Bump the all-dependencies group across 1 directory with 32 updates

[dependabot]

Bumps the all-dependencies group with 30 updates in the / directory:

Package	From	To
alembic	1.17.1	1.18.3
asyncpg	0.30.0	0.31.0
fastapi	0.120.4	0.128.0
pydantic	2.12.3	2.12.5
pydantic-settings	2.11.0	2.12.0
pyjwt	2.10.1	2.11.0
python-multipart	0.0.20	0.0.22
sqlalchemy	2.0.44	2.0.46
coverage	7.11.0	7.13.2
greenlet	3.2.4	3.3.1
mypy	1.18.2	1.19.1
pre-commit	4.3.0	4.5.1
pytest	8.4.2	9.0.2
ruff	0.14.3	0.14.14
uvicorn	0.38.0	0.40.0
annotated-doc	0.0.3	0.0.4
anyio	4.11.0	4.12.1
certifi	2025.10.5	2026.1.4
cfgv	3.4.0	3.5.0
click	8.3.0	8.3.1
execnet	2.1.1	2.1.2
filelock	3.20.0	3.20.3
identify	2.6.15	2.6.16
nodeenv	1.9.1	1.10.0
packaging	25.0	26.0
pathspec	0.12.1	1.0.4
platformdirs	4.5.0	4.5.1
starlette	0.49.3	0.50.0
virtualenv	20.35.4	20.36.1
websockets	15.0.1	16.0

Updates alembic from 1.17.1 to 1.18.3

Release notes

Sourced from alembic's releases.

1.18.3

Released: January 29, 2026

bug

• [bug] [autogenerate] Fixed regression in version 1.18.0 due to #1771 where autogenerate would raise NoReferencedTableError when a foreign key constraint referenced a table that was not part of the initial table load, including tables filtered out by the EnvironmentContext.configure.include_name callable or tables in remote schemas that were not included in the initial reflection run.

  The change in #1771 was a performance optimization that eliminated additional reflection queries for tables that were only referenced by foreign keys but not explicitly included in the main reflection run. However, this optimization inadvertently removed the creation of Table objects for these referenced tables, causing autogenerate to fail when processing foreign key constraints that pointed to them.

  The fix creates placeholder Table objects for foreign key targets that are not reflected, allowing the autogenerate comparison to proceed without error while maintaining the performance improvement from #1771. When multiple foreign keys reference different columns in the same filtered table, the placeholder table accumulates all necessary columns. These placeholder tables may be visible when using the EnvironmentContext.configure.include_object callable to inspect ForeignKeyConstraint objects; they will have the name, schema and basic column information for the relevant columns present.

  References: #1787

• [bug] [general] Fixed regression caused by #1669 which requires SQLAlchemy objects to support generic type subscripting; for the older SQLAlchemy 1.4 series, this requires version 1.4.23. Changed the minimum requirements to require version 1.4.23 rather than 1.4.0.

  References: #1788

1.18.2

Released: January 28, 2026

usecase

• [usecase] [operations] The primary_key parameter on Column is now honored when Operations.add_column() is used, and will emit the "PRIMARY KEY" keyword inline within the ADD COLUMN directive. This is strictly a syntax

... (truncated)

Commits

• See full diff in compare view

Updates asyncpg from 0.30.0 to 0.31.0

Release notes

Sourced from asyncpg's releases.

v0.31.0

Enable Python 3.14 with experimental subinterpreter/freethreading support.

Improvements

• Add Python 3.14 support, experimental subinterpreter/freethreading support (#1279) (by @​elprans in 9e42642b)

• Avoid performing type introspection on known types (#1243) (by @​elprans in 5c9986c4)

• Make prepare() not use named statements by default when cache is disabled (#1245) (by @​elprans in 5b14653e)

• Implement connection service file functionality (#1223) (by @​AndrewJackson2020 in 1d63bb15)

Fixes

• Fix multi port connection string issue (#1222) (by @​AndrewJackson2020 in 01c0db7b)

• Avoid leaking connections if _can_use_connection fails (#1269) (by @​yuliy-openai in e94302d2)

Other

• Drop support for EOL Python 3.8 (#1281) (by @​elprans in 6c2c4904)

Commits

• 71775a6 asyncpg v0.31.0
• 508cae6 Test on PostgreSQL 18 (#1290)
• e534e5f Bump cibuildwheel
• 07fe512 Bump pgproto
• 648b35f Bump Cython to 3.2.1 (#1288)
• 9e42642 Add Python 3.14 support, experimental subinterpreter/freethreading support (#...
• 6fe1c49 Move development deps away from extras and into dependency groups (#1280)
• 7a54816 Fix a couple of missed Python version guards
• 6c2c490 Drop support for EOL Python 3.8 (#1281)
• 4c60ae8 Bump version to 0.31.0.dev0
• Additional commits viewable in compare view

Updates fastapi from 0.120.4 to 0.128.0

Release notes

Sourced from fastapi's releases.

0.128.0

Breaking Changes

• ➖ Drop support for pydantic.v1. PR #14609 by @​tiangolo.

Internal

• ✅ Run performance tests only on Pydantic v2. PR #14608 by @​tiangolo.

0.127.1

Refactors

• 🔊 Add a custom FastAPIDeprecationWarning. PR #14605 by @​tiangolo.

Docs

• 📝 Add documentary to website. PR #14600 by @​tiangolo.

Translations

• 🌐 Update translations for de (update-outdated). PR #14602 by @​nilslindemann.
• 🌐 Update translations for de (update-outdated). PR #14581 by @​nilslindemann.

Internal

• 🔧 Update pre-commit to use local Ruff instead of hook. PR #14604 by @​tiangolo.
• ✅ Add missing tests for code examples. PR #14569 by @​YuriiMotov.
• 👷 Remove lint job from test CI workflow. PR #14593 by @​YuriiMotov.
• 👷 Update secrets check. PR #14592 by @​tiangolo.
• 👷 Run CodSpeed tests in parallel to other tests to speed up CI. PR #14586 by @​tiangolo.
• 🔨 Update scripts and pre-commit to autofix files. PR #14585 by @​tiangolo.

0.127.0

Breaking Changes

• 🔊 Add deprecation warnings when using pydantic.v1. PR #14583 by @​tiangolo.

Translations

• 🔧 Add LLM prompt file for Korean, generated from the existing translations. PR #14546 by @​tiangolo.
• 🔧 Add LLM prompt file for Japanese, generated from the existing translations. PR #14545 by @​tiangolo.

Internal

• ⬆️ Upgrade OpenAI model for translations to gpt-5.2. PR #14579 by @​tiangolo.

0.126.0

Upgrades

• ➖ Drop support for Pydantic v1, keeping short temporary support for Pydantic v2's pydantic.v1. PR #14575 by @​tiangolo.

... (truncated)

Commits

• 8322a44 🔖 Release version 0.128.0
• 4b2cfcf 📝 Update release notes
• e300630 ➖ Drop support for pydantic.v1 (#14609)
• 1b3bea8 📝 Update release notes
• 34e8841 ✅ Run performance tests only on Pydantic v2 (#14608)
• cd90c78 🔖 Release version 0.127.1
• 93f4dfd 📝 Update release notes
• 535b5da 🔊 Add a custom FastAPIDeprecationWarning (#14605)
• 6b53786 📝 Update release notes
• d98f4eb 🔧 Update pre-commit to use local Ruff instead of hook (#14604)
• Additional commits viewable in compare view

Updates pydantic from 2.12.3 to 2.12.5

Release notes

Sourced from pydantic's releases.

v2.12.5 2025-11-26

v2.12.5 (2025-11-26)

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

Full Changelog: pydantic/pydantic@v2.12.4...v2.12.5

v2.12.4 2025-11-05

v2.12.4 (2025-11-05)

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

• Fix issue with forward references in parent TypedDict classes by @​Viicos in #12427.

  This issue is only relevant on Python 3.14 and greater.

• Exclude fields with exclude_if from JSON Schema required fields by @​Viicos in #12430

• Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @​davidhewitt in pydantic-core#1833.

  This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

• Add type inference for IP address types by @​davidhewitt in pydantic-core#1868.

  The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

• Avoid getting default values from defaultdict by @​davidhewitt in pydantic-core#1853.

  This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

• Fix issue with field serializers on nested typed dictionaries by @​davidhewitt in pydantic-core#1879.

• Add more pydantic-core builds for the three-threaded version of Python 3.14 by @​davidhewitt in pydantic-core#1864.

Full Changelog: pydantic/pydantic@v2.12.3...v2.12.4

Changelog

Sourced from pydantic's changelog.

v2.12.5 (2025-11-26)

GitHub release

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

v2.12.4 (2025-11-05)

GitHub release

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

• Fix issue with forward references in parent TypedDict classes by @​Viicos in #12427.

  This issue is only relevant on Python 3.14 and greater.

• Exclude fields with exclude_if from JSON Schema required fields by @​Viicos in #12430

• Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @​davidhewitt in pydantic-core#1833.

  This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

• Add type inference for IP address types by @​davidhewitt in pydantic-core#1868.

  The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

• Avoid getting default values from defaultdict by @​davidhewitt in pydantic-core#1853.

  This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

• Fix issue with field serializers on nested typed dictionaries by @​davidhewitt in pydantic-core#1879.

• Add more pydantic-core builds for the three-threaded version of Python 3.14 by @​davidhewitt in pydantic-core#1864.

Commits

• bd2d0dd Prepare release v2.12.5
• 7d0302e Document security implications when using create_model()
• e9ef980 Fix typo in Standard Library Types documentation
• f2c20c0 Add pydantic-docs dev dependency, make use of versioning blocks
• a76c1aa Update documentation about JSON Schema
• 8cbc72c Add documentation about custom __init__()
• 99eba59 Add additional test for FieldInfo.get_default()
• c710769 Special case MISSING sentinel in smart_deepcopy()
• 20a9d77 Do not delete mock validator/serializer in rebuild_dataclass()
• c86515a Update parts of the model and revalidate_instances documentation
• Additional commits viewable in compare view

Updates pydantic-settings from 2.11.0 to 2.12.0

Release notes

Sourced from pydantic-settings's releases.

v2.12.0

What's Changed

• Support for enum kebab case. by @​kschwab in pydantic/pydantic-settings#686
• Apply source order: init > env > dotenv > secrets > defaults and pres… by @​chbndrhnns in pydantic/pydantic-settings#688
• Add NestedSecretsSettings source by @​makukha in pydantic/pydantic-settings#690
• Strip non-explicit default values. by @​kschwab in pydantic/pydantic-settings#692
• Coerce env vars if strict is True. by @​kschwab in pydantic/pydantic-settings#693
• Restore init kwarg names before returning final state dictionary. by @​kschwab in pydantic/pydantic-settings#700
• Drop Python3.9 support by @​hramezani in pydantic/pydantic-settings#699
• Adapt test_protected_namespace_defaults for dev. Pydantic by @​musicinmybrain in pydantic/pydantic-settings#637
• Add Python 3.14 by @​hramezani in pydantic/pydantic-settings#704
• Prepare release 2.12 by @​hramezani in pydantic/pydantic-settings#705

New Contributors

• @​chbndrhnns made their first contribution in pydantic/pydantic-settings#688

Full Changelog: pydantic/pydantic-settings@v2.11.0...v2.12.0

Commits

• 584983d Prepare release 2.12 (#705)
• 6b4d87e Add Python 3.14 (#704)
• 02de5b6 Adapt test_protected_namespace_defaults for dev. Pydantic (#637)
• 4239ea4 Drop Python3.9 support (#699)
• 5008c69 Restore init kwarg names before returning final state dictionary. (#700)
• 4433101 Coerce env vars if strict is True. (#693)
• 4d2ebfd Strip non-explicit default values. (#692)
• 4a6ffca Add NestedSecretsSettings source (#690)
• 7a6e96e Apply source order: init > env > dotenv > secrets > defaults and pres… (#688)
• 68563ed Support for enum kebab case. (#686)
• See full diff in compare view

Updates pyjwt from 2.10.1 to 2.11.0

Release notes

Sourced from pyjwt's releases.

2.11.0

What's Changed

• Fixed type error in comment by @​shuhaib-aot in jpadilla/pyjwt#1026
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1018
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1033
• Make note of use of leeway with nbf by @​djw8605 in jpadilla/pyjwt#1034
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1035
• Fixes #964: Validate key against allowed types for Algorithm family by @​pachewise in jpadilla/pyjwt#985
• Feat #1024: Add iterator for PyJWKSet by @​pachewise in jpadilla/pyjwt#1041
• Fixes #1039: Add iss, issuer type checks by @​pachewise in jpadilla/pyjwt#1040
• Fixes #660: Improve typing/logic for options in decode, decode_complete; Improve docs by @​pachewise in jpadilla/pyjwt#1045
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1042
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1052
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1053
• Fix #1022: Map algorithm=None to "none" by @​qqii in jpadilla/pyjwt#1056
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1055
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1058
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1060
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1061
• Fixes #1047: Correct PyJWKClient.get_signing_key_from_jwt annotation by @​khvn26 in jpadilla/pyjwt#1048
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1062
• Fixed doc string typo in _validate_jti() function #1063 by @​kuldeepkhatke in jpadilla/pyjwt#1064
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1065
• Update SECURITY.md by @​auvipy in jpadilla/pyjwt#1057
• Typing fix: use float instead of int for lifespan and timeout by @​nikitagashkov in jpadilla/pyjwt#1068
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1067
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1071
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1076
• Fix TYP header documentation by @​fobiasmog in jpadilla/pyjwt#1046
• doc: Document claims sub and jti by @​cleder in jpadilla/pyjwt#1088
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1077
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in jpadilla/pyjwt#1089
• Bump actions/stale from 8 to 10 by @​dependabot[bot] in jpadilla/pyjwt#1090
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in jpadilla/pyjwt#1083
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1091
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1093
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in jpadilla/pyjwt#1096
• Resolve package build warnings by @​kurtmckee in jpadilla/pyjwt#1105
• Support Python 3.14, and test against PyPy 3.10+ by @​kurtmckee in jpadilla/pyjwt#1104
• Fix a SyntaxWarning caused by invalid escape sequences by @​kurtmckee in jpadilla/pyjwt#1103
• Standardize CHANGELOG links to PRs by @​kurtmckee in jpadilla/pyjwt#1110
• Migrate from pep517, which is deprecated, to build by @​kurtmckee in jpadilla/pyjwt#1108
• Fix incorrectly-named test suite function by @​kurtmckee in jpadilla/pyjwt#1116
• Fix Read the Docs builds by @​kurtmckee in jpadilla/pyjwt#1111
• Bump actions/download-artifact from 4 to 6 by @​dependabot[bot] in jpadilla/pyjwt#1118
• Escalate test suite warnings to errors by @​kurtmckee in jpadilla/pyjwt#1107
• Add pyupgrade as a pre-commit hook by @​kurtmckee in jpadilla/pyjwt#1109
• Simplify the test suite decorators by @​kurtmckee in jpadilla/pyjwt#1113
• Improve coverage config and eliminate unused test suite code by @​kurtmckee in jpadilla/pyjwt#1115
• Build a shared wheel once in the test suite by @​kurtmckee in jpadilla/pyjwt#1114

... (truncated)

Changelog

Sourced from pyjwt's changelog.

v2.11.0 <https://github.com/jpadilla/pyjwt/compare/2.10.1...2.11.0>__

Fixed

- Enforce ECDSA curve validation per RFC 7518 Section 3.4.
- Fix build system warnings by @kurtmckee in `[#1105](https://github.com/jpadilla/pyjwt/issues/1105) <https://github.com/jpadilla/pyjwt/pull/1105>`__
- Validate key against allowed types for Algorithm family in `[#964](https://github.com/jpadilla/pyjwt/issues/964) <https://github.com/jpadilla/pyjwt/pull/964>`__
- Add iterator for JWKSet in `[#1041](https://github.com/jpadilla/pyjwt/issues/1041) <https://github.com/jpadilla/pyjwt/pull/1041>`__
- Validate `iss` claim is a string during encoding and decoding by @pachewise in `[#1040](https://github.com/jpadilla/pyjwt/issues/1040) <https://github.com/jpadilla/pyjwt/pull/1040>`__
- Improve typing/logic for `options` in decode, decode_complete by @pachewise in `[#1045](https://github.com/jpadilla/pyjwt/issues/1045) <https://github.com/jpadilla/pyjwt/pull/1045>`__
- Declare float supported type for lifespan and timeout by @nikitagashkov in `[#1068](https://github.com/jpadilla/pyjwt/issues/1068) <https://github.com/jpadilla/pyjwt/pull/1068>`__
- Fix ``SyntaxWarning``\s/``DeprecationWarning``\s caused by invalid escape sequences by @kurtmckee in `[#1103](https://github.com/jpadilla/pyjwt/issues/1103) <https://github.com/jpadilla/pyjwt/pull/1103>`__
- Development: Build a shared wheel once to speed up test suite setup times by @kurtmckee in `[#1114](https://github.com/jpadilla/pyjwt/issues/1114) <https://github.com/jpadilla/pyjwt/pull/1114>`__
- Development: Test type annotations across all supported Python versions,
  increase the strictness of the type checking, and remove the mypy pre-commit hook
  by @kurtmckee in `[#1112](https://github.com/jpadilla/pyjwt/issues/1112) <https://github.com/jpadilla/pyjwt/pull/1112>`__
Added

• Support Python 3.14, and test against PyPy 3.10 and 3.11 by @​kurtmckee in [#1104](https://github.com/jpadilla/pyjwt/issues/1104) <https://github.com/jpadilla/pyjwt/pull/1104>__
• Development: Migrate to build to test package building in CI by @​kurtmckee in [#1108](https://github.com/jpadilla/pyjwt/issues/1108) <https://github.com/jpadilla/pyjwt/pull/1108>__
• Development: Improve coverage config and eliminate unused test suite code by @​kurtmckee in [#1115](https://github.com/jpadilla/pyjwt/issues/1115) <https://github.com/jpadilla/pyjwt/pull/1115>__
• Docs: Standardize CHANGELOG links to PRs by @​kurtmckee in [#1110](https://github.com/jpadilla/pyjwt/issues/1110) <https://github.com/jpadilla/pyjwt/pull/1110>__
• Docs: Fix Read the Docs builds by @​kurtmckee in [#1111](https://github.com/jpadilla/pyjwt/issues/1111) <https://github.com/jpadilla/pyjwt/pull/1111>__
• Docs: Add example of using leeway with nbf by @​djw8605 in [#1034](https://github.com/jpadilla/pyjwt/issues/1034) <https://github.com/jpadilla/pyjwt/pull/1034>__
• Docs: Refactored docs with autodoc; added PyJWS and jwt.algorithms docs by @​pachewise in [#1045](https://github.com/jpadilla/pyjwt/issues/1045) <https://github.com/jpadilla/pyjwt/pull/1045>__
• Docs: Documentation improvements for "sub" and "jti" claims by @​cleder in [#1088](https://github.com/jpadilla/pyjwt/issues/1088) <https://github.com/jpadilla/pyjwt/pull/1088>__
• Development: Add pyupgrade as a pre-commit hook by @​kurtmckee in [#1109](https://github.com/jpadilla/pyjwt/issues/1109) <https://github.com/jpadilla/pyjwt/pull/1109>__
• Add minimum key length validation for HMAC and RSA keys (CWE-326). Warns by default via InsecureKeyLengthWarning when keys are below minimum recommended lengths per RFC 7518 Section 3.2 (HMAC) and NIST SP 800-131A (RSA). Pass enforce_minimum_key_length=True in options to PyJWT or PyJWS to raise InvalidKeyError instead.
• Refactor PyJWT to own an internal PyJWS instance instead of calling global api_jws functions.

Commits

• 697344d bump up version
• e4d0aec fix: pre-commit
• df9a6a0 fix: failing test
• 2b2e53c fix: docs
• 635c8d8 fix: failing mypy
• 96ae356 feat: add minimum key length validation for HMAC and RSA
• 5b86227 fix: enforce ECDSA curve validation per RFC 7518 Section 3.4
• 04947d7 Bump actions/download-artifact from 6 to 7 (#1125)
• dd44834 Fix leeway value in usage documentation (#1124)
• 407f0bd Thoroughly test type annotations, and resolve errors (#1112)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.20 to 0.0.22

Release notes

Sourced from python-multipart's releases.

Version 0.0.22

What's Changed

• Drop directory path from filename in File 9433f4b.

---

Full Changelog: Kludex/python-multipart@0.0.21...0.0.22

Version 0.0.21

What's Changed

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 by @​hugovk in Kludex/python-multipart#216

New Contributors

• @​waketzheng made their first contribution in Kludex/python-multipart#203

Full Changelog: Kludex/python-multipart@0.0.20...0.0.21

Changelog

Sourced from python-multipart's changelog.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

Commits

• bea7bbb Version 0.0.22 (#222)
• 0fb59a9 chore: add return type on test (#221)
• 9433f4b Merge commit from fork
• d5c91ec Bump the github-actions group with 2 updates (#219)
• 5a90631 bump uv (#218)
• 1f72955 Version 0.0.21 (#217)
• 47ecfed Add support for Python 3.14 and drop EOL 3.8 and 3.9 (#216)
• f18b709 Bump the github-actions group across 1 directory with 4 updates (#214)
• b388e9a chore: use depedency-groups in pyproject.toml (#212)
• 6113e75 Bump the github-actions group across 1 directory with 3 updates (#210)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.44 to 2.0.46

Release notes

Sourced from sqlalchemy's releases.

2.0.46

Released: January 21, 2026

typing

• [typing] [bug] Fixed typing issues where ORM mapped classes and aliased entities could not be used as keys in result row mappings or as join targets in select statements. Patterns such as row._mapping[User], row._mapping[aliased(User)], row._mapping[with_polymorphic(...)] (rejected by both mypy and Pylance), and .join(aliased(User)) (rejected by Pylance) are documented and fully supported at runtime but were previously rejected by type checkers. The type definitions for _KeyType and _FromClauseArgument have been updated to accept these ORM entity types.

  References: #13075

postgresql

• [postgresql] [bug] Fixed issue where PostgreSQL JSONB operators _postgresql.JSONB.Comparator.path_match() and _postgresql.JSONB.Comparator.path_exists() were applying incorrect VARCHAR casts to the right-hand side operand when used with newer PostgreSQL drivers such as psycopg. The operators now indicate the right-hand type as JSONPATH, which currently results in no casting taking place, but is also compatible with explicit casts if the implementation were require it at a later point.

  References: #13059

• [postgresql] [bug] Fixed regression in PostgreSQL dialect where JSONB subscription syntax would generate incorrect SQL for cast() expressions returning JSONB, causing syntax errors. The dialect now properly wraps cast expressions in parentheses when using the [] subscription syntax, generating (CAST(...))[index] instead of CAST(...)[index] to comply with PostgreSQL syntax requirements. This extends the fix from #12778 which addressed the same issue for function calls.

  References: #13067

• [postgresql] [bug] Improved the foreign key reflection regular expression pattern used by the PostgreSQL dialect to be more permissive in matching identifier characters, allowing it to correctly handle unicode characters in table and column names. This change improves compatibility with PostgreSQL variants such as CockroachDB that may use different quoting patterns in combination with unicode characters in their identifiers. Pull request courtesy Gord Thompson.

... (truncated)

Commits

• See full diff in compare view

Updates coverage from 7.11.0 to 7.13.2

Changelog

Sourced from coverage's changelog.

Version 7.13.2 — 2026-01-25

• Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115_.

• Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117_.

.. _issue 2115: coveragepy/coveragepy#2115 .. _issue 2117: coveragepy/coveragepy#2117

.. _changes_7-13-1:

Version 7.13.1 — 2025-12-28

• Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110_.

• Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.

• Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105_. This is now fixed, thanks to Jianrong Zhao.

• Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn't change any behavior. If you find that it does, please get in touch.

• Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.

• Docs: added a section explaining more about what is considered a missing branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

• Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: coveragepy/coveragepy#1597 .. _pull 2092: coveragepy/coveragepy#2092

... (truncated)

Commits

• 513e971 docs: sample HTML for 7.13.2
• 27a8230 docs: prep for 7.13.2
• 27d8daa refactor: plural does more
• a2f248c fix: stdlib might be through a symlink. #2115
• bc52a22 debug: re-organize Matchers to show more of what they do
• f338d81 debug: build is a tuple, don't show it on two lines
• 92020e4 refactor(test): convert to parametrized
• 6387d0a test: let (most) tests run with no network
• 1d31e33 build: workflows sometimes need more than 10 min
• 6294978 refactor: an error message is now uniform across versions
• Additional commits viewable in compare view

Updates greenlet from 3.2.4 to 3.3.1

Changelog

Sourced from greenlet's changelog.

3.3.1 (2026-01-23)

• Publish Windows ARM binary wheels, where available.
• Fix compilation for 3.14t on Windows.
• Publish Windows 3.14t binary wheels for Intel.
• Switch from Appveyor for Windows to Github Actions.
• Fix compilation on MIPS with GCC 15 and binutils 2.45. See PR 487 by Rosen Penev <https://github.com/python-greenlet/greenlet/pull/487>_. Note that this is not a platform tested by this project's CI.
• Move most project metadata into the static pyproject.toml file. This updates licensing information to use the modern License-Expression field. See PR 480 by mrbean-bremen <https://github.com/python-greenlet/greenlet/pull/480/>_.

3.3.0 (2025-12-04)

• Drop support for Python 3.9.

• Switch to...

  Description has been truncated

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml