Deps: Bump the dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the dependencies group with 5 updates in the / directory:

Package	From	To
mypy	1.18.2	1.19.0
anyio	4.11.0	4.12.0
beautifulsoup4	4.14.2	4.14.3
ruff	0.14.6	0.14.8
urllib3	2.5.0	2.6.0

Updates mypy from 1.18.2 to 1.19.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Drop Support for Python 3.9

Mypy no longer supports running with Python 3.9, which has reached end-of-life. When running mypy with Python 3.10+, it is still possible to type check code that needs to support Python 3.9 with the --python-version 3.9 argument. Support for this will be dropped in the first half of 2026!

Contributed by Marc Mueller (PR 20156).

Mypy 1.19

We’ve just uploaded mypy 1.19.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Python 3.9 Support Ending Soon

This is the last mypy feature release that supports Python 3.9, which reached end of life in October 2025.

Performance Improvements

• Switch to a more dynamic SCC processing logic (Ivan Levkivskyi, PR 20053)
• Speed up type aliases (Ivan Levkivskyi, PR 19810)

Fixed‑Format Cache Improvements

Mypy uses a cache by default to speed up incremental runs by reusing partial results from earlier runs. Mypy 1.18 added a new binary fixed-format cache representation as an experimental feature. The feature is no longer experimental, and we are planning to enable it by default in a future mypy release (possibly 1.20), since it's faster and uses less space than the original, JSON-based cache format. Use --fixed-format-cache to enable the fixed-format cache.

Mypy now has an extra dependency on the librt PyPI package, as it's needed for cache serialization and deserialization.

Mypy ships with a tool to convert fixed-format cache files to the old JSON format. Example of how to use this:

$ python -m mypy.exportjson .mypy_cache/.../my_module.data.ff

... (truncated)

Commits

• 0f068c9 Remove +dev
• 6d5cf52 Various updates to 1.19 changelog (#20304)
• 3c81308 Add draft version of 1.19 release notes (#20296)
• 1999a20 [mypyc] librt base64: use existing SIMD CPU dispatch by customizing build fla...
• 1b94fbb [mypyc] Fix vtable pointer with inherited dunder new (#20302)
• 13369cb [mypyc] Fix crash on super in generator (#20291)
• a087a58 Update import map when new modules added (#20271)
• 35e843c [mypyc] Add efficient librt.base64.b64decode (#20263)
• 094f66d [mypyc] Add repr to AssignmentTarget subclasses (#20258)
• 0738db3 Do not push partial types to the binder (#20202)
• Additional commits viewable in compare view

Updates anyio from 4.11.0 to 4.12.0

Release notes

Sourced from anyio's releases.

4.12.0

• Added support for asyncio's task call graphs on Python 3.14 and later when using AnyIO's task groups (#1025)
• Added an asynchronous implementation of the functools module (#1001)
• Added support for uvloop=True on Windows via the winloop implementation (#960; PR by @​Vizonex)
• Added support for use as a context manager to anyio.lowlevel.RunVar (#1003)
• Added __all__ declarations to public submodules (anyio.lowlevel etc.) (#1009)
• Added the ability to set the token count of a CapacityLimiter to zero (#1019; requires Python 3.10 or later when using Trio)
• Added parameters case_sensitive and recurse_symlinks along with support for path-like objects to anyio.Path.glob() and anyio.Path.rglob() (#1033; PR by @​northisup)
• Dropped sniffio as a direct dependency and added the get_available_backends() function (#1021)
• Fixed Process.stdin.send() not raising ClosedResourceError and BrokenResourceError on asyncio. Previously, a non-AnyIO exception was raised in such cases (#671; PR by @​gschaffner)
• Fixed Process.stdin.send() not checkpointing before writing data on asyncio (#1002; PR by @​gschaffner)
• Fixed a race condition where cancelling a Future from BlockingPortal.start_task_soon() would sometimes not cancel the async function (#1011; PR by @​gschaffner)
• Fixed the presence of the pytest plugin causing breakage with older versions of pytest (<= 6.1.2) (#1028; PR by @​saper)
• Fixed a rarely occurring RuntimeError: Set changed size during iteration while shutting down the process pool when using the asyncio backend (#985)

Commits

• bc021b6 Fixed the download-artifact settings to retain the expected behavior
• c6000aa Corrected the format of the version in the changelog
• 9d1bfe0 Bumped up the version
• 77f7ce2 Fixed RuntimeError while shutting down the asyncio process pool (#1039)
• aecc666 [pre-commit.ci] pre-commit autoupdate (#1036)
• e5569ad Bump actions/checkout from 5 to 6 in the github-actions group (#1037)
• dde3ab8 Moved a changelog entry to its correct position
• 250d4f1 Restore compatibility with pytest<=6.1.2 (#1030)
• 3708e22 Fixed a typo in the documentation (#1035)
• 9adbe08 Add new params to Path.glob & Path.rglob introduced since 3.12 (#1034)
• Additional commits viewable in compare view

Updates beautifulsoup4 from 4.14.2 to 4.14.3

Updates ruff from 0.14.6 to 0.14.8

Release notes

Sourced from ruff's releases.

0.14.8

Release Notes

Released on 2025-12-04.

Preview features

• [flake8-bugbear] Catch yield expressions within other statements (B901) (#21200)
• [flake8-use-pathlib] Mark fixes unsafe for return type changes (PTH104, PTH105, PTH109, PTH115) (#21440)

Bug fixes

• Fix syntax error false positives for await outside functions (#21763)
• [flake8-simplify] Fix truthiness assumption for non-iterable arguments in tuple/list/set calls (SIM222, SIM223) (#21479)

Documentation

• Suggest using --output-file option in GitLab integration (#21706)

Other changes

• [syntax-error] Default type parameter followed by non-default type parameter (#21657)

Contributors

• @​kieran-ryan
• @​11happy
• @​danparizher
• @​ntBre

Install ruff 0.14.8

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.14.8/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/ruff/releases/download/0.14.8/ruff-installer.ps1 | iex"

Download ruff 0.14.8

File	Platform	Checksum
ruff-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ruff-x86_64-apple-darwin.tar.gz	Intel macOS	checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.8

Released on 2025-12-04.

Preview features

• [flake8-bugbear] Catch yield expressions within other statements (B901) (#21200)
• [flake8-use-pathlib] Mark fixes unsafe for return type changes (PTH104, PTH105, PTH109, PTH115) (#21440)

Bug fixes

• Fix syntax error false positives for await outside functions (#21763)
• [flake8-simplify] Fix truthiness assumption for non-iterable arguments in tuple/list/set calls (SIM222, SIM223) (#21479)

Documentation

• Suggest using --output-file option in GitLab integration (#21706)

Other changes

• [syntax-error] Default type parameter followed by non-default type parameter (#21657)

Contributors

• @​kieran-ryan
• @​11happy
• @​danparizher
• @​ntBre

0.14.7

Released on 2025-11-28.

Preview features

• [flake8-bandit] Handle string literal bindings in suspicious-url-open-usage (S310) (#21469)
• [pylint] Fix PLR1708 false positives on nested functions (#21177)
• [pylint] Fix suppression for empty dict without tuple key annotation (PLE1141) (#21290)
• [ruff] Add rule RUF066 to detect unnecessary class properties (#21535)
• [ruff] Catch more dummy variable uses (RUF052) (#19799)

Bug fixes

• [server] Set severity for non-rule diagnostics (#21559)
• [flake8-implicit-str-concat] Avoid invalid fix in (ISC003) (#21517)
• [parser] Fix panic when parsing IPython escape command expressions (#21480)

CLI

• Show partial fixability indicator in statistics output (#21513)

... (truncated)

Commits

• 9d4f1c6 Bump 0.14.8 (#21791)
• 326025d [ty] Always register rename provider if client doesn't support dynamic regist...
• 3aefe85 [ty] Ensure rename CursorTest calls can_rename before renaming (#21790)
• b8ecc83 Fix clippy errors on main (#21788)
• 6491932 [ty] Fix crash when hovering an unknown string annotation (#21782)
• a9f2bb4 [ty] Don't send publish diagnostics for clients supporting pull diagnostics (...
• e2b72fb [ty] cleanup test path (#21781)
• 14fce0d [ty] Improve the display of various special-form types (#21775)
• 8ebecb2 [ty] Add subdiagnostic hint if the user wrote X = Any rather than X: Any ...
• 45ac30a [ty] Teach ty the meaning of desperation (try ancestor pyproject.tomls as...
• Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.0

Release notes

Sourced from urllib3's releases.

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
• Added host and port information to string representations of HTTPConnection. (#3666)
• Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. (#3649)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. (#3664)
• Fixed handling of SSLKEYLOGFILE with expandable variables. (#3700)

Misc

• Changed the zstd extra to install backports.zstd instead of zstandard on Python 3.13 and before. (#3693)
• Improved the performance of content decoding by optimizing BytesQueueBuffer class. (#3710)
• Allowed building the urllib3 package with newer setuptools-scm v9.x. (#3652)
• Ensured successful urllib3 builds by setting Hatchling requirement to ≥ 1.27.0. (#3638)

Changelog

Sourced from urllib3's changelog.

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). ([#3622](https://github.com/urllib3/urllib3/issues/3622) <https://github.com/urllib3/urllib3/issues/3622>__)

Bugfixes

• Fixed redirect handling in urllib3.PoolManager when an integer is passed for the retries parameter. ([#3649](https://github.com/urllib3/urllib3/issues/3649) <https://github.com/urllib3/urllib3/issues/3649>__)
• Fixed HTTPConnectionPool when used in Emscripten with no explicit port. ([#3664](https://github.com/urllib3/urllib3/issues/3664) <https://github.com/urllib3/urllib3/issues/3664>__)
• Fixed handling of SSLKEYLOGFILE with expandable variables. ([#3700](https://github.com/urllib3/urllib3/issues/3700) <https://github.com/urllib3/urllib3/issues/3700>__)

... (truncated)

Commits

• 720f484 Release 2.6.0
• 24d7b67 Merge commit from fork
• c19571d Merge commit from fork
• 816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
• 18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
• 1f6abac Bump versions of pre-commit hooks (#3716)
• 1c8fbf7 Bump actions/checkout from 5.0.0 to 6.0.0 (#3722)
• 7784b9e Add Python 3.15 to CI (#3717)
• 0241c9e Updated docs to reflect change in optional zstd dependency from zstandard t...
• 7afcabb Expand environment variable of SSLKEYLOGFILE (#3705)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[greenbonebot]

Scan: 'poetry.lock'

Nothing detected in poetry.lock
Scan took 0.02 seconds