Skip to content

deps(py): bump the uv-prod-minor-patch group across 1 directory with 5 updates#89

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-prod-minor-patch-fdbe4bcca8
Open

deps(py): bump the uv-prod-minor-patch group across 1 directory with 5 updates#89
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-prod-minor-patch-fdbe4bcca8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026
edited
Loading

Bumps the uv-prod-minor-patch group with 5 updates in the / directory:

Package From To
click 8.3.2 8.3.3
pydantic 2.12.5 2.13.3
pydantic-settings 2.13.1 2.14.0
sentry-sdk 2.57.0 2.58.0
uvicorn 0.43.0 0.46.0

Updates click from 8.3.2 to 8.3.3

Release notes

Sourced from click's releases.

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3 Milestone: https://github.com/pallets/click/milestone/30

  • Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. #1026 #1477 #2775
  • Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. #3298 #3299
  • Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. #3238
  • Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. #3224 #3240
  • Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. #654 #824 #843 #951 #3235
  • Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. #3151
  • Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. #3151 #3177
  • Show custom show_default string in prompts, matching the existing help text behavior. #2836 #2837 #3165 #3262 #3280 #3328
  • Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. #3111 #3239
  • Mark make_default_short_help as private API. #3189 #3250
  • CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. #2865
  • Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. #2879 #3248
Changelog

Sourced from click's changelog.

Version 8.3.3

Released 2026-04-20

  • Use :func:shlex.split to split pager and editor commands into argv lists for :class:subprocess.Popen, removing shell=True. :issue:1026 :pr:1477 :pr:2775
  • Fix TypeError when rendering help for an option whose default value is an object that doesn't support equality comparison with strings, such as semver.Version. :issue:3298 :pr:3299
  • Fix pager test pollution under parallel execution by using pytest's tmp_path fixture instead of a shared temporary file path. :pr:3238
  • Treat Sentinel.UNSET values in a default_map as absent, so they fall through to the next default source instead of being used as the value. :issue:3224 :pr:3240
  • Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(), breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can interact with the real terminal instead of the captured I/O streams. :issue:654 :issue:824 :issue:843 :pr:951 :pr:3235
  • Add optional randomized parallel test execution using pytest-randomly and pytest-xdist to detect test pollution and race conditions. :pr:3151
  • Add contributor documentation for running stress tests, randomized parallel tests, and Flask smoke tests. :pr:3151 :pr:3177
  • Show custom show_default string in prompts, matching the existing help text behavior. :issue:2836 :pr:2837 :pr:3165 :pr:3262 :pr:3280 :pr:3328
  • Fix default=True with boolean flag_value always returning the flag_value instead of True. The default=True to flag_value substitution now only applies to non-boolean flags, where True acts as a sentinel meaning "activate this flag by default". For boolean flags, default=True is returned as a literal value. :issue:3111 :pr:3239
  • Mark make_default_short_help as private API. :issue:3189 :pr:3250
  • CliRunner's redirected streams now expose the original file descriptor via fileno(), so that faulthandler, subprocess, and other C-level consumers no longer crash with io.UnsupportedOperation. :issue:2865
  • Change :class:ParameterSource to an :class:~enum.IntEnum and reorder its members from most to least explicit, so values can be compared to check whether a parameter was explicitly provided. :issue:2879 :pr:3248
Commits
  • c06d2d0 Release 8.3.3
  • f1f191e Apply format guidelines to commits since latest 8.3.2 release (#3343)
  • bb59ba0 Apply format guidelines to commits since latest 8.3.2 release
  • 4a35225 Reduce blast-radius of UNSET in default_map (#3240)
  • c07bb93 Merge branch 'stable' into unset-in-default-map
  • c7e1ba8 Reorder ParameterSource (#3248)
  • 76552ff Show default string in prompt (#3328)
  • ac5cec5 Reorder ParameterSource from most to least explicit
  • 8c452e0 Merge branch 'stable' into show-default-string-in-prompt
  • 8c95c73 Reconcile default value passing and default activation (#3239)
  • Additional commits viewable in compare view

Updates pydantic from 2.12.5 to 2.13.3

Release notes

Sourced from pydantic's releases.

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

Packaging

  • Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
  • Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features

  • Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

... (truncated)

Commits
  • 9e9a111 Fix backported test
  • 1ec8c6a Prepare release v2.13.3
  • fb4f204 Handle AttributeError subclasses with from_attributes
  • ca3ddd1 Prepare release v2.13.2
  • 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
  • d45d8be Prepare release 2.13.1
  • 54aca60 Fix ValidationInfo.data missing with model_validate_json()
  • 46bf4fa Fix Pydantic release workflow (#13067)
  • 1b359ed Prepare release v2.13.0 (#13065)
  • b1bf194 Fix model equality when using runtime extra configuration (#13062)
  • Additional commits viewable in compare view

Updates pydantic-settings from 2.13.1 to 2.14.0

Release notes

Sourced from pydantic-settings's releases.

v2.14.0

What's Changed

New Contributors

Full Changelog: pydantic/pydantic-settings@v2.13.1...v2.14.0

Commits
  • 8916bee Prepare release 2.14.0 (#848)
  • 39e551c Fix CLI descriptions lost under python -OO by falling back to `json_schema_...
  • 9ed7f48 Bump the python-packages group with 4 updates (#847)
  • 617c690 Fix cli_ignore_unknown_args=True not working on subcommands (#844)
  • 577c05f Add note about Mypy plugin for BaseSettings.__init__() (#842)
  • 2355bc5 Fix CliPositionalArg[list[CustomType]] crash for custom types (#839)
  • 16bd6fd Introduce zizmor (#838)
  • df8b239 Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group (#837)
  • c5401a2 Introduce yamlfmt (#836)
  • 953e28e Bump the python-packages group with 3 updates (#833)
  • Additional commits viewable in compare view

Updates sentry-sdk from 2.57.0 to 2.58.0

Release notes

Sourced from sentry-sdk's releases.

2.58.0

New Features ✨

Bug Fixes 🐛

Anthropic

Pydantic Ai

Other

Internal Changes 🔧

Litellm

Other

Other

... (truncated)

Changelog

Sourced from sentry-sdk's changelog.

2.58.0

New Features ✨

Bug Fixes 🐛

Anthropic

Pydantic Ai

Other

Internal Changes 🔧

Litellm

Other

Other

Commits
  • ce445d9 release: 2.58.0
  • c0c0e9c feat(litellm): Add async callbacks (#5969)
  • ea74b63 test(litellm): Replace mocks with httpx types in rate-limit test (#5975)
  • 06ed1bc test(litellm): Replace mocks with httpx types in embedding tests (#5970)
  • 66ef2e6 test(litellm): Replace mocks with httpx types in nonstreaming `completion()...
  • 96ebbf6 fix(litellm): Avoid double span exits when streaming (#5933)
  • 7e22b5d build(deps): bump actions/github-script from 8.0.0 to 9.0.0 (#5979)
  • 35151a9 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#5980)
  • d1c5b53 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 (#5981)
  • e255aaf build(deps): bump getsentry/testing-ai-sdk-integrations from 6b1f51ec8af03e19...
  • Additional commits viewable in compare view

Updates uvicorn from 0.43.0 to 0.46.0

Release notes

Sourced from uvicorn's releases.

Version 0.46.0

What's Changed

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

Version 0.45.0

What's Changed

New Contributors

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

Version 0.44.0

What's Changed

Full Changelog: Kludex/uvicorn@0.43.0...0.44.0

Changelog

Sourced from uvicorn's changelog.

0.46.0 (April 23, 2026)

Added

  • Support ws_max_size in wsproto implementation (#2915)
  • Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

  • Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

  • Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • Accept os.PathLike for log_config (#2905)
  • Accept log_level strings case-insensitively (#2907)

Changed

  • Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
  • Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

  • Preserve forwarded client ports in proxy headers middleware (#2903)
  • Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)

0.44.0 (April 6, 2026)

Added

  • Implement websocket keepalive pings for websockets-sansio (#2888)
Commits
  • b224045 Version 0.46.0 (#2918)
  • 7375b5b Use bytearray for incoming WebSocket message buffer in websockets-sansio (#...
  • d438fb1 Support ws_ping_interval and ws_ping_timeout in wsproto implementation ...
  • 3e6b964 Support ws_max_size in wsproto implementation (#2915)
  • 2c423bd Version 0.45.0 (#2914)
  • 7f027f8 Revert "Emit http.disconnect on server shutdown for streaming responses" (#...
  • 73a80c3 Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • 45c0b56 Revert empty context for ASGI runs (#2911)
  • 850d926 Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
  • fdcacb4 Accept log_level strings case-insensitively (#2907)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps(py): bump the uv-prod-minor-patch group across 1 directory with …
087056a 
…5 updates

Bumps the uv-prod-minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [click](https://github.com/pallets/click) | `8.3.2` | `8.3.3` |
| [pydantic](https://github.com/pydantic/pydantic) | `2.12.5` | `2.13.3` |
| [pydantic-settings](https://github.com/pydantic/pydantic-settings) | `2.13.1` | `2.14.0` |
| [sentry-sdk](https://github.com/getsentry/sentry-python) | `2.57.0` | `2.58.0` |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.43.0` | `0.46.0` |



Updates `click` from 8.3.2 to 8.3.3
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.3.2...8.3.3)

Updates `pydantic` from 2.12.5 to 2.13.3
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v2.12.5...v2.13.3)

Updates `pydantic-settings` from 2.13.1 to 2.14.0
- [Release notes](https://github.com/pydantic/pydantic-settings/releases)
- [Commits](pydantic/pydantic-settings@v2.13.1...v2.14.0)

Updates `sentry-sdk` from 2.57.0 to 2.58.0
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](getsentry/sentry-python@2.57.0...2.58.0)

Updates `uvicorn` from 0.43.0 to 0.46.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.43.0...0.46.0)

---
updated-dependencies:
- dependency-name: click
  dependency-version: 8.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: uv-prod-minor-patch
- dependency-name: pydantic
  dependency-version: 2.13.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-prod-minor-patch
- dependency-name: pydantic-settings
  dependency-version: 2.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-prod-minor-patch
- dependency-name: sentry-sdk
  dependency-version: 2.58.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-prod-minor-patch
- dependency-name: uvicorn
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: uv-prod-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 27, 2026
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 27, 2026

PR author is in the excluded authors list.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedpypi/​sentry-sdk@​2.57.0 ⏵ 2.58.094100100100100
Updatedpypi/​click@​8.3.2 ⏵ 8.3.396 +1100100100100
Updatedpypi/​uvicorn@​0.43.0 ⏵ 0.46.098 +1100100100100
Updatedpypi/​pydantic@​2.12.5 ⏵ 2.13.3100 +1100100100100
Updatedpypi/​pydantic-settings@​2.13.1 ⏵ 2.14.0100 +1100100100100

View full report

@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented Apr 27, 2026

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue
0 complexity
0 duplications
More details

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes. Give us feedback

codacy-production[bot]
codacy-production Bot reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown

@codacy-production codacy-production Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates five primary production dependencies (Click, Pydantic, Pydantic-settings, Sentry-sdk, and Uvicorn). While the direct version bumps are compliant with the requirements, a security vulnerability (CVE-2026-28684) has been identified in the pinned version of python-dotenv within the uv.lock file. As this package is a dependency of pydantic-settings (which is being updated), this security risk should be addressed before merging. Additionally, the lack of automated test verification for these critical infrastructure components is a significant concern.

About this PR

  • The PR updates critical infrastructure dependencies (Pydantic, Uvicorn, Sentry) but does not include any accompanying test executions or verification evidence to ensure compatibility with existing application code.
1 comment outside of the diff
uv.lock

line 417 🔴 HIGH RISK
The pinned version of python-dotenv (1.2.1) is vulnerable to CVE-2026-28684. This vulnerability allows for arbitrary file overwriting via symbolic links. Although this dependency was not explicitly updated in the current group bump, it is a dependency of pydantic-settings and should be updated to version 1.2.2 to mitigate security risks.

Try running the following command to address this: uv update python-dotenv

Test suggestions

  • Regression testing of CLI commands to verify Click 8.3.3 behavior (particularly the removal of shell=True in subprocess calls)
  • Validation of model data and ValidationInfo integrity in Pydantic 2.13.3
  • Verify Sentry SDK 2.58.0 error capture and new redaction logic for AI image URLs
  • Verify Uvicorn 0.46.0 server lifecycle and WebSocket message handling (especially wsproto implementation changes)
Prompt proposal for missing tests 
Consider implementing these tests if applicable:
1. Regression testing of CLI commands to verify Click 8.3.3 behavior (particularly the removal of shell=True in subprocess calls)
2. Validation of model data and ValidationInfo integrity in Pydantic 2.13.3
3. Verify Sentry SDK 2.58.0 error capture and new redaction logic for AI image URLs
4. Verify Uvicorn 0.46.0 server lifecycle and WebSocket message handling (especially wsproto implementation changes)

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@codacy-production codacy-production[bot] codacy-production[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants