chore(deps)(deps): Bump the all-python-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the all-python-dependencies group with 6 updates in the /backend directory:

Package	From	To
openpyxl	3.1.2	3.1.5
xlsxwriter	3.1.9	3.2.9
fastapi	0.109.0	0.128.0
uvicorn	0.25.0	0.40.0
python-multipart	0.0.6	0.0.22
python-dateutil	2.8.2	2.9.0.post0

Updates openpyxl from 3.1.2 to 3.1.5

Updates xlsxwriter from 3.1.9 to 3.2.9

Changelog

Sourced from xlsxwriter's changelog.

Release 3.2.9 - September 16 2025

• Removed the py.typed file since it was causing a lot of downstream CI failures where consumers weren't handling the xlsxwriter types correctly or taking them into account.

  The file will be re-added once the xlsxwriter typing is more comprehensive.

Release 3.2.8 - September 14 2025

• Fixed mypy implicit export error caused by the Workbook() type annotations changes in v3.2.7 and v3.2.6.

  :issue:1154.

Release 3.2.7 - September 13 2025

• Fixed typing issue in Workbook() constructor.

  :issue:1152.

Release 3.2.6 - September 12 2025

• Added an option to position custom data labels in the same way that the data labels can be positioned for the entire series.

  :feature:1147.

• Add border, fill, gradient and pattern formatting options for chart titles and also chart axis titles.

  :feature:957.

• Add additional type annotations. This is an ongoing refactoring.

  :feature:1123.

Release 3.2.5 - June 17 2025

• Fixed issue where a test function was made public incorrectly which caused warnings about a missing xlsxwriter.test module.

... (truncated)

Commits

• e943bee Prep for release 3.2.9
• 392bd9e typing: remove py.typed file
• eb99afe Prep for release 3.2.8
• 5ec2982 workbook: add explicit export for mypy compatibility
• ca85cbb Prep for release 3.2.7
• 3710251 typing: add more supported types to Workbook() constructor
• 27db7a1 Prep for release 3.2.6
• f050676 docs: add CI spell check
• 60f708c chart: add axis title formatting
• 53dc08e chart: add chart title formatting options
• Additional commits viewable in compare view

Updates fastapi from 0.109.0 to 0.128.0

Release notes

Sourced from fastapi's releases.

0.128.0

Breaking Changes

• ➖ Drop support for pydantic.v1. PR #14609 by @​tiangolo.

Internal

• ✅ Run performance tests only on Pydantic v2. PR #14608 by @​tiangolo.

0.127.1

Refactors

• 🔊 Add a custom FastAPIDeprecationWarning. PR #14605 by @​tiangolo.

Docs

• 📝 Add documentary to website. PR #14600 by @​tiangolo.

Translations

• 🌐 Update translations for de (update-outdated). PR #14602 by @​nilslindemann.
• 🌐 Update translations for de (update-outdated). PR #14581 by @​nilslindemann.

Internal

• 🔧 Update pre-commit to use local Ruff instead of hook. PR #14604 by @​tiangolo.
• ✅ Add missing tests for code examples. PR #14569 by @​YuriiMotov.
• 👷 Remove lint job from test CI workflow. PR #14593 by @​YuriiMotov.
• 👷 Update secrets check. PR #14592 by @​tiangolo.
• 👷 Run CodSpeed tests in parallel to other tests to speed up CI. PR #14586 by @​tiangolo.
• 🔨 Update scripts and pre-commit to autofix files. PR #14585 by @​tiangolo.

0.127.0

Breaking Changes

• 🔊 Add deprecation warnings when using pydantic.v1. PR #14583 by @​tiangolo.

Translations

• 🔧 Add LLM prompt file for Korean, generated from the existing translations. PR #14546 by @​tiangolo.
• 🔧 Add LLM prompt file for Japanese, generated from the existing translations. PR #14545 by @​tiangolo.

Internal

• ⬆️ Upgrade OpenAI model for translations to gpt-5.2. PR #14579 by @​tiangolo.

0.126.0

Upgrades

• ➖ Drop support for Pydantic v1, keeping short temporary support for Pydantic v2's pydantic.v1. PR #14575 by @​tiangolo.

... (truncated)

Commits

• 8322a44 🔖 Release version 0.128.0
• 4b2cfcf 📝 Update release notes
• e300630 ➖ Drop support for pydantic.v1 (#14609)
• 1b3bea8 📝 Update release notes
• 34e8841 ✅ Run performance tests only on Pydantic v2 (#14608)
• cd90c78 🔖 Release version 0.127.1
• 93f4dfd 📝 Update release notes
• 535b5da 🔊 Add a custom FastAPIDeprecationWarning (#14605)
• 6b53786 📝 Update release notes
• d98f4eb 🔧 Update pre-commit to use local Ruff instead of hook (#14604)
• Additional commits viewable in compare view

Updates uvicorn from 0.25.0 to 0.40.0

Release notes

Sourced from uvicorn's releases.

Version 0.40.0

What's Changed

• Drop Python 3.9 by @​Kludex in Kludex/uvicorn#2772

Full Changelog: Kludex/uvicorn@0.39.0...0.40.0

Version 0.39.0

What's Changed

• explicitly start ASGI run with empty context by @​pmeier in Kludex/uvicorn#2742
• fix(websockets): Send close frame on ASGI return by @​Kludex in Kludex/uvicorn#2769

New Contributors

• @​pmeier made their first contribution in Kludex/uvicorn#2742

Full Changelog: Kludex/uvicorn@0.38.0...0.39.0

Version 0.38.0

What's Changed

• Support Python 3.14 by @​Kludex in Kludex/uvicorn#2723

---

New Contributors

• @​NGANAMODEIJunior made their first contribution in Kludex/uvicorn#2713

Full Changelog: Kludex/uvicorn@0.37.0...0.38.0

Version 0.37.0

What's Changed

• Add --timeout-worker-healthcheck setting by @​Kludex in Kludex/uvicorn#2711
• Add os.PathLike[str] type to ssl_ca_certs by @​rnv812 in Kludex/uvicorn#2676

New Contributors

• @​LincolnPuzey made their first contribution in Kludex/uvicorn#2669
• @​rnv812 made their first contribution in Kludex/uvicorn#2676

Full Changelog: Kludex/uvicorn@0.36.1...0.37.0

Version 0.36.1

What's Changed

• Raise an exception when calling removed Config.setup_event_loop() by @​Kludex in Kludex/uvicorn#2709

Full Changelog: Kludex/uvicorn@0.36.0...0.36.1

Version 0.36.0

Added

• Support custom IOLOOPs by @​gnir-work in Kludex/uvicorn#2435

... (truncated)

Changelog

Sourced from uvicorn's changelog.

0.40.0 (December 21, 2025)

Remove

• Drop support for Python 3.9 (#2772)

0.39.0 (December 21, 2025)

Fixed

• Send close frame on ASGI return for WebSockets (#2769)
• Explicitly start ASGI run with empty context (#2742)

0.38.0 (October 18, 2025)

Added

• Support Python 3.14 (#2723)

0.37.0 (September 23, 2025)

Added

• Add --timeout-worker-healthcheck option (#2711)
• Add os.PathLike[str] type to ssl_ca_certs (#2676)

0.36.1 (September 23, 2025)

Fixed

• Raise an exception when calling removed Config.setup_event_loop() (#2709)

0.36.0 (September 20, 2025)

Added

• Support custom IOLOOPs (#2435)
• Allow to provide importable string in --http, --ws and --loop (#2658)

0.35.0 (June 28, 2025)

Added

• Add WebSocketsSansIOProtocol (#2540)

Changed

• Refine help message for option --proxy-headers (#2653)

0.34.3 (June 1, 2025)

... (truncated)

Commits

• 9ff6004 Version 0.40.0 (#2773)
• 19df042 Drop Python 3.9 (#2772)
• 865ce7c Run strict mypy on test suite (#2771)
• 4f40b84 Version 0.39.0 (#2770)
• 5692dfc fix(websockets): Send close frame on ASGI return (#2769)
• 4194764 chore(deps): bump the github-actions group with 2 updates (#2763)
• d94bf28 explicitly start ASGI run with empty context (#2742)
• 8ae0bcb chore(deps): bump the github-actions group with 2 updates (#2748)
• 4744ff9 Add groups configuration for GitHub Actions (#2747)
• 0391372 chore(deps): bump astral-sh/setup-uv from 6.8.0 to 7.1.2 (#2746)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.6 to 0.0.22

Release notes

Sourced from python-multipart's releases.

Version 0.0.22

What's Changed

• Drop directory path from filename in File 9433f4b.

---

Full Changelog: Kludex/python-multipart@0.0.21...0.0.22

Version 0.0.21

What's Changed

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 by @​hugovk in Kludex/python-multipart#216

New Contributors

• @​waketzheng made their first contribution in Kludex/python-multipart#203

Full Changelog: Kludex/python-multipart@0.0.20...0.0.21

Version 0.0.20

What's Changed

• Handle messages containing only end boundary, fixes #38 by @​jhnstrk in Kludex/python-multipart#142

New Contributors

• @​Mr-Sunglasses made their first contribution in Kludex/python-multipart#185

Full Changelog: Kludex/python-multipart@0.0.19...0.0.20

Version 0.0.19

What's Changed

• Don't warn when CRLF is found after last boundary by @​Kludex in Kludex/python-multipart#193

---

Full Changelog: Kludex/python-multipart@0.0.18...0.0.19

Version 0.0.18

What's Changed

• Hard break if found data after last boundary on MultipartParser by @​Kludex in Kludex/python-multipart#189

---

Full Changelog: Kludex/python-multipart@0.0.17...0.0.18

Version 0.0.17

What's Changed

• Handle PermissionError in fallback code for old import name by @​defnull in Kludex/python-multipart#182

---

... (truncated)

Changelog

Sourced from python-multipart's changelog.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

0.0.20 (2024-12-16)

• Handle messages containing only end boundary #142.

0.0.19 (2024-11-30)

• Don't warn when CRLF is found after last boundary on MultipartParser #193.

0.0.18 (2024-11-28)

• Hard break if found data after last boundary on MultipartParser #189.

0.0.17 (2024-10-31)

• Handle PermissionError in fallback code for old import name #182.

0.0.16 (2024-10-27)

• Add dunder attributes to multipart package #177.

0.0.15 (2024-10-27)

• Replace FutureWarning to PendingDeprecationWarning #174.
• Add missing files to SDist #171.

0.0.14 (2024-10-24)

• Fix import scheme for multipart module (#168).

0.0.13 (2024-10-20)

• Rename import to python_multipart #166.

0.0.12 (2024-09-29)

• Improve error message when boundary character does not match #124.
• Add mypy strict typing #140.
• Enforce 100% coverage #159.

0.0.11 (2024-09-28)

• Improve performance, especially in data with many CR-LF #137.

... (truncated)

Commits

• bea7bbb Version 0.0.22 (#222)
• 0fb59a9 chore: add return type on test (#221)
• 9433f4b Merge commit from fork
• d5c91ec Bump the github-actions group with 2 updates (#219)
• 5a90631 bump uv (#218)
• 1f72955 Version 0.0.21 (#217)
• 47ecfed Add support for Python 3.14 and drop EOL 3.8 and 3.9 (#216)
• f18b709 Bump the github-actions group across 1 directory with 4 updates (#214)
• b388e9a chore: use depedency-groups in pyproject.toml (#212)
• 6113e75 Bump the github-actions group across 1 directory with 3 updates (#210)
• Additional commits viewable in compare view

Updates python-dateutil from 2.8.2 to 2.9.0.post0

Release notes

Sourced from python-dateutil's releases.

2.9.0.post0

Version 2.9.0.post0 (2024-03-01)

Bugfixes

• Pinned setuptools_scm to <8, which should make the generated _version.py file compatible with all supported versions of Python.

2.9.0

Version 2.9.0 (2024-02-29)

Data updates

• Updated tzdata version to 2024a. (gh pr #1342)

Features

• Made all dateutil submodules lazily imported using PEP 562. On Python 3.7+, things like import dateutil; dateutil.tz.gettz("America/New_York") will now work without explicitly importing dateutil.tz, with the import occurring behind the scenes on first use. The old behavior remains on Python 3.6 and earlier. Fixed by Orson Adams. (gh issue #771, gh pr #1007)

Bugfixes

• Removed a call to datetime.utcfromtimestamp, which is deprecated as of Python 3.12. Reported by Hugo van Kemenade (gh pr #1284), fixed by Thomas Grainger (gh pr #1285).

Documentation changes

• Added note into docs and tests where relativedelta would return last day of the month only if the same day on a different month resolves to a date that doesn't exist. Reported by @​hawkEye-01 (gh issue #1167). Fixed by @​Mifrill (gh pr #1168)

Changelog

Sourced from python-dateutil's changelog.

Version 2.9.0.post0 (2024-03-01)

Bugfixes

• Pinned setuptools_scm to <8, which should make the generated _version.py file compatible with all supported versions of Python.

Version 2.9.0 (2024-02-29)

Data updates

• Updated tzdata version to 2024a. (gh pr #1342)

Features

• Made all dateutil submodules lazily imported using PEP 562 <https://www.python.org/dev/peps/pep-0562/>_. On Python 3.7+, things like import dateutil; dateutil.tz.gettz("America/New_York") will now work without explicitly importing dateutil.tz, with the import occurring behind the scenes on first use. The old behavior remains on Python 3.6 and earlier. Fixed by Orson Adams. (gh issue #771, gh pr #1007)

Bugfixes

• Removed a call to datetime.utcfromtimestamp, which is deprecated as of Python 3.12. Reported by Hugo van Kemenade (gh pr #1284), fixed by Thomas Grainger (gh pr #1285).

Documentation changes

• Added note into docs and tests where relativedelta would return last day of the month only if the same day on a different month resolves to a date that doesn't exist. Reported by @​hawkEye-01 (gh issue #1167). Fixed by @​Mifrill (gh pr #1168)

Commits

• 1ae8077 Merge pull request #1346 from pganssle/release_2.9.0.post0
• ee6de9d Update news to prepare for release
• 9780d32 Pin setuptools_scm to <8
• db9d018 Merge pull request #1343 from pganssle/release_2.9.0
• 423ca2f Run updatezinfo before build
• edd3fd4 Update NEWS file
• fe02d02 Run towncrier with Python 3.11
• 9c7524a Fix MANIFEST.in pattern
• 6de58f5 Update classifiers to include Python 3.12
• 8fe0cab Merge pull request #1342 from pganssle/update_zoneinfo
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: backend, dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.