |
| cyclonedx-python-lib | 11.7.0 | 11.11.0 |
| distlib | 0.4.0 | 0.4.3 |
| filelock | 3.29.0 | 3.29.4 |
| httpcore2 | 2.3.0 | 2.4.0 |
| lxml | 6.1.0 | 6.1.1 |
| narwhals | 2.20.0 | 2.22.1 |
| platformdirs | 4.9.6 | 4.10.0 |
| pyopenssl | 26.2.0 | 26.3.0 |
| python-discovery | 1.3.0 | 1.4.2 |
| soupsieve | 2.8.3 | 2.8.4 |
| stevedore | 5.7.0 | 5.8.0 |
| tzlocal | 5.3.1 | 5.4.3 |
| virtualenv | 21.3.1 | 21.5.1 |

Updates anyio from 4.13.0 to 4.14.0

Release notes

Sourced from anyio's releases.

4.14.0

  • Added support for Python 3.15

  • Added an asynchronous implementation of the itertools module (#998; PR by @​11kkw)

  • Added the local_port parameter to connect_tcp() to allow binding to a specific local port before connecting (#1067; PR by @​nullwiz)

  • Added support for custom capacity limiters in async path and file I/O functions and classes

  • Added the create_task() task group method for easier asyncio migration (returns a TaskHandle) (#1098)

  • Changed TaskGroup.start_soon() to return a TaskHandle

  • Added an option for TaskGroup.start() to return a TaskHandle (which then contains the start value in the start_value property)

  • Added the cancel() convenience method to TaskGroup as a shortcut for cancelling the task group's cancel scope

  • Improved the error message when a known backend is not installed to suggest the install command (#1115; PR by @​EmmanuelNiyonshuti)

  • Improved anyio.Path to preserve subclass types by returning Self in methods that return path objects (#1130; PR by @​EmmanuelNiyonshuti)

  • Changed the parameter type annotation in anyio.Path.write_bytes() to accept any ReadableBuffer, thus allowing it to accept bytearray and memoryview to match pathlib.Path.write_bytes() (#1135; PR by @​SAY-5)

  • Changed several type annotations to only accept callables returning coroutine-like objects instead of arbitrary awaitables:

    • TaskGroup.start_soon()
    • TaskGroup.start()
    • anyio.from_thread.run()

    This reverts an earlier change from v3.7.0 which was made in error. (#1153)

  • Changed anyio.run to support callables returning arbitrary awaitables at runtime on all backends. Previously, this only worked on asyncio (#1171; PR by @​gschaffner)

  • Changed several classes (and their subclasses) to have __slots__ (with __weakref__):

    • anyio.CancelScope
    • anyio.CapacityLimiter
    • anyio.Condition
    • anyio.Event
    • anyio.Lock
    • anyio.ResourceGuard
    • anyio.Semaphore
  • Fixed cancellation exception escaping a cancel scope when triggered via check_cancelled() in a worker thread (#1113)

  • Fixed TaskGroup raising AttributeError instead of a clear error when entered more than once (#1109; PR by @​bahtya)

  • Fixed lost type information when passing arguments to lru_cache (#1104; PR by @​Graeme22)

  • Fixed test resumption after KeyboardInterrupt in async generator fixtures on the asyncio backend (#1060; PR by @​EmmanuelNiyonshuti)

... (truncated)

Commits
  • ffe9133 Bumped up the version
  • f8b9f01 Fixed asyncio lock waiter deadlocks after cancellation (#1145)
  • d517ee1 [pre-commit.ci] pre-commit autoupdate (#1176)
  • 550b68e Make anyio.run support Awaitable at runtime on all backends (#1171)
  • 29a5e04 Fixed FastAPI test run
  • 4d752ac Updated downstream test setups for FastAPI and Anthropic MCP
  • ebdc950 Added task handle support to start() and start_soon() (#1153)
  • f32bfb8 Fixed test suite compatibility issues with Pytest 9.1.0
  • 85f7e8e Added __slots__ to several classes
  • b7ea84c [pre-commit.ci] pre-commit autoupdate (#1165)
  • Additional commits viewable in compare view

Updates certifi from 2026.5.20 to 2026.6.17

Commits

Updates fastapi from 0.136.3 to 0.138.0

Release notes

Sourced from fastapi's releases.

0.138.0

Features

  • ✨ Add support for app.frontend("/", directory="dist") and router.frontend("/", directory="dist"). PR #15800 by @​tiangolo.

Docs

Translations

Internal

0.137.2

Features

  • ✨ Add iter_route_contexts() for advanced use cases that used to use router.routes (e.g. Jupyverse). PR #15785 by @​tiangolo.

Translations

Internal

... (truncated)

Commits

Updates greenlet from 3.5.1 to 3.5.2

Changelog

Sourced from greenlet's changelog.

3.5.2 (2026-06-17)

  • The minimum supported version of Python 3.15 is now 3.15b2.
  • Fix some garbage-collection related crashes on free-threaded Python 3.15. Thanks to Kumar Aditya in PR #511 (https://github.com/python-greenlet/greenlet/pull/511).
  • Improve garbage collection of greenlets. This mostly applies to Python 3.15. Thanks to Kumar Aditya in PR #512 (https://github.com/python-greenlet/greenlet/pull/512).
Commits
  • 0b64e9c Preparing release 3.5.2
  • 3e28d27 Add change note for #512 [skip ci]
  • 6563c5e Merge pull request #512 from kumaraditya303/ft-mem
  • ab6eff6 add ignore for win 3.10
  • 41f5349 revert back to fails_leakcheck_on_py314_or_less
  • b0aac05 set fail-fast=false and if condition correctly
  • 2f87f31 rename to ignores_leakcheck_on_py314_or_less
  • 28bbde3 add comments
  • 35206b8 fix test and restrict tp_is_gc < 3.15
  • abdbab5 fix gil enabled
  • Additional commits viewable in compare view

Updates matplotlib from 3.10.9 to 3.11.0

Release notes

Sourced from matplotlib's releases.

REL: v3.11.0

The largest change within this release is a complete overhaul of text and font processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated release of FreeType, all text should now support modern font features, enabling full internationalization in all languages. Not all features of these libraries are supported yet, but we expect this work to enable further improvements in an easier manner.

Outside of text handling, there are several improvements to 3D Axes, performance, new accessible colour sequences, flexible figure management, and more. See the release notes for more information.

REL: v3.11.0rc2

This is the second release candidate for the meso release 3.11.0.

This release candidate fixes some problems with downstream packages, removes some missed deprecations, and corrects some additional minor bugs.

REL: v3.11.0rc1

After an extended development stretch, we are pleased to announce the first release candidate of Matplotlib 3.11.0.

The largest change within this release is a complete overhaul of text and font processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated release of FreeType, all text should now support modern font features, enabling full internationalization in all languages. Not all features of these libraries are supported yet, but we expect this work to enable further improvements in an easier manner. Due to the update to the font rendering stack, we cannot guarantee that text will be bit-for-bit perfect with previous releases, so if you are using Matplotlib for testing, it may be necessary to introduce/raise a tolerance within your tests.

Outside of text handling, there are several improvements to 3D Axes, performance, new accessible colour sequences, flexible figure management, and more. Final release notes are still being curated, but you may browse the list of new features, API changes, and all issues/pull requests on the milestone.

As a note for downstream packagers, the font libraries have only been tested against the versions bundled with the wheels. It may be possible to expand the range of requirements, or that a requirement is too broad. Please report any issues you have building against external dependencies.

Commits
  • 69c7534 REL: v3.11.0
  • b7d912b DOC: Set 3.11 as preferred stable release
  • 7c3d502 Update Security Policy for 3.11
  • 964e73d DOC: Prepare GitHub stats for 3.11 final
  • bfa2633 Bump font manager version to final release
  • d0603b2 Merge pull request #31873 from meeseeksmachine/auto-backport-of-pr-31706-on-v...
  • edf5ebc Backport PR #31706: Fix clabel manual index
  • c0e80b7 Merge pull request #31872 from meeseeksmachine/auto-backport-of-pr-31868-on-v...
  • 2a14854 Backport PR #31868: DOC: Move errorbar examples to the statistics sections
  • ea43d96 Merge pull request #31871 from meeseeksmachine/auto-backport-of-pr-31870-on-v...
  • Additional commits viewable in compare view

Updates numpy from 2.4.6 to 2.5.0

Release notes

Sourced from numpy's releases.

v2.5.0 (June 21, 2026)

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11, marking the end of distutils, and expires a large number of deprecations made in the 2.0.x release. It also improves free threading and brings sorting into compliance with the array-api standard with the addition of descending sorts. There is also a fair amount of preparation for Python 3.15, which will be supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed,
  • Many expired deprecations, see below,
  • Many new deprecations, see below,
  • Many static typing improvements.
  • Improved support for free threading,
  • Support for descending sorts,

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided out=out under the same-kind rule. A DeprecationWarning is given now when this check fails. Previously, take incorrectly checked if out could be cast to the result (the wrong direction). This deprecation also affects compress and possibly other functions. (Future versions of NumPy may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use a numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe if an array is shared, especially by multiple threads. As an alternative, you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release <https://github.com/numpy/numpy-release>__ repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the :ref:general release guide <prepare_release>.

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

  • Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits
  • 6910b28 Merge pull request #31706 from charris/prepare-2.5.0-release
  • e0acd2b REL: Prepare for the NumPy 2.5.0 release.
  • 8d928b7 Merge pull request #31704 from charris/backport-31649
  • c2055ba MAINT: update openblas to 0.3.33.112.0 (#31649)
  • ce17c81 Merge pull request #31703 from charris/backport-31609
  • 3de6203 BUG: fix StringDType distinct-allocator bugs and add tests (#31609)
  • c723971 Merge pull request #31700 from charris/backport-31694
  • 64513b2 MAINT: Bump pypa/cibuildwheel from 3.4.1 to 4.1.0
  • 04707f0 Merge pull request #31698 from charris/try-fix-emscripten
  • 5cf0686 MAINT: Try to fix emscripten wheel build.
  • Additional commits viewable in compare view

Updates pypdf from 6.13.3 to 6.14.2

Release notes

Sourced from pypdf's releases.

Version 6.14.2, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.1, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.0, 2026-06-22

What's new

Security (SEC)

New Features (ENH)

Robustness (ROB)

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.14.2, 2026-06-23

Security (SEC)

  • Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (#3892)

Full Changelog

Version 6.14.1, 2026-06-23

Security (SEC)

  • Detect end of stream during inline image end marker detection (#3891)

Full Changelog

Version 6.14.0, 2026-06-22

Security (SEC)

  • Apply general limit for requested image size (#3888)
  • Speed up recovery when reading broken cross-reference table (#3887)

New Features (ENH)

  • Check whether image is displayed on a given page (#3738)

Robustness (ROB)

  • Several fixes

Full Changelog

Commits
  • 2266ee8 REL: 6.14.2
  • 5a33a46 SEC: Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (...
  • 1ee4e58 REL: 6.14.1
  • ec3b145 SEC: Detect end of stream during inline image end marker detection (#3891)
  • c6cd82e ROB: Tolerate malformed inline image settings in _read_inline_image (#3889)
  • 0ae42ba ROB: Tolerate malformed page label entries in get_label_from_nums (#3884)
  • 50617b5 ROB: Tolerate malformed Tm operand count in extract_text (#3877)
  • 86e5a82 MAINT: Improve readability (#3874)
  • 83cb25f DEV: Fix sample files commit
  • 06588ec REL: 6.14.0
  • Additional commits viewable in compare view

Updates scipy from 1.17.1 to 1.18.0

Release notes

Sourced from scipy's releases.

SciPy 1.18.0 Release Notes

SciPy 1.18.0 is the culmination of 6 months of hard work. It contains many new features, numerous bug-fixes, improved test coverage and better documentation. There have been a number of deprecations and API changes in this release, which are documented below. All users are encouraged to upgrade to this release, as there are a large number of bug-fixes and optimizations. Before upgrading, we recommend that users check that their own code does not use deprecated SciPy functionality (to do so, run your code with python -Wd and check for DeprecationWarnings). Our development attention will now shift to bug-fix releases on the 1.18.x branch, and on adding new features on the main branch.

This release requires Python 3.12-3.14 and NumPy 2.0.0 or greater.

Highlights of this release

  • SciPy now supports three different build modes for BLAS and LAPACK LP64/ILP64 support, and machinery is provided for downstream cython_lapack consumers to gracefully handle LP64/ILP64 backend builds. ILP64 support has been substantially improved across the SciPy library.
  • Remaining Fortran to C translations have been completed---an experimental Fortran-free build option is now available to developers for testing purposes. Developer feedback is welcome on Fortran-free builds.
  • scipy.signal.whittaker_henderson now provides access to Whittaker-Henderson smoothing of a discrete signal.
  • A large number of scipy.stats functions now support lazy arrays and JAX JIT. Array API support has been improved substantially in SciPy, with at least 21 functions gaining new support in this release. 16 scipy.stats functions have also gained support for MArray input.

New features

scipy.fft improvements

  • SciPy's internal FFT backend has switched from pocketfft to its successor package ducc0.fft, which features several incremental improvements. The most significant of those from SciPy's perspective is probably that storage requirements for internally cached plans have been significantly reduced for most long 1D transforms. Plans that require more storage than 1MB will no longer be cached; this mainly affects huge 1D transforms of prime and near-prime sizes.

scipy.interpolate improvements

... (truncated)

Commits
  • 54ef542 REL: 1.18.0 release commit
  • a45e463 Merge pull request #25395 from tylerjereddy/treddy_prep_1.18.0_final
  • ee2442e TYP, MAINT, TST: PR 25395 revisions
  • 3225154 DOC: PR 25395 revisions
  • 14c7bd7 TYP: Fix mypy errors with pytest==9.1.0 (#25410)
  • 71522e9 DOC: revise SciPy 1.18.0 release notes
  • 92f8482 MAINT: fix errors from pytest 9.1 (#25378)
  • 7b27bf4 TST, MAINT: modernize spatial tests for pytest 10 (#25376)
  • d05b640 Merge pull request #25347 from tylerjereddy/treddy_version_bump_1.18.0rc3
  • e60fe8b REL: set to 1.18.0rc3 unreleased
  • Additional commits viewable in compare view

Updates sqlalchemy from 2.0.50 to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

  • [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

    References: #13207

  • [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

    References: #13356

engine

  • [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

    References: #9427

sql

  • [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

    References: #10827

... (truncated)

Commits

Updates webauthn from 2.7.1 to 2.8.0

Release notes

Sourced from webauthn's releases.

v2.8.0

Changes:

  • "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
  • Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
  • Two expired trust anchors have been retired (#279)
  • A new trust anchor for "android-key" attestation has been added (#268)
  • TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
  • Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
  • A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)

v2.8.0-alpha1

🚨🚨🚨THIS RELEASE IS UNSUPPORTED. OFFICIAL PQC SUPPORT WILL ARRIVE IN A FUTURE RELEASE🚨🚨🚨

Changes:

  • verify_registration_response() and verify_authentication_response() now support use of ML-DSA public keys for authenticators with PQC support. Run pip install dilithium-py to enable this capability (#260)
Changelog

Sourced from webauthn's changelog.

v2.8.0

Changes:

  • "android-key" attestation verification is more tolerant of X.509 leaf certificates with values that violate ASN.1 DER parsing rules (#277)
  • Dependencies have been updated, including cbor2>=5.6.5,<6.0.0 (#269, h/t @​typestring; #272), and cryptography>=46.0.0 and pyOpenSSL>=26.0.0 (#278)
  • Two expired trust anchors have been retired (#279)
  • A new trust anchor for "android-key" attestation has been added (#268)
  • TPM manufacturer IDs are now normalized during "tpm" attestation verification to prevent casing-related lookup issues (#275)
  • Registration verification will more consistently raise webauthn.helpers.exceptions.InvalidRegistrationResponse when encountering bad data. Likewise, authentication verification will more consistently raise webauthn.helpers.exceptions.InvalidAuthenticationResponse when encountering bad data (#271, #273, #276, #280)
  • A docstring typo in verify_authentication_response() has been fixed (#266, h/t @​Densaugeo)
Commits
  • 4a4295f Update CHANGELOG for v2.8.0 (addendum 1)
  • 748f6f2 Merge pull request #280 from duo-labs/more-exception-handling-auth
  • f02a707 Add some tests around parse error handling
  • 6c35856 Handle clientDataJSON and authData auth errors
  • 99c5256 Update CHANGELOG for v2.8.0
  • 755bf0f Bump version to v2.8.0
  • b416811 Merge pull request #279 from duo-labs/retire-expired-trust-anchors
  • 7840f30 Retire google_hardware_attestation_root_1
  • 3ec92d5 Retire globalsign_r2
  • cdb96c2 Merge pull request #278 from duo-labs/migrate-dx-to-uv
  • Additional commits viewable in compare view

Updates redis from 8.0.0 to 8.0.1

Release notes

Sourced from redis's releases.

8.0.1

Changes

🐛 Bug Fixes

  • Fix Unix socket maintenance notification handling and tests (#4097)
  • Fix async cluster node connection release on write errors (#4111)
  • Fixed async MultiDBClient with underlying RedisCluster (#4108)
  • Fix hiredis readiness checks for high file descriptors (#4115)
  • fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
  • Fixing pubsub's listen method to be blocking. (#4119)
  • fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#4123)
  • Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() instead of a per-call selector (#4118)

🧰 Maintenance

  • Updating PyJWT dependency. (#4100)
  • Update CI badge in README.md (#4099)
  • Add missing url query argument parser for ssl_min_version (#4047)
  • ci: least-privilege permissions on spellcheck (read) and stale-issues (job-level write for actions/stale) (#4080)
  • Bumping github-versions actions (#4102)
  • Updating lib version + supported Redis versions in README.md + updating the Redis versions in CI test matrix (#4092)

We'd like to thank all the contributors who worked on this release! @​violuke @​mokashang @​arpitjain099 @​coredumperror @​elena-kolevska @​vladvildanov @​petyaslavova

Commits
  • 7c0fd11 Updating lib version to 8.0.1
  • b7a4d7d Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() ...
  • eec778e fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#...
  • 08e01bb Fixing pubsub's listen method to be blocking. (#4119)
  • 3d5257a fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
  • cce28ff Fix hiredis readiness checks for high file descriptors (#4115)
  • e20691c Fixed async MultiDBClient with underlying RedisCluster (#4108)
  • ea37fcc Fix async cluster node connection release on write errors (#4111)
  • f4146fa Updating lib version + supported Redis versions in README.md + updating the R...
  • d47674e Bumping github-versions actions (#4102)
  • Additional commits viewable in compare view

Updates sentence-transformers from 5.5.1 to 5.6.0

Release notes

Sourced from sentence-transformers's releases.

v5.6.0 - Fixes for Causal LM Rerankers, Hard-Negative Mining, and More

This minor version is a correctness- and robustness-focused release. It fixes a silent scoring bug for causal-LM rerankers, corrects several hard-negative mining and GIST loss edge cases, restores TSDAE on transformers v5, and adds Apple Silicon (MPS) support for the cached losses.

The headline fix affects chat-template models that read the final token position, i.e. causal-LM rerankers (like Qwen3-Reranker) and last-token-pooling embedders: when an over-long input was truncated, the chat template's trailing suffix (e.g. the assistant prefill the model scores from) was silently dropped, producing wrong scores with no error. There's also a forward-looking deprecation: loading local custom code without trust_remote_code=True now warns, and will require it from v6.0.

Install this version with

```bash
# Training + Inference
pip install sentence-transformers[train]==5.6.0

# Inference only, use one of:
pip install sentence-transformers==5.6.0
pip install sentence-transformers[onnx-gpu]==5.6.0
pip install sentence-transformers[onnx]==5.6.0
pip install sentence-transformers[openvino]==5.6.0

# Multimodal dependencies (optional):
pip install sentence-transformers[image]==5.6.0
pip install sentence-transformers[audio]==5.6.0
pip install sentence-transformers[video]==5.6.0

# Or combine as needed:
pip install sentence-transformers[train,onnx,image]==5.6.0
```

Fixed silently wrong scores when truncation drops chat-template suffixes (#3787)

Chat-template models render the full conversation to a flat string before tokenizing, so when the rendered input is longer than the tokenizer's model_max_length, the tokenizer truncates it from the right and drops the template's trailing suffix: the fixed tokens a template appends after the content, e.g. a prompt, instruction, [/INST], or a trailing EOS. For models that read the final token position, this silently corrupted the result:

  • causal-LM rerankers (e.g. Qwen/Qwen3-Reranker-0.6B) score a pair from the last token's yes/no logits, and
  • last-token-pooling embedders read the final hidden state.

When the suffix was truncated away, that final position landed mid-document instead of after the prefill, so the score or embedding came from the wrong place.

Transformer.preprocess now detects when truncation drops the suffix and splices it back onto the tail of each truncated row. Because the fix lives in the shared base Transformer, it applies across SentenceTransformer, CrossEncoder, and SparseEncoder. It's enabled by default and saved to the model configuration. Pass processing_kwargs={"chat_template": {"restore_suffix": False}} to opt back into raw truncation.

Hard-negative mining and GIST loss correctness (

…dates

Bumps the uv-minor-patch group with 34 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anyio](https://github.com/agronholm/anyio) | `4.13.0` | `4.14.0` |
| [certifi](https://github.com/certifi/python-certifi) | `2026.5.20` | `2026.6.17` |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.3` | `0.138.0` |
| [greenlet](https://github.com/python-greenlet/greenlet) | `3.5.1` | `3.5.2` |
| [matplotlib](https://github.com/matplotlib/matplotlib) | `3.10.9` | `3.11.0` |
| [numpy](https://github.com/numpy/numpy) | `2.4.6` | `2.5.0` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.13.3` | `6.14.2` |
| [scipy](https://github.com/scipy/scipy) | `1.17.1` | `1.18.0` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.50` | `2.0.51` |
| [webauthn](https://github.com/duo-labs/py_webauthn) | `2.7.1` | `2.8.0` |
| [redis](https://github.com/redis/redis-py) | `8.0.0` | `8.0.1` |
| [sentence-transformers](https://github.com/huggingface/sentence-transformers) | `5.5.1` | `5.6.0` |
| [mutagen](https://github.com/quodlibet/mutagen) | `1.47.0` | `1.48.0` |
| [pillow-heif](https://github.com/bigcat88/pillow_heif) | `1.3.0` | `1.4.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.155.3` | `6.155.7` |
| [httpx2](https://github.com/pydantic/httpx2) | `2.3.0` | `2.4.0` |
| [maturin](https://github.com/pyo3/maturin) | `1.14.0` | `1.14.1` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.17` | `0.15.18` |
| [ast-serialize](https://github.com/mypyc/ast_serialize) | `0.3.0` | `0.5.0` |
| [cbor2](https://github.com/agronholm/cbor2) | `6.0.1` | `6.1.2` |
| [cyclonedx-python-lib](https://github.com/CycloneDX/cyclonedx-python-lib) | `11.7.0` | `11.11.0` |
| [distlib](https://github.com/pypa/distlib) | `0.4.0` | `0.4.3` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.29.0` | `3.29.4` |
| [httpcore2](https://github.com/pydantic/httpx2) | `2.3.0` | `2.4.0` |
| [lxml](https://github.com/lxml/lxml) | `6.1.0` | `6.1.1` |
| [narwhals](https://github.com/narwhals-dev/narwhals) | `2.20.0` | `2.22.1` |
| [platformdirs](https://github.com/tox-dev/platformdirs) | `4.9.6` | `4.10.0` |
| [pyopenssl](https://github.com/pyca/pyopenssl) | `26.2.0` | `26.3.0` |
| [python-discovery](https://github.com/tox-dev/python-discovery) | `1.3.0` | `1.4.2` |
| [soupsieve](https://github.com/facelessuser/soupsieve) | `2.8.3` | `2.8.4` |
| [stevedore](https://docs.openstack.org/stevedore) | `5.7.0` | `5.8.0` |
| [tzlocal](https://github.com/regebro/tzlocal) | `5.3.1` | `5.4.3` |
| [virtualenv](https://github.com/pypa/virtualenv) | `21.3.1` | `21.5.1` |



Updates `anyio` from 4.13.0 to 4.14.0
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Commits](agronholm/anyio@4.13.0...4.14.0)

Updates `certifi` from 2026.5.20 to 2026.6.17
- [Commits](certifi/python-certifi@2026.05.20...2026.06.17)

Updates `fastapi` from 0.136.3 to 0.138.0
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.3...0.138.0)

Updates `greenlet` from 3.5.1 to 3.5.2
- [Changelog](https://github.com/python-greenlet/greenlet/blob/master/CHANGES.rst)
- [Commits](python-greenlet/greenlet@3.5.1...3.5.2)

Updates `matplotlib` from 3.10.9 to 3.11.0
- [Release notes](https://github.com/matplotlib/matplotlib/releases)
- [Commits](matplotlib/matplotlib@v3.10.9...v3.11.0)

Updates `numpy` from 2.4.6 to 2.5.0
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.4.6...v2.5.0)

Updates `pypdf` from 6.13.3 to 6.14.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.3...6.14.2)

Updates `scipy` from 1.17.1 to 1.18.0
- [Release notes](https://github.com/scipy/scipy/releases)
- [Commits](scipy/scipy@v1.17.1...v1.18.0)

Updates `sqlalchemy` from 2.0.50 to 2.0.51
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `webauthn` from 2.7.1 to 2.8.0
- [Release notes](https://github.com/duo-labs/py_webauthn/releases)
- [Changelog](https://github.com/duo-labs/py_webauthn/blob/master/CHANGELOG.md)
- [Commits](duo-labs/py_webauthn@v2.7.1...v2.8.0)

Updates `redis` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@v8.0.0...v8.0.1)

Updates `sentence-transformers` from 5.5.1 to 5.6.0
- [Release notes](https://github.com/huggingface/sentence-transformers/releases)
- [Commits](huggingface/sentence-transformers@v5.5.1...v5.6.0)

Updates `mutagen` from 1.47.0 to 1.48.0
- [Release notes](https://github.com/quodlibet/mutagen/releases)
- [Changelog](https://github.com/quodlibet/mutagen/blob/main/NEWS)
- [Commits](quodlibet/mutagen@release-1.47.0...release-1.48.0)

Updates `pillow-heif` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/bigcat88/pillow_heif/releases)
- [Changelog](https://github.com/bigcat88/pillow_heif/blob/master/CHANGELOG.md)
- [Commits](bigcat88/pillow_heif@v1.3.0...v1.4.0)

Updates `hypothesis` from 6.155.3 to 6.155.7
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@v6.155.3...v6.155.7)

Updates `httpx2` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/pydantic/httpx2/releases)
- [Changelog](https://github.com/pydantic/httpx2/blob/main/src/httpx2/CHANGELOG.md)
- [Commits](pydantic/httpx2@v2.3.0...v2.4.0)

Updates `maturin` from 1.14.0 to 1.14.1
- [Release notes](https://github.com/pyo3/maturin/releases)
- [Changelog](https://github.com/PyO3/maturin/blob/main/Changelog.md)
- [Commits](PyO3/maturin@v1.14.0...v1.14.1)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `ruff` from 0.15.17 to 0.15.18
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.17...0.15.18)

Updates `ast-serialize` from 0.3.0 to 0.5.0
- [Commits](mypyc/ast_serialize@v0.3.0...v0.5.0)

Updates `cbor2` from 6.0.1 to 6.1.2
- [Release notes](https://github.com/agronholm/cbor2/releases)
- [Commits](agronholm/cbor2@6.0.1...6.1.2)

Updates `cyclonedx-python-lib` from 11.7.0 to 11.11.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-python-lib/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md)
- [Commits](CycloneDX/cyclonedx-python-lib@v11.7.0...v11.11.0)

Updates `distlib` from 0.4.0 to 0.4.3
- [Release notes](https://github.com/pypa/distlib/releases)
- [Changelog](https://github.com/pypa/distlib/blob/master/CHANGES.rst)
- [Commits](pypa/distlib@0.4.0...0.4.3)

Updates `filelock` from 3.29.0 to 3.29.4
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.29.0...3.29.4)

Updates `httpcore2` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/pydantic/httpx2/releases)
- [Commits](pydantic/httpx2@v2.3.0...v2.4.0)

Updates `lxml` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.1.0...lxml-6.1.1)

Updates `narwhals` from 2.20.0 to 2.22.1
- [Release notes](https://github.com/narwhals-dev/narwhals/releases)
- [Commits](narwhals-dev/narwhals@v2.20.0...v2.22.1)

Updates `platformdirs` from 4.9.6 to 4.10.0
- [Release notes](https://github.com/tox-dev/platformdirs/releases)
- [Changelog](https://github.com/tox-dev/platformdirs/blob/main/docs/changelog.rst)
- [Commits](tox-dev/platformdirs@4.9.6...4.10.0)

Updates `pyopenssl` from 26.2.0 to 26.3.0
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@26.2.0...26.3.0)

Updates `python-discovery` from 1.3.0 to 1.4.2
- [Release notes](https://github.com/tox-dev/python-discovery/releases)
- [Changelog](https://github.com/tox-dev/python-discovery/blob/main/docs/changelog.rst)
- [Commits](tox-dev/python-discovery@1.3.0...1.4.2)

Updates `soupsieve` from 2.8.3 to 2.8.4
- [Release notes](https://github.com/facelessuser/soupsieve/releases)
- [Commits](facelessuser/soupsieve@2.8.3...2.8.4)

Updates `stevedore` from 5.7.0 to 5.8.0

Updates `tzlocal` from 5.3.1 to 5.4.3
- [Changelog](https://github.com/regebro/tzlocal/blob/master/CHANGES.txt)
- [Commits](regebro/tzlocal@5.3.1...5.4.3)

Updates `virtualenv` from 21.3.1 to 21.5.1
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@21.3.1...21.5.1)

---
updated-dependencies:
- dependency-name: anyio
  dependency-version: 4.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: certifi
  dependency-version: 2026.6.17
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: fastapi
  dependency-version: 0.138.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: greenlet
  dependency-version: 3.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: matplotlib
  dependency-version: 3.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: numpy
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pypdf
  dependency-version: 6.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: scipy
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: sqlalchemy
  dependency-version: 2.0.51
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: webauthn
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: redis
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: sentence-transformers
  dependency-version: 5.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: mutagen
  dependency-version: 1.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pillow-heif
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.155.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: httpx2
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: maturin
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: ast-serialize
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: cbor2
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: cyclonedx-python-lib
  dependency-version: 11.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: distlib
  dependency-version: 0.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: filelock
  dependency-version: 3.29.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: httpcore2
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: narwhals
  dependency-version: 2.22.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: platformdirs
  dependency-version: 4.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: pyopenssl
  dependency-version: 26.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: python-discovery
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: soupsieve
  dependency-version: 2.8.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-minor-patch
- dependency-name: stevedore
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: tzlocal
  dependency-version: 5.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
- dependency-name: virtualenv
  dependency-version: 21.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies label (Pull requests that update a dependency file) on Jun 30, 2026