chore(deps): update instructor requirement from >=1.7.0 to >=1.15.1

[dependabot]

Updates the requirements on instructor to permit the latest version.

Release notes

Sourced from instructor's releases.

v1.15.1

Security

• Bedrock: Block remote HTTP(S) image URL fetching in _openai_image_part_to_bedrock — only data: URLs accepted, preventing SSRF via user-controlled image URLs
• Bedrock/PDF: Block remote URL and local file fetching in PDF.to_bedrock — only base64 data or s3:// sources supported, preventing SSRF and local file disclosure

Added

• Hooks: completion:error and completion:last_attempt handlers now receive attempt_number, max_attempts, and is_last_attempt as keyword arguments. Old-style handlers remain fully backward-compatible.
• Anthropic: from_provider("anthropic/...") now sets a User-Agent: instructor/<version> header on the Anthropic client

Fixed

• Anthropic usage: Initialize usage correctly for ANTHROPIC_REASONING_TOOLS and ANTHROPIC_PARALLEL_TOOLS modes
• OpenRouter: Use reask_md_json for OPENROUTER_STRUCTURED_OUTPUTS retries instead of reask_default (tool-call format)
• Templating: Return kwargs unchanged instead of None in handle_templating when message list is empty or unrecognized
• from_openai: Allow Mode.JSON_SCHEMA for the OpenAI provider
• Bedrock: Pass through cachePoint dicts in message content unchanged (regression since v1.13.0)
• Bedrock: Allow Mode.MD_JSON in from_bedrock
• Parallel tools: ParallelBase generator consumed into ListResponse in both sync and async paths, fixing AttributeError

Dependencies

• Bump anthropic 0.76.0 → 0.88.0
• Bump litellm upper bound to ≤1.83.0
• Bump aiohttp 3.13.3 → 3.13.5

Changelog

Sourced from instructor's changelog.

[1.15.1] - 2026-04-03

Security

• Bedrock: Block remote HTTP(S) image URL fetching in _openai_image_part_to_bedrock — only data: URLs are now accepted, preventing SSRF via user-controlled image URLs
• Bedrock/PDF: Block remote URL and local file fetching in PDF.to_bedrock — only base64 data or s3:// sources are now supported, preventing SSRF and local file disclosure

Added

• Hooks: completion:error and completion:last_attempt handlers now receive attempt_number, max_attempts, and is_last_attempt as keyword arguments. Old-style handlers remain fully backward-compatible.
• Anthropic: from_provider("anthropic/...") now sets a User-Agent: instructor/<version> header on the Anthropic client

Fixed

• Anthropic usage: Initialize usage correctly for ANTHROPIC_REASONING_TOOLS and ANTHROPIC_PARALLEL_TOOLS modes — previously fell through to OpenAI usage tracking with wrong field names
• OpenRouter: Use reask_md_json for OPENROUTER_STRUCTURED_OUTPUTS retries instead of reask_default (tool-call format), fixing malformed retry prompts
• Templating: Return kwargs unchanged instead of None in handle_templating when message list is empty or format is unrecognized; process_message also now returns the original message unchanged for unrecognized formats instead of None
• from_openai: Allow Mode.JSON_SCHEMA for the OpenAI provider — it was incorrectly blocked by the mode validation check
• Bedrock: Pass through cachePoint dicts in message content unchanged — previously raised ValueError: Unsupported dict content for Bedrock, breaking prompt caching (regression since v1.13.0)
• Bedrock: Allow Mode.MD_JSON in from_bedrock
• Parallel tools: ParallelBase generator now consumed into ListResponse in both sync and async paths, fixing AttributeError when setting _raw_response on a generator

---

[1.15.0] - 2026-04-02

Security

• Pin litellm to <=1.82.6 to block compromised versions 1.82.7 and 1.82.8 (#2219)
• Make diskcache an optional dependency, removing it from all users' transitive dependency trees and mitigating CVE-2025-69872 (#2211)

Fixed

• Usage tracking: Preserve response.usage subclass type (e.g. LiteLLM, Langfuse) when accumulating token counts across retries — fixes downstream .get() method loss (#2217, #2199)
• Gemini: Exclude HARM_CATEGORY_IMAGE_* safety categories from standard Gemini API calls — these are Vertex AI-only and caused 400 INVALID_ARGUMENT errors (#2174)
• Gemini: Detect truncated responses (finish_reason=MAX_TOKENS) in GENAI_STRUCTURED_OUTPUTS mode and raise IncompleteOutputException immediately instead of retrying with malformed JSON (#2232)
• create_with_completion: Handle List[Model] response models that lack _raw_response attribute — previously raised AttributeError, now returns None for the completion (#2167)
• Partial streaming: Preserve default Literal field values (e.g. type: Literal["Person"] = "Person") during streaming instead of emitting None before the field arrives (#2204)
• Partial streaming: Support PEP 604 union syntax (str | int) in Partial models on Python 3.10+ (#2200)
• Validators: Fix allow_override=True in llm_validator — the override branch was unreachable due to a misplaced assertion, so fixed_value was never returned (#2215)
• Parallel tools: ParallelBase responses now return ListResponse (consistent with IterableBase) instead of a raw generator with _raw_response set on it (#2216)
• Multimodal: Add missing continue in convert_messages after handling typed (audio/image) messages — previously fell through to message["role"] causing KeyError (#2139)
• Anthropic: Fix dead code path for ANTHROPIC_REASONING_TOOLS mode — the mode was shadowed by a duplicate ANTHROPIC_TOOLS check and never routed correctly (#2140)

Added

• Models: Add Claude 4 (Opus, Sonnet, Haiku), OpenAI GPT-4.1 series, o3/o4 reasoning models, xAI Grok 3, and DeepSeek R1/V3 to KnownModelName type (#2235)

Docs

• Update GitHub organization links in README from instructor-ai to 567-labs (#2149)

Tests / CI

• Fix test_xai_optional_dependency tests to use monkeypatch so they pass regardless of whether xai-sdk is installed
• Update deprecated Anthropic model names (claude-3-5-haiku-latest -> claude-haiku-4-0-20250414, claude-3-7-sonnet-latest -> claude-sonnet-4-5-20250514)
• Update deprecated OpenAI model names (gpt-3.5-turbo -> gpt-4.1-mini) across unit tests
• Update stale provider model strings in shared_config.py: Writer palmyra-x5, Fireworks llama-v3p3, Perplexity sonar-pro

... (truncated)

Commits

• 8cc5e85 chore(release): bump version to 1.15.1
• f20ba3a chore(deps): bump the poetry group across 1 directory with 15 updates (#2239)
• 191bf2a staging: v1.15.1 release candidate (#2240)
• 58a3359 docs(changelog): backfill entries for v1.11.0 through v1.14.5
• 09fe03e docs(changelog): mark 1.15.0 as released
• 87aa5c9 ci: add workflow_dispatch to publish workflow
• f90fc54 chore(release): v1.15.0
• 6b969d2 staging: v1.15.0 release candidate (#2231)
• 7cf8015 fix(validation): require is_valid in Validator (#2230)
• 41f050c fix: handle GEMINI_TOOLS in async streaming paths (#2135)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)