Bump the python-deps group across 1 directory with 10 updates

[dependabot]

Updates the requirements on fastmcp, uvicorn, pydantic, pydantic-settings, pyjwt, pyyaml, pytest, pytest-asyncio, pytest-cov and httpx to permit the latest version.
Updates fastmcp to 3.2.4

Release notes

Sourced from fastmcp's releases.

v3.2.4: Patch Me If You Can

A grab bag of fixes, hardening, and polish.

The headline behavior change: background tasks are now scoped to the authorization context rather than the MCP session, so a task kicked off by an authenticated user survives session churn and stays tied to who started it. This is a breaking change for anyone relying on the old session-scoped semantics.

Security got three meaningful upgrades. FileUpload now validates actual decoded base64 size instead of trusting the client-reported number, so an attacker can't claim "10 bytes" and deliver 10MB. The proxy client stops forwarding inbound HTTP headers to unrelated remote servers — previously a header meant for server A could leak to server B. And AuthKit now auto-binds token audience to the resource URL per RFC 8707, closing a token-reuse gap across MCP resources.

Schema handling had a rough-edges pass. json_schema_to_type no longer crashes on Python keywords, boolean schemas, empty enums, or name collisions, and we added a 232K-schema crash test from APIs.guru to keep it honest. Gemini 2.5 Flash compatibility is fixed by stripping title fields the model rejects. Parameter descriptions are now extracted from docstrings automatically, so your tool signatures document themselves.

Plus a Keycloak OAuth provider for enterprise auth, improvements to ctx.elicit() (new response_title/response_description, deprecation warning when called without response_type), and dozens of smaller fixes across transforms, retry middleware, resource templates, and client disconnect handling.

What's Changed

Breaking Changes ⚠️

• Scope tasks to authorization context, not session by @​chrisguidry in PrefectHQ/fastmcp#3800

Enhancements ✨

• Bump pydocket>=0.19.0, drop fakeredis pin by @​chrisguidry in PrefectHQ/fastmcp#3822
• Add real-world schema crash test (232K schemas from APIs.guru) by @​strawgate in PrefectHQ/fastmcp#3826
• Enable 7 zero-violation ruff rules by @​strawgate in PrefectHQ/fastmcp#3841
• Promote 7 ty rules from ignore to warn by @​strawgate in PrefectHQ/fastmcp#3852
• Replace ___ with hash-based backend tool routing and per-tool prefab resources by @​jlowin in PrefectHQ/fastmcp#3824
• Enable 4 ruff rules (DTZ, ERA, ISC, INP) and fix 9 violations by @​strawgate in PrefectHQ/fastmcp#3842
• Extract parameter descriptions from docstrings by @​jlowin in PrefectHQ/fastmcp#3872
• ci: speed up schema crash test (CSafeLoader + xdist-safe aggregation) by @​jlowin in PrefectHQ/fastmcp#3873
• test: bump OpenAPI init perf threshold to 200ms for Windows CI by @​jlowin in PrefectHQ/fastmcp#3879
• refactor: unify object-schema conversion through _object_schema_to_type by @​jlowin in PrefectHQ/fastmcp#3884
• Add Keycloak OAuth Provider for Enterprise Authentication and local dev by @​stephaneberle9 in PrefectHQ/fastmcp#1937
• Allow auth providers to override protected resource base URLs by @​aaazzam in PrefectHQ/fastmcp#3900
• Enable PERF and T20 ruff rules by @​strawgate in PrefectHQ/fastmcp#3845
• Add response_title and response_description to ctx.elicit() by @​jlowin in PrefectHQ/fastmcp#3912
• Deprecate ctx.elicit() without response_type by @​jlowin in PrefectHQ/fastmcp#3916

Security 🔒

• Validate actual base64 data size in FileUpload, not client-reported size by @​strawgate in PrefectHQ/fastmcp#3816
• Stop forwarding inbound HTTP headers to unrelated remote servers by @​jlowin in PrefectHQ/fastmcp#3837
• AuthKit: auto-bind token audience to resource URL (RFC 8707) by @​jlowin in PrefectHQ/fastmcp#3905

Fixes 🐞

• Version-check is_docket_available() to avoid transitive pydocket crash by @​jlowin in PrefectHQ/fastmcp#3807
• fix: materialize generators before result conversion, handle bytes gracefully by @​strawgate in PrefectHQ/fastmcp#3830
• Fix json_schema_to_type crashes on keywords, boolean schemas, empty enums, and name collisions by @​strawgate in PrefectHQ/fastmcp#3818
• fix: replace or with is not None checks for config/override merging by @​strawgate in PrefectHQ/fastmcp#3833
• fix: TransformedTool sync fn crash and schema mutation by @​strawgate in PrefectHQ/fastmcp#3823
• fix: cross-provider duplicate detection, error visibility, mask propagation by @​strawgate in PrefectHQ/fastmcp#3827
• fix: don't pass HTTP kwargs when transport is unspecified by @​strawgate in PrefectHQ/fastmcp#3838
• fix: strip title fields from tool schemas for Gemini 2.5 Flash compatibility by @​strawgate in PrefectHQ/fastmcp#3861
• fix: retry when LLM returns text instead of calling final_response by @​strawgate in PrefectHQ/fastmcp#3850
• Raise on unhandled content types in sampling handler dispatch chains by @​strawgate in PrefectHQ/fastmcp#3857
• Fix broken code examples in docs by @​strawgate in PrefectHQ/fastmcp#3869
• fix: GoogleGenaiSamplingHandler leaks thought parts and gives unhelpful errors on empty responses by @​strawgate in PrefectHQ/fastmcp#3849

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.1.1: 'Tis But a Patch

Pins pydantic-monty below 0.0.8 to fix a breaking change in Monty that affects code mode. Monty 0.0.8 removed the external_functions constructor parameter, causing MontySandboxProvider to fail. This patch caps the version so existing installs work correctly.

Fixes 🐞

• Pin pydantic-monty below 0.0.8 to fix code mode by @​jlowin in #3497

Full Changelog: v3.1.0...v3.1.1

v3.1.0: Code to Joy

FastMCP 3.1 is the Code Mode release. The 3.0 architecture introduced providers and transforms as the extensibility layer — 3.1 puts that architecture to work, shipping the most requested capability since launch: servers that can find and execute code on behalf of agents, without requiring clients to know what tools exist.

New Features 🎉

• feat: Search transforms for tool discovery by @​jlowin in #3154
• Add experimental CodeMode transform by @​aaazzam in #3297
• Add Prefab Apps integration for MCP tool UIs by @​jlowin in #3316

Enhancements 🔧

• Lazy-load heavy imports to reduce import time by @​jlowin in #3295
• Add http_client parameter to all token verifiers for connection pooling by @​jlowin in #3300
• Add in-memory caching for token introspection results by @​jlowin in #3298
• Add SessionStart hook to install gh CLI in cloud sessions by @​jlowin in #3308
• Fix ty 0.0.19 type errors by @​jlowin in #3310
• Code Mode: Add resource limits to MontySandboxProvider by @​jlowin in #3326
• Accept transforms as FastMCP init kwarg by @​jlowin in #3324
• Split large test files to comply with loq line limit by @​jlowin in #3328
• Add -m/--module flag to fastmcp run and dev inspector by @​dgenio in #3331
• Add search_result_serializer hook and serialize_tools_for_output_markdown by @​MagnusS0 in #3337
• Add MultiAuth for composing multiple token verification sources by @​jlowin in #3335
• Adds PropelAuth as an AuthProvider by @​andrew-propelauth in #3358
• Replace vendored DI with uncalled-for by @​chrisguidry in #3301
• Decompose CodeMode into composable discovery tools by @​jlowin in #3354
• feat(contrib): auto-sync MCPMixin decorators with from_function signatures by @​AnkeshThakur in #3323
• Add Google GenAI Sampling Handler by @​strawgate in #2977
• Add ListTools, search limit, and catalog size annotation to CodeMode by @​jlowin in #3359
• Allow configuring FastMCP transport setting in the same way as other configuration by @​jvdmr in #1796
• Add include_unversioned option to VersionFilter by @​yangbaechu in #3349

... (truncated)

Commits

• 7d76074 Stop pydantic 2.13 from leaking _WrappedResult docstring into tool output sch...
• b732a4a Overhaul apps docs (#3915)
• 5c2ff1b chore: Update SDK documentation (#3914)
• f4f2ec0 Deprecate ctx.elicit() without response_type (#3916)
• 338b80c chore(deps): bump the uv group across 2 directories with 1 update (#3913)
• 110cd3a Add response_title and response_description to ctx.elicit() (#3912)
• 3117846 chore: Update SDK documentation (#3909)
• 031c7e0 Fix RetryMiddleware not retrying tool errors (#3858)
• 200d79e Enable PERF and T20 ruff rules (#3845)
• 82f310f AuthKit: auto-bind token audience to resource URL (RFC 8707) (#3905)
• Additional commits viewable in compare view

Updates uvicorn to 0.45.0

Release notes

Sourced from uvicorn's releases.

Version 0.45.0

What's Changed

• Preserve forwarded client ports in proxy headers middleware by @​Kludex in Kludex/uvicorn#2903
• Accept os.PathLike for log_config by @​Kludex in Kludex/uvicorn#2905
• Accept log_level strings case-insensitively by @​Kludex in Kludex/uvicorn#2907
• Raise helpful ImportError when PyYAML is missing for YAML log config by @​Kludex in Kludex/uvicorn#2906
• Revert empty context for ASGI runs by @​Kludex in Kludex/uvicorn#2911
• Add --reset-contextvars flag to isolate ASGI request context by @​Kludex in Kludex/uvicorn#2912
• Revert "Emit http.disconnect on server shutdown for streaming responses" (#2829) by @​Kludex in Kludex/uvicorn#2913

New Contributors

• @​Krishnachaitanyakc made their first contribution in Kludex/uvicorn#2870

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

Changelog

Sourced from uvicorn's changelog.

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

Changed

• Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
• Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

• Preserve forwarded client ports in proxy headers middleware (#2903)
• Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)

0.44.0 (April 6, 2026)

Added

• Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

0.42.0 (March 16, 2026)

Changed

• Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

• Escape brackets and backslash in httptools HEADER_RE regex (#2824)
• Fix multiple issues in websockets sans-io implementation (#2825)

0.41.0 (February 16, 2026)

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#2707)

... (truncated)

Commits

• 2c423bd Version 0.45.0 (#2914)
• 7f027f8 Revert "Emit http.disconnect on server shutdown for streaming responses" (#...
• 73a80c3 Add --reset-contextvars flag to isolate ASGI request context (#2912)
• 45c0b56 Revert empty context for ASGI runs (#2911)
• 850d926 Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
• fdcacb4 Accept log_level strings case-insensitively (#2907)
• 70f247f Accept os.PathLike for log_config (#2905)
• 18edfa7 Preserve forwarded client ports in proxy headers middleware (#2903)
• 77843e0 Stabilize websocket keepalive ping test (#2904)
• 3703339 chore(deps-dev): bump pytest from 9.0.2 to 9.0.3 (#2902)
• Additional commits viewable in compare view

Updates pydantic to 2.13.3

Release notes

Sourced from pydantic's releases.

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

Changelog

Sourced from pydantic's changelog.

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features

• Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

... (truncated)

Commits

• 9e9a111 Fix backported test
• 1ec8c6a Prepare release v2.13.3
• fb4f204 Handle AttributeError subclasses with from_attributes
• ca3ddd1 Prepare release v2.13.2
• 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
• d45d8be Prepare release 2.13.1
• 54aca60 Fix ValidationInfo.data missing with model_validate_json()
• 46bf4fa Fix Pydantic release workflow (#13067)
• 1b359ed Prepare release v2.13.0 (#13065)
• b1bf194 Fix model equality when using runtime extra configuration (#13062)
• Additional commits viewable in compare view

Updates pydantic-settings to 2.14.0

Release notes

Sourced from pydantic-settings's releases.

v2.14.0

What's Changed

• Fix parsing env vars into Optional Strict types by @​hramezani in pydantic/pydantic-settings#792
• Fix RecursionError with mutually recursive models in CLI by @​hramezani in pydantic/pydantic-settings#794
• Fix env_file from model_config ignored in CliApp.run() (#795) by @​hramezani in pydantic/pydantic-settings#796
• Update dependencies by @​hramezani in pydantic/pydantic-settings#798
• Add Dependabot configuration by @​hramezani in pydantic/pydantic-settings#801
• Bump samuelcolvin/check-python-version from 4.1 to 5 by @​dependabot[bot] in pydantic/pydantic-settings#802
• Bump actions/upload-artifact from 4 to 7 by @​dependabot[bot] in pydantic/pydantic-settings#803
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in pydantic/pydantic-settings#804
• Bump astral-sh/setup-uv from 5 to 7 by @​dependabot[bot] in pydantic/pydantic-settings#805
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in pydantic/pydantic-settings#806
• Ignore chardet and group GitHub Actions in Dependabot by @​hramezani in pydantic/pydantic-settings#808
• Bump actions/download-artifact from 4 to 8 in the github-actions group by @​dependabot[bot] in pydantic/pydantic-settings#809
• Bump the python-packages group with 2 updates by @​dependabot[bot] in pydantic/pydantic-settings#810
• Support reading .env files from FIFOs (e.g. 1Password Environments) by @​JacobHayes in pydantic/pydantic-settings#776
• Fix AliasChoices ignored when changing provider priority by @​hramezani in pydantic/pydantic-settings#813
• fix: resolve KeyError in run_subcommand for underscore field names by @​bradykieffer in pydantic/pydantic-settings#799
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#814
• Fix Literal[numeric Enum] coercion for CLI and env vars by @​m9810223 in pydantic/pydantic-settings#811
• Fix nested discriminated unions not discovered by env/CLI providers by @​hramezani in pydantic/pydantic-settings#816
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#820
• CLI ensure env nested max split internally. by @​kschwab in pydantic/pydantic-settings#821
• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#824
• Migrate boto3-stubs to types-boto3 by @​hramezani in pydantic/pydantic-settings#831
• Fix CLI not recognizing field name with validate_by_name and AliasChoices by @​hramezani in pydantic/pydantic-settings#826
• Allow customisation of the dotevn setting source to filter variables by @​CaselIT in pydantic/pydantic-settings#832
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#833
• Introduce yamlfmt by @​Viicos in pydantic/pydantic-settings#836
• Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by @​dependabot[bot] in pydantic/pydantic-settings#837
• Introduce zizmor by @​Viicos in pydantic/pydantic-settings#838
• Fix CliPositionalArg[list[CustomType]] crash for custom types by @​hramezani in pydantic/pydantic-settings#839
• Add note about Mypy plugin for BaseSettings.__init__() by @​Viicos in pydantic/pydantic-settings#842
• Fix cli_ignore_unknown_args=True not working on subcommands by @​hramezani in pydantic/pydantic-settings#844
• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#847
• Fix CLI descriptions lost under python -OO by falling back to json_schema_extra by @​hramezani in pydantic/pydantic-settings#843
• Prepare release 2.14.0 by @​hramezani in pydantic/pydantic-settings#848

New Contributors

• @​dependabot[bot] made their first contribution in pydantic/pydantic-settings#802
• @​JacobHayes made their first contribution in pydantic/pydantic-settings#776
• @​bradykieffer made their first contribution in pydantic/pydantic-settings#799
• @​CaselIT made their first contribution in pydantic/pydantic-settings#832

Full Changelog: pydantic/pydantic-settings@v2.13.1...v2.14.0

Commits

• 8916bee Prepare release 2.14.0 (#848)
• 39e551c Fix CLI descriptions lost under python -OO by falling back to `json_schema_...
• 9ed7f48 Bump the python-packages group with 4 updates (#847)
• 617c690 Fix cli_ignore_unknown_args=True not working on subcommands (#844)
• 577c05f Add note about Mypy plugin for BaseSettings.__init__() (#842)
• 2355bc5 Fix CliPositionalArg[list[CustomType]] crash for custom types (#839)
• 16bd6fd Introduce zizmor (#838)
• df8b239 Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group (#837)
• c5401a2 Introduce yamlfmt (#836)
• 953e28e Bump the python-packages group with 3 updates (#833)
• Additional commits viewable in compare view

Updates pyjwt to 2.12.1

Release notes

Sourced from pyjwt's releases.

2.12.1

What's Changed

• Add typing_extensions dependency for Python < 3.11 by @​jpadilla in jpadilla/pyjwt#1151

Full Changelog: jpadilla/pyjwt@2.12.0...2.12.1

Changelog

Sourced from pyjwt's changelog.

v2.12.1 <https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1>__

Fixed

- Add missing ``typing_extensions`` dependency for Python < 3.11 in `[#1150](https://github.com/jpadilla/pyjwt/issues/1150) <https://github.com/jpadilla/pyjwt/issues/1150>`__
v2.12.0 &lt;https://github.com/jpadilla/pyjwt/compare/2.11.0...2.12.0&gt;__
Fixed

• Annotate PyJWKSet.keys for pyright by @​tamird in [#1134](https://github.com/jpadilla/pyjwt/issues/1134) <https://github.com/jpadilla/pyjwt/pull/1134>__
• Close HTTPError response to prevent ResourceWarning on Python 3.14 by @​veeceey in [#1133](https://github.com/jpadilla/pyjwt/issues/1133) <https://github.com/jpadilla/pyjwt/pull/1133>__
• Do not keep algorithms dict in PyJWK instances by @​akx in [#1143](https://github.com/jpadilla/pyjwt/issues/1143) <https://github.com/jpadilla/pyjwt/pull/1143>__
• Validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. by @​dmbs335 in GHSA-752w-5fwx-jx9f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f>__
• Use PyJWK algorithm when encoding without explicit algorithm in [#1148](https://github.com/jpadilla/pyjwt/issues/1148) <https://github.com/jpadilla/pyjwt/pull/1148>__

Added

- Docs: Add ``PyJWKClient`` API reference and document the two-tier caching system (JWK Set cache and signing key LRU cache).
v2.11.0 <https://github.com/jpadilla/pyjwt/compare/2.10.1...2.11.0>__
Fixed

• Enforce ECDSA curve validation per RFC 7518 Section 3.4.
• Fix build system warnings by @​kurtmckee in [#1105](https://github.com/jpadilla/pyjwt/issues/1105) <https://github.com/jpadilla/pyjwt/pull/1105>__
• Validate key against allowed types for Algorithm family in [#964](https://github.com/jpadilla/pyjwt/issues/964) <https://github.com/jpadilla/pyjwt/pull/964>__
• Add iterator for JWKSet in [#1041](https://github.com/jpadilla/pyjwt/issues/1041) <https://github.com/jpadilla/pyjwt/pull/1041>__
• Validate iss claim is a string during encoding and decoding by @​pachewise in [#1040](https://github.com/jpadilla/pyjwt/issues/1040) <https://github.com/jpadilla/pyjwt/pull/1040>__
• Improve typing/logic for options in decode, decode_complete by @​pachewise in [#1045](https://github.com/jpadilla/pyjwt/issues/1045) <https://github.com/jpadilla/pyjwt/pull/1045>__
• Declare float supported type for lifespan and timeout by @​nikitagashkov in [#1068](https://github.com/jpadilla/pyjwt/issues/1068) <https://github.com/jpadilla/pyjwt/pull/1068>__
• Fix SyntaxWarning\s/DeprecationWarning\s caused by invalid escape sequences by @​kurtmckee in [#1103](https://github.com/jpadilla/pyjwt/issues/1103) <https://github.com/jpadilla/pyjwt/pull/1103>__
• Development: Build a shared wheel once to speed up test suite setup times by @​kurtmckee in [#1114](https://github.com/jpadilla/pyjwt/issues/1114) <https://github.com/jpadilla/pyjwt/pull/1114>__
• Development: Test type annotations across all supported Python versions, increase the strictness of the type checking, and remove the mypy pre-commit hook by @​kurtmckee in [#1112](https://github.com/jpadilla/pyjwt/issues/1112) <https://github.com/jpadilla/pyjwt/pull/1112>__

Added

- Support Python 3.14, and test against PyPy 3.10 and 3.11 by @kurtmckee in `[#1104](https://github.com/jpadilla/pyjwt/issues/1104) <https://github.com/jpadilla/pyjwt/pull/1104>`__
- Development: Migrate to ``build`` to test package building in CI by @kurtmckee in `[#1108](https://github.com/jpadilla/pyjwt/issues/1108) <https://github.com/jpadilla/pyjwt/pull/1108>`__
- Development: Improve coverage config and eliminate unused test suite code by @kurtmckee in `[#1115](https://github.com/jpadilla/pyjwt/issues/1115) <https://github.com/jpadilla/pyjwt/pull/1115>`__
</tr></table> 

... (truncated)

Commits

• a4e1a3d Add typing_extensions dependency for Python < 3.11 (#1151)
• bd9700c Use PyJWK algorithm when encoding without explicit algorithm (#1148)
• 051ea34 Merge commit from fork
• 1451d70 fix: do not store reference to algorithms dict on PyJWK (#1143)
• f3ba74c [pre-commit.ci] pre-commit autoupdate (#1145)
• 0318ffa [pre-commit.ci] pre-commit autoupdate (#1141)
• a52753d Bump actions/download-artifact from 7 to 8 (#1142)
• b85050f chore(tests): enable mypy (#1138)
• 1272b26 [pre-commit.ci] pre-commit autoupdate (#1135)
• 99a8728 chore: remove superfluous constants (#1136)
• Additional commits viewable in compare view

Updates pyyaml to 6.0.3

Release notes

Sourced from pyyaml's releases.

6.0.3

What's Changed

• Support for Python 3.14 and free-threading (experimental).

Full Changelog: yaml/pyyaml@6.0.2...6.0.3

Changelog

Sourced from pyyaml's changelog.

6.0.3 (2025-09-25)

• yaml/pyyaml#864 -- Support for Python 3.14 and free-threading (experimental)

6.0.2 (2024-08-06)

• yaml/pyyaml#808 -- Support for Cython 3.x and Python 3.13

6.0.1 (2023-07-18)

• yaml/pyyaml#702 -- pin Cython build dep to < 3.0

6.0 (2021-10-13)

• yaml/pyyaml#327 -- Change README format to Markdown
• yaml/pyyaml#483 -- Add a test for YAML 1.1 types
• yaml/pyyaml#497 -- fix float resolver to ignore . and ._
• yaml/pyyaml#550 -- drop Python 2.7
• yaml/pyyaml#553 -- Fix spelling of “hexadecimal”
• yaml/pyyaml#556 -- fix representation of Enum subclasses
• yaml/pyyaml#557 -- fix libyaml extension compiler warnings
• yaml/pyyaml#560 -- fix ResourceWarning on leaked file descriptors
• yaml/pyyaml#561 -- always require Loader arg to yaml.load()
• yaml/pyyaml#564 -- remove remaining direct distutils usage

5.4.1 (2021-01-20)

• yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it

5.4 (2021-01-19)

• yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
• yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
• yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
• yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
• yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

• yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

• yaml/pyyaml#290 -- Use is instead of equality for comparing with None
• yaml/pyyaml#270 -- Fix typos and stylistic nit
• yaml/pyyaml#309 -- Fix up small typo
• yaml/pyyaml#161 -- Fix handling of slots
• yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
• yaml/pyyaml#285 -- Add use of safe_load() function in README
• yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF

... (truncated)

Commits

• 49790e7 Release 6.0.3 (#889)
• 41309b0 Release 6.0.2 (#819)
• dd9f0e1 6.0.2rc1 (#809)
• f5527a2 disable CI trigger on PR edits
• b4d80a7 Python 3.12 + musllinux_1_1_x86_64 wheel support
• c42fa3b 6.0.1 release
• ae08bdc block Cython 3.0+ as a build dep (#702)
• f873cfe Add python 3.11 support (#663)
• See full diff in compare view

Updates pytest to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (