Skip to content

deps: bump the dev-deps group across 1 directory with 5 updates#5254

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/uv/dev-deps-4850a1a226
Open

deps: bump the dev-deps group across 1 directory with 5 updates#5254
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/uv/dev-deps-4850a1a226

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor

Bumps the dev-deps group with 5 updates in the / directory:

Package From To
django-debug-toolbar 6.3.0 7.0.0
pytest 9.0.3 9.1.1
vcrpy 8.1.1 8.2.1
hypothesis 6.155.2 6.155.7
coverage 7.14.1 7.14.3

Updates django-debug-toolbar from 6.3.0 to 7.0.0

Release notes

Sourced from django-debug-toolbar's releases.

7.0.0

This release features a change to use the shadow DOM. If a project is customizing the Django Debug Toolbar theme via variables a change will be required.

Changelog

  • Updated to render the toolbar in a shadow DOM for better isolation from the rest of the page. This can be disabled with the setting USE_SHADOW_DOM.
  • Note that custom themes overriding CSS variables on :root must move those overrides to #djDebug, and custom panels that rely on external styles or DOM lookups reaching into the toolbar will need updates to work with the shadow DOM.
  • Prevent check from failing when ROOT_URLCONF is not defined.
  • Prevent toolbar storage from failing when serialized panel data contains mapping keys that are not JSON-compatible.
  • Prevent debounce race conditions in the history panel for rapid fetch requests.
  • Added a note to the prerequisites section of the installation docs about requiring an up-to-date browser.
  • Dropped support for Django 4.2 and Django 5.1 .
  • Added graceful degradation for SQL queries that exceed sqlparse's token limits. When SQLParseError is raised, the SQL panel now automatically disables grouping and retries formatting, preventing crashes with large queries.
  • Upgraded the JavaScript code to use modern ECMAScript features using esupgrade.
  • Updated tox configuration to treat DeprecationWarning, ResourceWarning, and PendingDeprecationWarning as errors.
  • Clarified configuration documentation about SHOW_TOOLBAR_CALLBACK needing to respect django.conf.settings.DEBUG to match debug_toolbar_urls.
  • Fixed cookie expires calculation in djdt.cookie.set.
  • Account for the new CULL_PROBABILITY in Django 6.2 in tests.
  • Support Django 6.2's handling of booleans for non-PostgreSQL databases.
  • Changed the SQL panel to show the "Select" and "Explain" action buttons for all queries, not just SELECT statements.
  • Fixed SQL panel handling of binary parameters (e.g. from BinaryField) and GeoDjango PostGIS geometry parameters. EWKB geometry adapters are now serialized and reconstructed so that Select and Explain work correctly on spatial queries.

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from django-debug-toolbar's changelog.

7.0.0 (2026-06-17)

  • Prevent check from failing when ROOT_URLCONF is not defined.
  • Prevent toolbar storage from failing when serialized panel data contains mapping keys that are not JSON-compatible.
  • Prevent debounce race conditions in the history panel for rapid fetch requests.
  • Added a note to the prerequisites section of the installation docs about requiring an up-to-date browser.
  • Dropped support for Django 4.2 and Django 5.1 .
  • Updated to render the toolbar in a shadow DOM for better isolation from the rest of the page. This can be disabled with the setting USE_SHADOW_DOM.
  • Note that custom themes overriding CSS variables on :root must move those overrides to #djDebug, and custom panels that rely on external styles or DOM lookups reaching into the toolbar will need updates to work with the shadow DOM.
  • Added graceful degradation for SQL queries that exceed sqlparse's token limits. When SQLParseError is raised, the SQL panel now automatically disables grouping and retries formatting, preventing crashes with large queries.
  • Upgraded the JavaScript code to use modern ECMAScript features using esupgrade.
  • Updated tox configuration to treat DeprecationWarning, ResourceWarning, and PendingDeprecationWarning as errors.
  • Clarified configuration documentation about SHOW_TOOLBAR_CALLBACK needing to respect django.conf.settings.DEBUG to match debug_toolbar_urls.
  • Fixed cookie expires calculation in djdt.cookie.set.
  • Account for the new CULL_PROBABILITY in Django 6.2 in tests.
  • Support Django 6.2's handling of booleans for non-PostgreSQL databases.
  • Changed the SQL panel to show the "Select" and "Explain" action buttons for all queries, not just SELECT statements.
  • Fixed SQL panel handling of binary parameters (e.g. from BinaryField) and GeoDjango PostGIS geometry parameters. EWKB geometry adapters are now serialized and reconstructed so that Select and Explain work correctly on spatial queries.
Commits
  • 6c66337 Version 7.0.0
  • 44bf141 Update translations
  • 9e844fd Fix binary parameter handling in SQL panel (#2391)
  • c364770 Mention @​gzip_page explicitly as a reason why the toolbar doesn't show up (#2...
  • 7475cf0 Change the SQL panel to show the select and explain buttons for all queries (...
  • 931a234 Bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions group (#2384)
  • e153a97 Bump the minor-npm-dependencies group across 1 directory with 2 updates (#2390)
  • 67f16e4 Bump vite from 8.0.10 to 8.0.16 (#2389)
  • b02d594 Bump @​babel/core from 7.29.0 to 7.29.7 (#2388)
  • 0df3f3a pre-commit autoupdate (#2387)
  • Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Updates vcrpy from 8.1.1 to 8.2.1

Release notes

Sourced from vcrpy's releases.

v8.2.1

What's Changed

  • SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. !!python/object/apply:os.system) would execute code on load, including via the normal vcr.use_cassette() path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @​RamiAltai and @​EQSTLab for the reports.
  • Validate record_mode and raise a clear error on an invalid value (#208)
  • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

Full Changelog: kevin1024/vcrpy@v8.2.0...v8.2.1

v8.2.0

What's Changed

  • Add support for httpx 2.x (#993) - thanks @​dsfaccini
  • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
  • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
  • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
  • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
  • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
  • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
  • Add env proxy cassette regression test (#994) - thanks @​tine1117
  • Remove milestone references from docs (#984) - thanks @​Polandia94
  • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

Full Changelog: kevin1024/vcrpy@v8.1.1...v8.2.0

Changelog

Sourced from vcrpy's changelog.

Changelog

All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.

  • 8.2.1

    • SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks @​RamiAltai and @​EQSTLab
    • Validate record_mode and raise a clear error on an invalid value (#208)
    • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

  • 8.2.0

    • Add support for httpx 2.x (#993) - thanks @​dsfaccini
    • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
    • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
    • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
    • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
    • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
    • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
    • Add env proxy cassette regression test (#994) - thanks @​tine1117
    • Remove milestone references from docs (#984) - thanks @​Polandia94
    • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

  • 8.1.1

    • Fix sync requests in async contexts for HTTPX (#965) - thanks @​seowalex
    • CI: bump peter-evans/create-pull-request from 7 to 8 (#969)

  • 8.1.0

  • 8.0.0

    • BREAKING: Drop support for Python 3.9 (major version bump) - thanks @​jairhenrique
    • BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (#926, #880) - thanks @​jairhenrique
    • New feature: drop_unused_requests option to remove unused interactions from cassettes (#763) - thanks @​danielnsilva
    • Rewrite httpx support to patch httpcore instead of httpx (#943) - thanks @​seowalex
      • Fixes httpx.ResponseNotRead exceptions (#832, #834)
      • Fixes KeyError: 'follow_redirects' (#945)
      • Adds support for custom httpx transports
    • Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (#809, #914) - thanks @​alga
    • Fix iscoroutinefunction deprecation warning on Python 3.14 - thanks @​kloczek
    • Only log message if response is appended - thanks @​talfus-laddus
    • Optimize urllib.parse calls - thanks @​Martin-Brunthaler
    • Fix CI for Ubuntu 24.04 - thanks @​hartwork
    • Various CI improvements: migrate to uv, update GitHub Actions - thanks @​jairhenrique
    • Various linting and test improvements - thanks @​jairhenrique and @​hartwork

... (truncated)

Commits
  • 8531203 Release v8.2.1
  • 045acb1 Use a safe YAML loader for cassettes to prevent code execution
  • de43f46 Fix lint failures from merged PRs (codespell + ruff UP032)
  • 514c374 Validate record_mode and raise a clear error on invalid values
  • b736cad docs: recommend pytest-recording over unmaintained pytest-vcr
  • 06758c9 Release v8.2.0
  • 6554837 Add env proxy cassette regression test (#994)
  • 62cf5e1 Accounting for modified requests when storing played cassettes, with a test (...
  • 13f201a make url available in VCRHTTPResponse (#976)
  • d57b553 improve error message on repeated requestt (#985)
  • Additional commits viewable in compare view

Updates hypothesis from 6.155.2 to 6.155.7

Commits
  • 929e5fb Bump hypothesis version to 6.155.7 and update changelog
  • 93ee3c9 Merge pull request #4772 from Liam-DeVoe/recursive-property-thread-safety
  • 0bb0f2f drop more 3.13t
  • de6bd79 drop inbetween
  • ff583cc drop 313t jobs
  • a5474e4 claude: re-trigger CI
  • 55d2b97 claude: re-trigger CI (flaky conjecture-coverage + transient scipy/OpenBLAS b...
  • 0a2bdae claude: fix recursive_property thread-safety; install Python via fresh uv met...
  • 4641d65 Bump hypothesis version to 6.155.6 and update changelog
  • 7d90a93 Merge pull request #4770 from Liam-DeVoe/ignore-up037
  • Additional commits viewable in compare view

Updates coverage from 7.14.1 to 7.14.3

Changelog

Sourced from coverage's changelog.

Version 7.14.3 — 2026-06-22

  • Fix: the default ... exclusion rule now also matches function bodies whose closing return-type bracket is on its own line (for example, after a long -> dict[ ... ] annotation that a formatter has split over multiple lines). Closes issue 2185, thanks Mengjia Shang <pull 2196_>.

  • Fix: On 3.13t, we incorrectly issued Couldn't import C tracer errors. We can't import the C tracer because in 7.14.2 we stopped shipping compiled wheels for 3.13t. Thanks, Hugo van Kemenade <pull 2203_>_.

.. _issue 2185: coveragepy/coveragepy#2185 .. _pull 2196: coveragepy/coveragepy#2196 .. _pull 2203: coveragepy/coveragepy#2203

.. _changes_7-14-2:

Version 7.14.2 — 2026-06-20

  • Fix: some messages were being written to stdout, making coverage json -o - useless for capturing JSON output. Now messages are written to stderr, fixing issue 2197_.

  • Fix: CoverageData kept one SQLite connection per thread that recorded coverage, but never closed them when those threads terminated. On long runs with many short-lived threads this leaked one file descriptor per dead thread, eventually failing with OSError: [Errno 24] Too many open files. Connections belonging to terminated threads are now closed and dropped. Fixes issue 2192. Thanks, Matthew Lloyd <pull 2193_>.

  • Fix: when using sys.monitoring, we were assuming we could use the COVERAGE_ID tool id. But other tools might also assume they could use that id. Pre-allocated ids don't really make sense, so now we search for a usable one instead. Fixes issue 2187_.

  • Following the advice of cibuildwheel <no-13t_>_, we no longer distribute wheels for Python 3.13 free-threaded.

.. _issue 2187: coveragepy/coveragepy#2187 .. _issue 2192: coveragepy/coveragepy#2192 .. _pull 2193: coveragepy/coveragepy#2193 .. _issue 2197: coveragepy/coveragepy#2197 .. _no-13t: https://py-free-threading.github.io/ci/#building-free-threaded-wheels-with-cibuildwheel

.. _changes_7-14-1:

Commits
  • 22f13ea docs: sample HTML for 7.14.3
  • 2ca4e5f docs: prep for 7.14.3
  • 01d714e docs: add changelog entry for #2203
  • f36248d fix: don't emit 'Couldn't import C tracer' warning for 3.13t (#2203)
  • 86d73d1 docs: thanks, Mengjia Shang
  • 3d4ae3c docs: add the #2196 pr link to CHANGES
  • f4b2b4d fix: exclude ... bodies after multi-line return-type annotations (#2185) (#...
  • 1980ed0 chore: bump sigstore/gh-action-sigstore-python (#2201)
  • bca3217 build: since we don't ship 3.13t, don't test it
  • 77550d8 docs: oops, mismatched pull requests
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps: bump the dev-deps group across 1 directory with 5 updates
ea63826 
Bumps the dev-deps group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [django-debug-toolbar](https://github.com/django-commons/django-debug-toolbar) | `6.3.0` | `7.0.0` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [vcrpy](https://github.com/kevin1024/vcrpy) | `8.1.1` | `8.2.1` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.155.2` | `6.155.7` |
| [coverage](https://github.com/coveragepy/coveragepy) | `7.14.1` | `7.14.3` |



Updates `django-debug-toolbar` from 6.3.0 to 7.0.0
- [Release notes](https://github.com/django-commons/django-debug-toolbar/releases)
- [Changelog](https://github.com/django-commons/django-debug-toolbar/blob/main/docs/changes.rst)
- [Commits](django-commons/django-debug-toolbar@6.3.0...7.0.0)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `vcrpy` from 8.1.1 to 8.2.1
- [Release notes](https://github.com/kevin1024/vcrpy/releases)
- [Changelog](https://github.com/kevin1024/vcrpy/blob/master/docs/changelog.rst)
- [Commits](kevin1024/vcrpy@v8.1.1...v8.2.1)

Updates `hypothesis` from 6.155.2 to 6.155.7
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](HypothesisWorks/hypothesis@v6.155.2...v6.155.7)

Updates `coverage` from 7.14.1 to 7.14.3
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.14.1...7.14.3)

---
updated-dependencies:
- dependency-name: django-debug-toolbar
  dependency-version: 7.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: dev-deps
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-deps
- dependency-name: vcrpy
  dependency-version: 8.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-deps
- dependency-name: hypothesis
  dependency-version: 6.155.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-deps
- dependency-name: coverage
  dependency-version: 7.14.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Maintenance Tag as maintenance if the issue relates to general cleanup, maintenance, etc. Do not delete label. label Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Maintenance Tag as maintenance if the issue relates to general cleanup, maintenance, etc. Do not delete label.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants