deps(python)(deps): bump the python-minor-patch group across 1 directory with 3 updates

[dependabot]

Bumps the python-minor-patch group with 3 updates in the / directory: transformers, fastapi and uvicorn.

Updates transformers from 5.0.0rc3 to 5.12.0

Release notes

Sourced from transformers's releases.

Release v5.12.0

New Model additions

MiniMax-M3-VL

MiniMax-M3-VL is the vision-language member of the MiniMax-M3 family that pairs a CLIP-style vision tower with 3D rotary position embeddings with the MiniMax-M3 text backbone. It uses a mixed dense/sparse Mixture-of-Experts decoder with SwiGLU-OAI gated experts and a lightning indexer for block-sparse attention. The model processes images through a Conv3d patch embedding system and includes specialized components for efficient multimodal understanding and generation.

Links: Documentation

• Add minimax m3vl (#46600) by @​ArthurZucker in #46600

PP-OCRv6: update documentation and slow tests (#46576)

The official weights for PP-OCRv6 are out: PP-OCRv6 is a lightweight OCR system that combines architectural innovation with data-centric optimization. It redesigns the backbone, detection neck, and recognition neck around a unified MetaFormer-style building block with structural reparameterization. Three model tiers (medium, small, tiny) share the same block primitives, covering deployment scenarios from server to edge.

• PP-OCRv6: update documentation and slow tests (#46576) by @ zhang-prog

Add Parakeet-RNNT (#46331)

ParakeetForRNNT: a Fast Conformer Encoder + an RNN-T (RNN Transducer) decoder

• RNN-T Decoder: Standard neural transducer:
  • LSTM prediction network maintains language context across token predictions.
    • Joint network combines encoder and decoder outputs.
    • Greedy transducer decoding for inference: a blank emission advances the encoder frame by one, a non-blank emission stays on the same frame.

• Add Parakeet-RNNT (#46331) by @​eustlb

Bugfixes and improvements

• [CI] don't export OTELs within the tests (#46602) by @​tarekziade in #46602
• [CI] capture checkers output in OTEL (#46601) by @​tarekziade in #46601
• Lfm2: thread seq_idx through ShortConv for packed/varlen inputs (#46588) by @​ChangyiYang in #46588
• put output_hidden_states into filter_output_hidden_states (#46422) by @​molbap in #46422
• a11 for checkers (#46599) by @​tarekziade in #46599
• Fix stop string matching for byte-fragment tokens (#46530) by @​Incheonkirin in #46530
• [DiffusionGemma] better docs and links (#46569) by @​gante in #46569
• Require trust_remote_code to run a local-directory custom_generate (#46483) by @​LinZiyuu in #46483
• Fix torchaudio version not tied to torch version in docker file (#46594) by @​ydshieh in #46594
• [CI] Enable PR CI for all fork PRs via security gate (#46591) by @​ydshieh in #46591
• [CB] [Minor] Add parameter to tune default compile level (#46533) by @​remi-or in #46533
• Make DiffusionGemma trainable (#46568) by @​kashif in #46568

... (truncated)

Commits

• e0e7504 Revert "fix security issue with allow all kernels"
• 7904f30 fix security issue with allow all kernels
• d77d573 fix kernel path
• f7999c7 v5.12.0
• 4c5d4fd Add minimax m3vl (#46600)
• 5957e6f [CI] capture checkers output in OTEL (#46601)
• 2d68208 Lfm2: thread seq_idx through ShortConv for packed/varlen inputs (#46588)
• 0627d52 put output_hidden_states into filter_output_hidden_states (#46422)
• cd67dbf a11 for checkers (#46599)
• a16a9c7 Fix stop string matching for byte-fragment tokens (#46530)
• Additional commits viewable in compare view

Updates fastapi from 0.136.3 to 0.137.0

Release notes

Sourced from fastapi's releases.

0.137.0

Breaking Changes

• ♻️ Refactor internals to preserve APIRouter and APIRoute instances. PR #15745 by @​tiangolo.

Unblocks ✨ SO MANY THINGS ✨

Before this, router.include_router(other_router) would take each path operation from other_router and "clone" it, or recreate it from scratch.

This would mean that in the end there was only one top level router, part of the app.

The way it is structured here is that there are a few additional classes to handle intermediate metadata for router and route inclusion. That way the information of "router X includes Y and Y includes Z" is stored somewhere, without affecting (recreating / clonning) the final route.

Non Objectives

Dependencies for 404: previously I intended to support dependencies that would be executed even for 404, but that would conflict with the fact that a router could not find a match, but the next router did find a match. Executing dependencies in the router that did not find a match would not make sense, they could consume the request, body, etc. This original idea was discarded.

Specific Breaking Changes

Now router.routes is no longer a plain list of APIRoute objects, it can contain these intermediate objects that can contain additional routers, forming a tree.

Any logic that depended on iterating on the router.routes directly would be affected, that logic cannot expect to be able to extract data from a plain list of routes, as it's no longer a plain list but a tree.

Additionally, any logic that iterated on router.routes to modify them would now also see these new objects, and would not see all the routes in the app.

router.routes should be considered an internal implementation detail, only passed around to the FastAPI functions that need it.

Features

• Adding routes (path operations) after a router is included now works, they are reflected as they are not copied.
• Including subrouter in mainrouter can be done before adding routes (path operations) to subrouter, because now the the entire object is stored instead of copying the routes.
• As routes are not copied, in some cases that might save some memory.

Alpha Features

This is not documented yet, so it's not officially supported yet and could change in the future.

But, as APIRoute and APIRouter instances are now preserved, they could be customized.

APIRouter has two new methods, .matches() and .handle(), counterpart to the existing ones in APIRoute. With this a router could customize how it matches and handles requests. For example, it could match only requests that include some specific header, for example for handling versions in headers.

Still, for now, consider this very experimental and potentially changing and breaking in the future.

Future Features Enabled

• Custom APIRoute subclasses (undocumented, but alraedy works as desccribed above)
• Custom APIRouter subclasses (undocumented, but already works as described above)
• Dependencies per router
• Exception handlers per router
• Middleware per router

... (truncated)

Commits

• 9a9c4ad 🔖 Release version 0.137.0 (#15748)
• c6d5897 📝 Update release notes
• 31d097f 📝 Update release notes (#15747)
• ba609a8 📝 Update release notes
• 8e1d774 ♻️ Refactor internals to preserve APIRouter and APIRoute instances (#15745)
• 016ab76 📝 Update release notes
• e2fcd55 🔧 Update sponsors: remove TalorData (#15744)
• d3e6a29 📝 Update release notes
• e4b6a36 🔧 Update sponsors: remove ExoFlare (#15736)
• 944fb70 📝 Update release notes
• Additional commits viewable in compare view

Updates uvicorn from 0.48.0 to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

• Bump httptools minimum version to 0.8.0 by @​Kludex in Kludex/uvicorn#2962
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) by @​Kludex in Kludex/uvicorn#2971

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

• Bump httptools minimum version to 0.8.0 (#2962)
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

Commits

• 3ef2e3e Version 0.49.0 (#2973)
• eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
• 630f4ac Make the watchfiles reload tests deterministic (#2972)
• 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
• 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
• be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
• c489d7e Bump httptools minimum version to 0.8.0 (#2962)
• 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
• 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
• cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Assignees

The following users could not be added as assignees: POWDER-RANGER/civwatch-maintainers. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.