Skip to content

Bump the prod-dependencies group across 1 directory with 6 updates#115

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/prod-dependencies-e37ac11bf1
Open

Bump the prod-dependencies group across 1 directory with 6 updates#115
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/prod-dependencies-e37ac11bf1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Copy link
Copy Markdown
Contributor

Bumps the prod-dependencies group with 6 updates in the / directory:

Package From To
beautifulsoup4 4.14.3 4.15.0
fastexcel 0.19.0 0.20.2
lxml 6.0.2 6.1.1
polars 1.38.1 1.41.2
pyarrow 23.0.1 24.0.0
requests 2.32.5 2.34.2

Updates beautifulsoup4 from 4.14.3 to 4.15.0

Updates fastexcel from 0.19.0 to 0.20.2

Release notes

Sourced from fastexcel's releases.

v0.20.2

What's Changed

Full Changelog: ToucanToco/fastexcel@v0.20.1...v0.20.2

v0.20.1

What's Changed

Full Changelog: ToucanToco/fastexcel@v0.20.0...v0.20.1

Commits

Updates lxml from 6.0.2 to 6.1.1

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

... (truncated)

Commits
  • b4a4c59 Build: Fix build in Py3.8.
  • a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
  • 7287a75 Prepare release of 6.1.1.
  • 5927a6d Add missing "xlink:href" to the known HTML link attributes.
  • 23efeb4 Build: Fix build in Py3.8.
  • 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
  • 8a35fcc Fix doctest in PyPy3.9.
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • Additional commits viewable in compare view

Updates polars from 1.38.1 to 1.41.2

Release notes

Sourced from polars's releases.

Python Polars 1.41.2

🚀 Performance improvements

  • Update to new jemalloc (#27797)
  • Do not materialize ScalarColumn in Column split_at (#27782)
  • Avoid materializing broadcast in array.shift (#27740)
  • Avoid materializing broadcast list in list.sample(n) and list.sample(frac) (#27679)

✨ Enhancements

  • Update to new jemalloc (#27797)

🐞 Bug fixes

  • Broken link to AI Policy corrected (#27793)
  • Update to new jemalloc (#27797)

📖 Documentation

  • Update Polars On-Prem version stamp (#27799)
  • Broken link to AI Policy corrected (#27793)
  • Add release dates to the On-Prem releases page (#27787)
  • Improve on-prem docs (#27788)
  • Add query profiler video to On-Prem user guide (#27786)
  • Add EKS/AKS/GKE guides (#27774)
  • Add Polars On-Prem 0.4.2 (#27780)

🛠️ Other improvements

  • Run Pyrefly on _utils and functions (#27789)
  • Harden against async blocking deadlocks (take 2) (#27767)

Thank you to all our contributors for making this release possible! @​ButteryPaws, @​EndPositive, @​Kevin-Patyk, @​MarcoGorelli, @​TNieuwdorp, @​azimafroozeh, @​carnarez, @​kdn36, @​lun3x, @​orlp and @​ritchie46

Python Polars 1.41.1

🚀 Performance improvements

  • Adaptive size dispatch to hashset or radix sort + capacity-aware reset in agg_n_unique (#27719)

✨ Enhancements

  • Allow deeper expressions (#27768)

🐞 Bug fixes

  • Raise length mismatch in multiple sort_by in group_by (#27772)
  • Respect min_samples for rolling_by ops with nulls (#27706)
  • Fix memory usage regression affecting TPCH Q22 (#27758)
  • Add POLARS_ALLOW_NESTED_CSPE env var and make nested CSPE opt-in (#27765)

... (truncated)

Commits

Updates pyarrow from 23.0.1 to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Apache Arrow 24.0.0 RC0

Release Notes: Release Candidate: 24.0.0 RC0

Commits
  • 31b4b6c MINOR: [Release] Update versions for 24.0.0
  • 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
  • a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
  • 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
  • a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
  • 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
  • f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
  • fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
  • 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
  • 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
  • Additional commits viewable in compare view

Updates requests from 2.32.5 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

  • Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

  • Widened json input type from dict and list to Mapping and Sequence. (#7436)
  • Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
  • Response.reason moved from str | None to str to improve handling for users. (#7437)
  • Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

  • Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

    Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

  • Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
  • Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
  • Requests added support for Python 3.14t. (#7419)

Bugfixes

  • Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
  • Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

  • Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

  • Widened json input type from dict and list to Mapping and Sequence. (#7436)
  • Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
  • Response.reason moved from str | None to str to improve handling for users. (#7437)
  • Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

  • Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

    Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

  • Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
  • Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
  • Requests added support for Python 3.14t. (#7419)

Bugfixes

  • Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
  • Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
  • Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) | `4.14.3` | `4.15.0` |
| [fastexcel](https://github.com/ToucanToco/fastexcel) | `0.19.0` | `0.20.2` |
| [lxml](https://github.com/lxml/lxml) | `6.0.2` | `6.1.1` |
| [polars](https://github.com/pola-rs/polars) | `1.38.1` | `1.41.2` |
| [pyarrow](https://github.com/apache/arrow) | `23.0.1` | `24.0.0` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.34.2` |



Updates `beautifulsoup4` from 4.14.3 to 4.15.0

Updates `fastexcel` from 0.19.0 to 0.20.2
- [Release notes](https://github.com/ToucanToco/fastexcel/releases)
- [Commits](ToucanToco/fastexcel@v0.19.0...v0.20.2)

Updates `lxml` from 6.0.2 to 6.1.1
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.1)

Updates `polars` from 1.38.1 to 1.41.2
- [Release notes](https://github.com/pola-rs/polars/releases)
- [Commits](pola-rs/polars@py-1.38.1...py-1.41.2)

Updates `pyarrow` from 23.0.1 to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-23.0.1...apache-arrow-24.0.0)

Updates `requests` from 2.32.5 to 2.34.2
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.34.2)

---
updated-dependencies:
- dependency-name: beautifulsoup4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: fastexcel
  dependency-version: 0.20.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: lxml
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: polars
  dependency-version: 1.41.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: prod-dependencies
- dependency-name: requests
  dependency-version: 2.34.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants