deps(deps): bump the python-minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the python-minor-and-patch group with 7 updates in the / directory:

Package	From	To
django-reversion	6.2.0	6.3.0
django-environ	0.13.0	0.14.0
tqdm	4.68.1	4.68.3
vcrpy	8.1.1	8.2.1
model-bakery	1.23.4	1.23.5
ruff	0.15.16	0.15.18
djlint	1.39.0	1.39.2

Updates django-reversion from 6.2.0 to 6.3.0

Release notes

Sourced from django-reversion's releases.

v6.3.0

What's Changed

• feat: add Turkish translation for django-reversion by @​mcihad in etianen/django-reversion#1000

New Contributors

• @​mcihad made their first contribution in etianen/django-reversion#1000

Full Changelog: etianen/django-reversion@v6.2.0...v6.3.0

Changelog

Sourced from django-reversion's changelog.

6.3.0 - 2026-06-12

• Added Turkish translation (@​mcihad).

Commits

• cc6d5b9 v6.3.0
• a4b9377 Merge pull request #1000 from mcihad/master
• ef59de1 feat: add Turkish translation for django-reversion
• See full diff in compare view

Updates django-environ from 0.13.0 to 0.14.0

Release notes

Sourced from django-environ's releases.

v0.14.0

django-environ 0.14.0 improves type annotations across Env and updates Env.read_env() to support caller-owned file-like objects without closing them.

This is the final django-environ release supporting Python 3.9.

Added

• Type annotations and matching docstring information for Env methods.
• A conditional typing_extensions dependency providing TypeAlias on Python 3.9.

Changed

• Env.read_env() now accepts path-like and file-like objects without closing file-like objects supplied by the caller.

Fixed

• Env.read_env() now raises an explicit error when it cannot determine the caller frame used to resolve the default .env path.

Full changelog: joke2k/django-environ@v0.13.0...v0.14.0

PyPI: https://pypi.org/project/django-environ/0.14.0/

Changelog

Sourced from django-environ's changelog.

v0.14.0_ - 18-June-2026

Added +++++

• Added type annotations and matching docstring information to Env methods [#633](https://github.com/joke2k/django-environ/issues/633) <https://github.com/joke2k/django-environ/pull/633>_.
• Added a Python 3.9 compatibility dependency on typing_extensions for TypeAlias [#633](https://github.com/joke2k/django-environ/issues/633) <https://github.com/joke2k/django-environ/pull/633>_.

Changed +++++++

• Updated Env.read_env() to accept path-like and file-like objects without closing file-like objects supplied by the caller [#633](https://github.com/joke2k/django-environ/issues/633) <https://github.com/joke2k/django-environ/pull/633>_.

Fixed +++++

• Added an explicit error when Env.read_env() cannot determine its caller frame while resolving the default .env path [#633](https://github.com/joke2k/django-environ/issues/633) <https://github.com/joke2k/django-environ/pull/633>_.

Commits

• 6e1b461 Merge pull request #635 from joke2k/release/0.14.0
• b65f66e chore(release): prepare 0.14.0
• 39f980a Merge pull request #633 from joke2k/hotfix/0.14-apply-pr-600
• 020825c ci: allow release and hotfix PRs to target main
• 6c1dd5b fix(typing): support TypeAlias on Python 3.9
• c0d7b2b Ensure Env.read_env supports any file-like object
• c41ee54 Guard against an inability to read stack frames
• 64bfe4b Add type information to docstrings
• 791df95 Add type annotations to str and bool parameters of methods in Env
• 4370592 Merge branch 'develop' into main
• See full diff in compare view

Updates tqdm from 4.68.1 to 4.68.3

Release notes

Sourced from tqdm's releases.

tqdm v4.68.3 stable

• utils: delay os.get_terminal_size (#1763 <- #1760)
• autonotebook: support QtConsole, Spyder, JupyterLite (#1763, #1628, #1559 <- #1283, #1098, #512)
• minor docs updates
  • fix typo (#1762)
  • use git-fame
• misc minor framework updates
  • fix & update CI build
  • pre-commit: add docs & metadata generation
  • move tox.ini -> pyproject.toml, move tox-gh-actions -> tox-gh
  • add Python 3.14, drop 3.7 support

tqdm v4.68.2 stable

• revert accidental change to ascii default (fixes #1760)
  • UnicodeEncodeError: 'charmap' codec can't encode characters in position 6-7: character maps to <undefined> can be fixed by installing tqdm!=4.68.0,!=4.68.1
• misc docs updates
  • fix links
  • replace stray rst -> md syntax
  • consistent "progress bar" terminology (#1737)
• tests: fix coverage (fixes #1760)

Commits

• 9aff609 bump version, merge pull request #1763 from tqdm/jupyterlite
• 9872f80 drop date from snap version str to fix pydantic
• b829334 support QtConsole, Spyder, JupyterLite
• 6fa4867 delay os.get_terminal_size
• 748e107 lint
• e6e29eb move tox.ini -> pyproject.toml
• 617e4fa tox-gh-actions -> tox-gh
• c49c50d add python 3.14, drop python 3.7 support
• fa2bcdb pre-commit: tqdm.1
• 1ec7988 auto git-fame
• Additional commits viewable in compare view

Updates vcrpy from 8.1.1 to 8.2.1

Release notes

Sourced from vcrpy's releases.

v8.2.1

What's Changed

• SECURITY: Cassettes are now loaded with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded. Previously a crafted cassette containing a Python object tag (e.g. !!python/object/apply:os.system) would execute code on load, including via the normal vcr.use_cassette() path. Existing cassettes (including file-upload/streaming bodies) continue to load. Advisory: GHSA-rpj2-4hq8-938g — thanks @​RamiAltai and @​EQSTLab for the reports.
• Validate record_mode and raise a clear error on an invalid value (#208)
• Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

Full Changelog: kevin1024/vcrpy@v8.2.0...v8.2.1

v8.2.0

What's Changed

• Add support for httpx 2.x (#993) - thanks @​dsfaccini
• Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
• Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
• Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
• Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
• Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
• Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
• Add env proxy cassette regression test (#994) - thanks @​tine1117
• Remove milestone references from docs (#984) - thanks @​Polandia94
• CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

Full Changelog: kevin1024/vcrpy@v8.1.1...v8.2.0

Changelog

Sourced from vcrpy's changelog.

Changelog

All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.

• 8.2.1

  • SECURITY: Load cassettes with a safe YAML loader, preventing arbitrary code execution when a cassette from an untrusted source is loaded (GHSA-rpj2-4hq8-938g) - thanks @​RamiAltai and @​EQSTLab
  • Validate record_mode and raise a clear error on an invalid value (#208)
  • Recommend pytest-recording over the unmaintained pytest-vcr in the docs (#986)

• 8.2.0

  • Add support for httpx 2.x (#993) - thanks @​dsfaccini
  • Patch httpx transports instead of httpcore (#972) - thanks @​seowalex
  • Fix aiohttp 3.14 compatibility: AsyncStreamReaderMixin removed and ClientResponse now requires stream_writer (#995) - thanks @​dsfaccini
  • Account for modified requests when storing played cassettes, so drop_unused_requests honours before_record_request filtering (#962) - thanks @​jamesbraza
  • Make the request URL available on VCRHTTPResponse (#976) - thanks @​dAnjou
  • Improve error message when a matching request has already been consumed (#985) - thanks @​Polandia94
  • Fix body check in convert_body_to_unicode to use an explicit type check (#982) - thanks @​Polandia94
  • Add env proxy cassette regression test (#994) - thanks @​tine1117
  • Remove milestone references from docs (#984) - thanks @​Polandia94
  • CI: bump sphinx-rtd-theme from 3.0.2 to 3.1.0 (#973)

• 8.1.1

  • Fix sync requests in async contexts for HTTPX (#965) - thanks @​seowalex
  • CI: bump peter-evans/create-pull-request from 7 to 8 (#969)

• 8.1.0

  • Enable brotli decompression if available (via brotli, brotlipy or brotlicffi) (#620) - thanks @​immerrr
  • Fix aiohttp allowing both data and json arguments when one is None (#624) - thanks @​leorochael
  • Fix usage of io-like interface with VCR.py (#906) - thanks @​tito and @​kevdevg
  • Migrate to declarative Python package config (#767) - thanks @​deronnax
  • Various linting fixes - thanks @​jairhenrique
  • CI: bump actions/checkout from 5 to 6 (#955)

• 8.0.0

  • BREAKING: Drop support for Python 3.9 (major version bump) - thanks @​jairhenrique
  • BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (#926, #880) - thanks @​jairhenrique
  • New feature: drop_unused_requests option to remove unused interactions from cassettes (#763) - thanks @​danielnsilva
  • Rewrite httpx support to patch httpcore instead of httpx (#943) - thanks @​seowalex
    • Fixes httpx.ResponseNotRead exceptions (#832, #834)
    • Fixes KeyError: 'follow_redirects' (#945)
    • Adds support for custom httpx transports
  • Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (#809, #914) - thanks @​alga
  • Fix iscoroutinefunction deprecation warning on Python 3.14 - thanks @​kloczek
  • Only log message if response is appended - thanks @​talfus-laddus
  • Optimize urllib.parse calls - thanks @​Martin-Brunthaler
  • Fix CI for Ubuntu 24.04 - thanks @​hartwork
  • Various CI improvements: migrate to uv, update GitHub Actions - thanks @​jairhenrique
  • Various linting and test improvements - thanks @​jairhenrique and @​hartwork

... (truncated)

Commits

• 8531203 Release v8.2.1
• 045acb1 Use a safe YAML loader for cassettes to prevent code execution
• de43f46 Fix lint failures from merged PRs (codespell + ruff UP032)
• 514c374 Validate record_mode and raise a clear error on invalid values
• b736cad docs: recommend pytest-recording over unmaintained pytest-vcr
• 06758c9 Release v8.2.0
• 6554837 Add env proxy cassette regression test (#994)
• 62cf5e1 Accounting for modified requests when storing played cassettes, with a test (...
• 13f201a make url available in VCRHTTPResponse (#976)
• d57b553 improve error message on repeated requestt (#985)
• Additional commits viewable in compare view

Updates model-bakery from 1.23.4 to 1.23.5

Release notes

Sourced from model-bakery's releases.

1.23.5

Changed

• Speed up Baker.get_fields() by returning _meta.fields + _meta.many_to_many directly instead of filtering _meta.get_fields().
• [dev] Clarify Apache-2.0 license text and package metadata (#600)
• [dev] Harden GitHub Actions workflows and add Zizmor security checks (#604)

GitHub Changelog

• Bump pygments from 2.19.2 to 2.20.0 by @​dependabot[bot] in model-bakers/model_bakery#594
• Bump django from 5.2.12 to 5.2.13 by @​dependabot[bot] in model-bakers/model_bakery#596
• Update uv-build requirement from <0.11.0,>=0.9.26 to >=0.9.26,<0.12.0 by @​dependabot[bot] in model-bakers/model_bakery#595
• Bump pillow from 12.1.1 to 12.2.0 by @​dependabot[bot] in model-bakers/model_bakery#597
• Bump pytest from 9.0.2 to 9.0.3 by @​dependabot[bot] in model-bakers/model_bakery#598
• Speed up Baker.get_fields() by @​anze3db in model-bakers/model_bakery#593
• Clarify Apache-2.0 license text and package metadata by @​amureki in model-bakers/model_bakery#600
• Bump django from 5.2.13 to 5.2.14 by @​dependabot[bot] in model-bakers/model_bakery#602
• Bump urllib3 from 2.6.3 to 2.7.0 by @​dependabot[bot] in model-bakers/model_bakery#603
• Introduce Zizmor security check via pre-commit by @​amureki in model-bakers/model_bakery#604
• Bump astral-sh/setup-uv from 7.6.0 to 8.1.0 by @​dependabot[bot] in model-bakers/model_bakery#605
• Bump idna from 3.11 to 3.15 by @​dependabot[bot] in model-bakers/model_bakery#606

New Contributors

• @​anze3db made their first contribution in model-bakers/model_bakery#593

Full Changelog: model-bakers/model_bakery@1.23.4...1.23.5

Changelog

Sourced from model-bakery's changelog.

1.23.5

Changed

• Speed up Baker.get_fields() by returning _meta.fields + _meta.many_to_many directly instead of filtering _meta.get_fields().
• [dev] Clarify Apache-2.0 license text and package metadata (#600)
• [dev] Harden GitHub Actions workflows and add Zizmor security checks (#604)

Commits

• 9fbe82b Bump 1.23.5
• 8e4e13a Bump idna from 3.11 to 3.15 (#606)
• 89a449e Bump astral-sh/setup-uv from 7.6.0 to 8.1.0 (#605)
• d837e15 Introduce Zizmor security check via pre-commit (#604)
• f6532bb Bump urllib3 from 2.6.3 to 2.7.0 (#603)
• efafc2e Bump django from 5.2.13 to 5.2.14 (#602)
• 6519ce2 Clarify Apache-2.0 license text and package metadata (#600)
• 43fd807 Speed up Baker.get_fields() (#593)
• 0537ace Bump pytest from 9.0.2 to 9.0.3 (#598)
• e6f084f Bump pillow from 12.1.1 to 12.2.0 (#597)
• Additional commits viewable in compare view

Updates ruff from 0.15.16 to 0.15.18

Release notes

Sourced from ruff's releases.

0.15.18

Release Notes

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.18

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Commits

• 6686f63 Bump 0.15.18 (#26135)
• efbb732 [ty] Suggest keyword-only arguments between variadic parameters (#26134)
• c256d5f [ty] Support Annotated[Any, ...] as a class base (#26133)
• 19a4bea [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)
• 1d9866c Bump ecosystem-analyzer commit (#26130)
• 8656c73 [ty] Compact indexed AST node storage (#25998)
• c17c8d9 [ty] Garbage-collect cached constraint sets (#26116)
• ef0fb8f [ty] Fix bound TypeVar default cycle recovery (#26124)
• b83c024 [flake8-pyi] Extend PYI033 to Python files in preview (#26129)
• e8a5e38 Update Rust crate zip to v8 (#26078)
• Additional commits viewable in compare view

Updates djlint from 1.39.0 to 1.39.2

Release notes

Sourced from djlint's releases.

v1.39.2

v1.39.1 was not published due to mypyc compilation error.

Packaging

• Fix mypyc compilation.

v1.39.1

This release was not published due to mypyc compilation error.

Fix

• Avoid false T027 reports for apostrophes inside quoted template strings.
• Format Alpine.js object methods in attributes when format_attribute_js_json is enabled.
• Preserve indentation after inline Jinja control-flow blocks that start with whitespace trim markers, such as {%- if ... %}...{% endif %}.
• Preserve safe inner quote style for Jinja function calls inside quoted HTML attributes.

Changelog

Sourced from djlint's changelog.

[1.39.2] - 2026-06-11

v1.39.1 was not published due to mypyc compilation error.

Packaging

• Fix mypyc compilation.

[1.39.1] - 2026-06-11

Fix

• Avoid false T027 reports for apostrophes inside quoted template strings.
• Format Alpine.js object methods in attributes when format_attribute_js_json is enabled.
• Preserve indentation after inline Jinja control-flow blocks that start with whitespace trim markers, such as {%- if ... %}...{% endif %}.
• Preserve safe inner quote style for Jinja function calls inside quoted HTML attributes.

Commits

• a8264dd v1.39.2
• 0a59136 fix mypyc compilation
• 5daa5dd v1.39.1
• 27bae44 fix(linter): avoid false T027 for apostrophes in quoted strings
• 8a9d8f0 Fix Alpine x-data method attribute formatting
• c12d4e1 improve parenthesis tests
• d575507 fix(formatter): preserve Jinja quotes in HTML attributes
• 4129b05 chore(deps): update pre-commit hook types-tqdm to v4.68.0.20260608 (#2074)
• 0730bff Fix indentation after inline trim-marker Jinja blocks
• 338dee3 chore(deps): lock file maintenance (#2073)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions