Bump the python-deps group in /backend with 21 updates by dependabot[bot] · Pull Request #18 · 2lba/basira

dependabot · 2026-05-21T16:50:51Z

Bumps the python-deps group in /backend with 21 updates:

Package	From	To
starlette	`0.49.1`	`1.0.0`
uvicorn	`0.34.0`	`0.47.0`
pydantic	`2.10.4`	`2.13.4`
pydantic-settings	`2.7.1`	`2.14.1`
sqlalchemy	`2.0.36`	`2.0.49`
asyncpg	`0.30.0`	`0.31.0`
alembic	`1.14.0`	`1.18.4`
redis	`5.2.1`	`7.4.0`
arq	`0.26.3`	`0.28.0`
anthropic	`0.42.0`	`0.103.1`
bcrypt	`4.2.1`	`5.0.0`
cryptography	`46.0.7`	`48.0.0`
python-multipart	`0.0.27`	`0.0.29`
structlog	`25.1.0`	`25.5.0`
tenacity	`9.0.0`	`9.1.4`
pygithub	`2.5.0`	`2.9.1`
pytest-cov	`6.0.0`	`7.1.0`
ruff	`0.8.4`	`0.15.14`
black	`26.3.1`	`26.5.1`
mypy	`1.14.0`	`2.1.0`
bandit	`1.8.0`	`1.9.4`

Updates starlette from 0.49.1 to 1.0.0

Release notes

Sourced from starlette's releases.

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @adriangb, @graingert, @agronholm, @florimondmanca, @aminalaee, @tiangolo, @alex-oleshkevich, @abersheeran, and @uSpike for helping make Starlette what it is today. And to all my sponsors - especially @tiangolo, @huggingface, and @elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026

Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0

Version 1.0.0rc1

We're ready! 🚀

The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.

This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.

A special thank you to @lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @adriangb, @graingert, @agronholm, @florimondmanca, @aminalaee, @tiangolo, @alex-oleshkevich, and @abersheeran for helping make Starlette what it is today. And to all my sponsors - especially @tiangolo, @huggingface, and @elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years!

Check out the full release notes at https://www.starlette.io/release-notes/#100rc1-february-23-2026

Full Changelog: Kludex/starlette@0.52.1...1.0.0rc1

Version 0.52.1

What's Changed

Only use typing_extensions in older Python versions by @Kludex in Kludex/starlette#3109

Full Changelog: Kludex/starlette@0.52.0...0.52.1

Version 0.52.0

In this release, State can be accessed using dictionary-style syntax for improved type safety (#3036).
</tr></table> 

... (truncated)

Changelog

Sourced from starlette's changelog.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

Track session access and modification in SessionMiddleware #3166.

Fixed

Handle websocket denial responses in StreamingResponse and FileResponse #3189.

Use bytearray for field accumulation in FormParser #3179.

Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:

Kim Christie - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.

Adrian Garcia Badaracco - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.

Thomas Grainger - My async teacher, always ready to help with questions.

Alex Grönholm - Another async mentor, always prompt to help with questions.

Florimond Manca - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.

Amin Alaee - Contributed a lot with file-related PRs.

Sebastián Ramírez - Maintains FastAPI upstream, and always in contact to help with upstream issues.

Alex Oleshkevich - Helped a lot on templates and many discussions.

abersheeran - My go-to person when I need help on many subjects.

I'd also like to thank my sponsors for their support. A special thanks to @tiangolo, @huggingface, and @elevenlabs for their generous sponsorship, and to all my other sponsors:

... (truncated)

Commits

0e88e92 Version 1.0.0 (#3178)
9ee9519 Handle websocket denial responses in streaming and file responses (#3189)
a0bcc26 chore(deps-dev): bump black from 26.1.0 to 26.3.1 (#3183)
79b3f26 chore(deps-dev): bump the python-packages group with 7 updates (#3168)
789b926 Use bytearray for field accumulation in FormParser (#3179)
a1fd9d8 docs: fix typo in routing.md (#3176)
c14d0f7 Document session cookie security flags (#3169)
c2e2878 Move parser.finalize() inside try/except in MultiPartParser.parse() (#3153)
89630a8 chore(deps): bump the github-actions group with 3 updates (#3167)
4647e53 Track session access and modification in SessionMiddleware (#3166)
Additional commits viewable in compare view

Updates uvicorn from 0.34.0 to 0.47.0

Release notes

Sourced from uvicorn's releases.

Version 0.47.0

What's Changed

Eagerly import the ASGI app in the parent process by @Kludex in Kludex/uvicorn#2919

Add ssl_context_factory for custom SSLContext configuration by @Kludex in Kludex/uvicorn#2920

Treat fd=0 as a valid file descriptor with reload/workers by @eltoder in Kludex/uvicorn#2927

Full Changelog: Kludex/uvicorn@0.46.0...0.47.0

Version 0.46.0

What's Changed

Support ws_max_size in wsproto implementation by @Kludex in Kludex/uvicorn#2915

Support ws_ping_interval and ws_ping_timeout in wsproto implementation by @Kludex in Kludex/uvicorn#2916

Use bytearray for incoming WebSocket message buffer in websockets-sansio by @Kludex in Kludex/uvicorn#2917

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

Version 0.45.0

What's Changed

Preserve forwarded client ports in proxy headers middleware by @Kludex in Kludex/uvicorn#2903

Accept os.PathLike for log_config by @Kludex in Kludex/uvicorn#2905

Accept log_level strings case-insensitively by @Kludex in Kludex/uvicorn#2907

Raise helpful ImportError when PyYAML is missing for YAML log config by @Kludex in Kludex/uvicorn#2906

Revert empty context for ASGI runs by @Kludex in Kludex/uvicorn#2911

Add --reset-contextvars flag to isolate ASGI request context by @Kludex in Kludex/uvicorn#2912

Revert "Emit http.disconnect on server shutdown for streaming responses" (#2829) by @Kludex in Kludex/uvicorn#2913

New Contributors

@Krishnachaitanyakc made their first contribution in Kludex/uvicorn#2870

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

Version 0.44.0

What's Changed

Implement websocket keepalive pings for websockets-sansio by @Kludex in Kludex/uvicorn#2888

Full Changelog: Kludex/uvicorn@0.43.0...0.44.0

Version 0.43.0

Changed

Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)

Use native context parameter for create_task on Python 3.11+ (#2859)

Drop cast in ASGI types (#2875)

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

... (truncated)

Changelog

Sourced from uvicorn's changelog.

0.47.0 (May 14, 2026)

Added

Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

Eagerly import the ASGI app in the parent process (#2919)

Fixed

Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

Support ws_max_size in wsproto implementation (#2915)

Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

Add --reset-contextvars flag to isolate ASGI request context (#2912)

Accept os.PathLike for log_config (#2905)

Accept log_level strings case-insensitively (#2907)

Changed

Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)

Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

Preserve forwarded client ports in proxy headers middleware (#2903)

Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)

0.44.0 (April 6, 2026)

Added

Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

... (truncated)

Commits

479a2c0 Version 0.47.0 (#2937)
89347fd Add 7-day cooldown for dependency resolution via uv exclude-newer (#2936)
767315b Drop unused contents/actions permissions from zizmor workflow (#2935)
f25ee43 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#2933)
8782666 Fix typo in docs/deployment/index.md. (#2932)
ad5ff87 Treat fd=0 as a valid file descriptor with reload/workers (#2927)
6761b2c Remove Hugging Face sponsor block from docs (#2923)
438f648 Surface sponsors on welcome page and sidebar (#2921)
10ddc6d Add ssl_context_factory for custom SSLContext configuration (#2920)
b499bc4 Eagerly import the ASGI app in the parent process (#2919)
Additional commits viewable in compare view

Updates pydantic from 2.10.4 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

Bump libc from 0.2.155 to 0.2.185 by @Viicos in #13109

Adapt pydantic-core linker flags on macOS by @washingtoneg and @Viicos in #13147

Fixes

Preserve RootModel core metadata by @Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

Handle AttributeError subclasses with from_attributes by @Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

Fix ValidationInfo.field_name missing with model_validate_json() by @Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Fix ValidationInfo.data missing with model_validate_json() by @davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

Bump libc from 0.2.155 to 0.2.185 by @Viicos in #13109

Adapt pydantic-core linker flags on macOS by @washingtoneg and @Viicos in #13147

Fixes

Preserve RootModel core metadata by @Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

Handle AttributeError subclasses with from_attributes by @Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

Fix ValidationInfo.field_name missing with model_validate_json() by @Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

Fix ValidationInfo.data missing with model_validate_json() by @davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

cf67d4b Fix linting
f0d8a21 Prepare release v2.13.4
5e3fe1d Check for pydantic tag pattern in CI
7f9edcc Document tagging conventions
b46a0c9 Adapt pydantic-core linker flags on macOS
50629c8 Update to PyPy 7.3.22
8522ebb Preserve RootModel core metadata
a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
909259a Remove Logfire example in documentation
2c4174c Bump libc from 0.2.155 to 0.2.185
Additional commits viewable in compare view

Updates pydantic-settings from 2.7.1 to 2.14.1

Release notes

Sourced from pydantic-settings's releases.

v2.14.1

What's Changed

Bump the python-packages group with 4 updates by @dependabot[bot] in pydantic/pydantic-settings#850

Bump the python-packages group with 5 updates by @dependabot[bot] in pydantic/pydantic-settings#854

Bump the github-actions group with 3 updates by @dependabot[bot] in pydantic/pydantic-settings#853

Bump the python-packages group with 2 updates by @dependabot[bot] in pydantic/pydantic-settings#856

Fix field named cls conflicting with classmethod parameter by @hramezani in pydantic/pydantic-settings#858

Prepare release 2.14.1 by @hramezani in pydantic/pydantic-settings#859

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

v2.14.0

What's Changed

Fix parsing env vars into Optional Strict types by @hramezani in pydantic/pydantic-settings#792

Fix RecursionError with mutually recursive models in CLI by @hramezani in pydantic/pydantic-settings#794

Fix env_file from model_config ignored in CliApp.run() (#795) by @hramezani in pydantic/pydantic-settings#796

Update dependencies by @hramezani in pydantic/pydantic-settings#798

Add Dependabot configuration by @hramezani in pydantic/pydantic-settings#801

Bump samuelcolvin/check-python-version from 4.1 to 5 by @dependabot[bot] in pydantic/pydantic-settings#802

Bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in pydantic/pydantic-settings#803

Bump actions/checkout from 4 to 6 by @dependabot[bot] in pydantic/pydantic-settings#804

Bump astral-sh/setup-uv from 5 to 7 by @dependabot[bot] in pydantic/pydantic-settings#805

Bump actions/setup-python from 5 to 6 by @dependabot[bot] in pydantic/pydantic-settings#806

Ignore chardet and group GitHub Actions in Dependabot by @hramezani in pydantic/pydantic-settings#808

Bump actions/download-artifact from 4 to 8 in the github-actions group by @dependabot[bot] in pydantic/pydantic-settings#809

Bump the python-packages group with 2 updates by @dependabot[bot] in pydantic/pydantic-settings#810

Support reading .env files from FIFOs (e.g. 1Password Environments) by @JacobHayes in pydantic/pydantic-settings#776

Fix AliasChoices ignored when changing provider priority by @hramezani in pydantic/pydantic-settings#813

fix: resolve KeyError in run_subcommand for underscore field names by @bradykieffer in pydantic/pydantic-settings#799

Bump the python-packages group with 3 updates by @dependabot[bot] in pydantic/pydantic-settings#814

Fix Literal[numeric Enum] coercion for CLI and env vars by @m9810223 in pydantic/pydantic-settings#811

Fix nested discriminated unions not discovered by env/CLI providers by @hramezani in pydantic/pydantic-settings#816

Bump the python-packages group with 3 updates by @dependabot[bot] in pydantic/pydantic-settings#820

CLI ensure env nested max split internally. by @kschwab in pydantic/pydantic-settings#821

Bump the python-packages group with 4 updates by @dependabot[bot] in pydantic/pydantic-settings#824

Migrate boto3-stubs to types-boto3 by @hramezani in pydantic/pydantic-settings#831

Fix CLI not recognizing field name with validate_by_name and AliasChoices by @hramezani in pydantic/pydantic-settings#826

Allow customisation of the dotevn setting source to filter variables by @CaselIT in pydantic/pydantic-settings#832

Bump the python-packages group with 3 updates by @dependabot[bot] in pydantic/pydantic-settings#833

Introduce yamlfmt by @Viicos in pydantic/pydantic-settings#836

Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by @dependabot[bot] in pydantic/pydantic-settings#837

Introduce zizmor by @Viicos in pydantic/pydantic-settings#838

Fix CliPositionalArg[list[CustomType]] crash for custom types by @hramezani in pydantic/pydantic-settings#839

Add note about Mypy plugin for BaseSettings.__init__() by @Viicos in pydantic/pydantic-settings#842

Fix cli_ignore_unknown_args=True not working on subcommands by @hramezani in pydantic/pydantic-settings#844

Bump the python-packages group with 4 updates by @dependabot[bot] in pydantic/pydantic-settings#847

Fix CLI descriptions lost under python -OO by falling back to json_schema_extra by @hramezani in pydantic/pydantic-settings#843

Prepare release 2.14.0 by @hramezani in pydantic/pydantic-settings#848

... (truncated)

Commits

e95c30b Prepare release 2.14.1 (#859)
0c87345 Fix field named cls conflicting with classmethod parameter (#858)
7bd0072 Bump the python-packages group with 2 updates (#856)
b03e573 Bump the github-actions group with 3 updates (#853)
eaa3b43 Bump the python-packages group with 5 updates (#854)
9f95615 Bump the python-packages group with 4 updates (#850)
8916bee Prepare release 2.14.0 (#848)
39e551c Fix CLI descriptions lost under python -OO by falling back to `json_schema_...
9ed7f48 Bump the python-packages group with 4 updates (#847)
617c690 Fix cli_ignore_unknown_args=True not working on subcommands (#844)
Additional commits viewable in compare view

Updates sqlalchemy from 2.0.36 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

[orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

References: #13176

[orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

References: #13193

[orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

References: #13202

[orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

References: #13209

typing

[typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

See full diff in compare view

Updates asyncpg from 0.30.0 to 0.31.0

Release notes

Sourced from asyncpg's releases.

v0.31.0

Enable Python 3.14 with experimental subinterpreter/freethreading support.

Improvements

Add Python 3.14 support, experimental subinterpreter/freethreading support (#1279) (by @elprans in 9e42642b)

Avoid performing type introspection on known types (#1243) (by @elprans in 5c9986c4)

Make prepare() not use named statements by default when cache is disabled (#1245) (by @elprans in 5b14653e)

Implement connection service file functionality (#1223) (by @AndrewJackson2020 in 1d63bb15)

Fixes

Fix multi port connection string issue (#1222) (by @AndrewJackson2020 in 01c0db7b)

Avoid leaking connections if _can_use_connection fails (#1269) (by @yuliy-openai in e94302d2)

Other

Drop support for EOL Python 3.8 (#1281) (by @elprans in 6c2c4904)

Commits

71775a6 asyncpg v0.31.0
508cae6 Test on PostgreSQL 18 (#1290)
e534e5f Bump cibuildwheel
07fe512 Bump pgproto
648b35f Bump Cython to 3.2.1 (#1288)
9e42642 Add Python 3.14 support, experimental subinterpreter/freethreading support (#...
6fe1c49 Move development deps away from extras and into dependency groups (#1280)
7a54816 Fix a couple of missed Python version guards
6c2c490 Drop support for EOL Python 3.8 (#1281)
4c60ae8 Bump version to 0.31.0.dev0
Additional commits viewable in compare view

Updates alembic from 1.14.0 to 1.18.4

Release notes

Sourced from alembic's releases.

1.18.4

Released: February 10, 2026

bug

[bug] [operations] Reverted the behavior of Operations.add_column() that would automatically render the "PRIMARY KEY" keyword inline when a Column with primary_key=True is added. The automatic behavior, added in version 1.18.2, is now opt-in via the new Operations.add_column.inline_primary_key parameter. This change restores the ability to render a PostgreSQL SERIAL column, which is required to be primary_key=True, while not impacting the ability to render a separate primary key constraint. This also provides consistency with the Operations.add_column.inline_references parameter and gives users explicit control over SQL generation.

To render PRIMARY KEY inline, use the Operations.add_column.inline_primary_key parameter set to True:

op.add_column( "my_table", Column("id", Integer, primary_key=True), inline_primary_key=True )References: #1232

1.18.3

Released: January 29, 2026

bug

[bug] [autogenerate] Fixed regression in version 1.18.0 due to #1771 where autogenerate would raise NoReferencedTableError when a foreign key constraint referenced a table that was not part of the initial table load, including tables filtered out by the EnvironmentContext.configure.include_name callable or tables in remote schemas that were not included in the initial reflection run.

The change in #1771 was a performance optimization that eliminated additional reflection queries for tables that were only referenced by foreign keys but not explicitly included in the main reflection run. However, this optimization inadvertently removed the creation of Table objects for these referenced tables, causing autogenerate to fail when processing foreign key constraints that pointed to them.

The fix creates placeholder Table objects for foreign key targets

... (truncated)

Commits

See full diff in compare view

Updates redis from 5.2.1 to 7.4.0

Release notes

Sourced from redis's releases.

7.4.0

Changes

🐛 Bug Fixes

Fix AttributeError in cluster metrics recording when connection is None or ClusterNode object instance is used to extract the connection info (#3999)

Fixing security concern in repr methods for ConnectionPools - passwords might leak in plain text logs (#3998)

Refactored connection count and SCH metric collection (#4001)

🧪 Experimental Features

-Refactored health check logic for MultiDBClient (#3994)

🧰 Maintenance

Expose basic Otel classes and functions to be importable through redis.observability to match the examples in the readthedocs (#3996)

We'd like to thank all the contributors who worked on this release! @vladvildanov @petyaslavova

7.3.0

Changes

OpenTelemetry Native Metrics Support for asynchronous clients Added comprehensive OpenTelemetry metrics support for asynchronous clients following the OpenTelemetry Database Client Semantic Conventions. Metric groups include:

Command metrics: Operation duration with retry tracking

Connection basic: Connection count and creation time

Resiliency: Errors, handoffs, timeout relaxation

Connection advanced: Wait time and use time

Pubsub metrics: Published and received messages

Stream metrics: Processing duration and maintenance notifications

🚀 New Features

Added OTel instrumentation and metrics export for async client (#3977)

🐛 Bug Fixes

[async] Adding access to cluster client's nodes_manager and set_response_callback in ClusterPipeline objects (#3989)

fix(connection): Ensure we have an initialized protocol in connection (#3981)

🧰 Maintenance

fix: use KeysT for blpop and brpop keys parameter type annotation (#3987 #3990)

Bump actions/upload-artifact from 6 to 7 (#3985)

fix: replace 3 bare except clauses with except Exception (#3980)

We'd like to thank all the contributors who worked on this release! @mitre88 @turanalmammadov @haosenwang1018 @Medno @vladvildanov @petyaslavova

7.2.1

Changes

... (truncated)

Commits

b72f24a Updating lib version to 7.4.0
0a4e0af Refactored health check logic for MultiDBClient (#3994)
15492c9 Refactored connection count and SCH metric collection (#4001)
cd964ac Expose basic Otel classes and funtions to be importable through redis.observa...
46ab74d Fixing security concern in repr methods for ConnectionPools - passwords m...
26482db Fix AttributeError in cluster metrics recording when connection is None or Cl...
8ecbc7a Updating lib version to 7.3.0
11043df typing: accept single-key input for blpop and brpop (#3990)
d958125 fix: use KeysT for blpop and brpop keys parameter type annotation (#3987)
75bf91b [async] Adding access to cluster client's nodes_manager and set_response_call...
Additional commits viewable in compare view

Updates arq from 0.26.3 to 0.28.0

Release notes

Sourced from arq's releases.

v0.28.0 2026-04-16

What's Changed

Add support for Python 3.14 by @Viicos in python-arq/arq#522

Full Changelog: python-arq/arq@v0.27.0...v0.28.0

v0.27.0 2026-02-02

What's Changed

Add support for Python 3.13, remove advertised support for Python 3.8 by @Viicos in python-arq/arq#514

Apply lint and format for Python 3.9 by @Viicos in python-arq/arq#515

Use uv, update actions by @Viicos in python-arq/arq#516

Update project URLs by @Viicos in python-arq/arq#517

Fix retry_on_error type annotation by @armicron in python-arq/arq#446

Fix wrong reference in Retry docstring by @PassionateBytes in python-arq/arq#507

New Contributors

@Viicos made their first contribution in python-arq/arq#514

@armicron made their first contribution in python-arq/arq#446

@PassionateBytes made their first contribution in python-arq/arq#507

Full Changelog: python-arq/arq@v0.26.3...v0.27.0

Changelog

Sourced from arq's changelog.

v0.28.0 (2026-04-16) ....................

Add support for Python 3.14 by @Viicos in #522

v0.27.0 (2026-01-30) ....................

Fix wrong reference in Retry docstring by @PassionateBytes in

…ng-key scan flow

…r byok

Bumps the python-deps group in /backend with 21 updates: | Package | From | To | | --- | --- | --- | | [starlette](https://github.com/Kludex/starlette) | `0.49.1` | `1.0.0` | | [uvicorn](https://github.com/Kludex/uvicorn) | `0.34.0` | `0.47.0` | | [pydantic](https://github.com/pydantic/pydantic) | `2.10.4` | `2.13.4` | | [pydantic-settings](https://github.com/pydantic/pydantic-settings) | `2.7.1` | `2.14.1` | | [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.36` | `2.0.49` | | [asyncpg](https://github.com/MagicStack/asyncpg) | `0.30.0` | `0.31.0` | | [alembic](https://github.com/sqlalchemy/alembic) | `1.14.0` | `1.18.4` | | [redis](https://github.com/redis/redis-py) | `5.2.1` | `7.4.0` | | [arq](https://github.com/python-arq/arq) | `0.26.3` | `0.28.0` | | [anthropic](https://github.com/anthropics/anthropic-sdk-python) | `0.42.0` | `0.103.1` | | [bcrypt](https://github.com/pyca/bcrypt) | `4.2.1` | `5.0.0` | | [cryptography](https://github.com/pyca/cryptography) | `46.0.7` | `48.0.0` | | [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.27` | `0.0.29` | | [structlog](https://github.com/hynek/structlog) | `25.1.0` | `25.5.0` | | [tenacity](https://github.com/jd/tenacity) | `9.0.0` | `9.1.4` | | [pygithub](https://github.com/pygithub/pygithub) | `2.5.0` | `2.9.1` | | [pytest-cov](https://github.com/pytest-dev/pytest-cov) | `6.0.0` | `7.1.0` | | [ruff](https://github.com/astral-sh/ruff) | `0.8.4` | `0.15.14` | | [black](https://github.com/psf/black) | `26.3.1` | `26.5.1` | | [mypy](https://github.com/python/mypy) | `1.14.0` | `2.1.0` | | [bandit](https://github.com/PyCQA/bandit) | `1.8.0` | `1.9.4` | Updates `starlette` from 0.49.1 to 1.0.0 - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@0.49.1...1.0.0) Updates `uvicorn` from 0.34.0 to 0.47.0 - [Release notes](https://github.com/Kludex/uvicorn/releases) - [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md) - [Commits](Kludex/uvicorn@0.34.0...0.47.0) Updates `pydantic` from 2.10.4 to 2.13.4 - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/v2.13.4/HISTORY.md) - [Commits](pydantic/pydantic@v2.10.4...v2.13.4) Updates `pydantic-settings` from 2.7.1 to 2.14.1 - [Release notes](https://github.com/pydantic/pydantic-settings/releases) - [Commits](pydantic/pydantic-settings@v2.7.1...v2.14.1) Updates `sqlalchemy` from 2.0.36 to 2.0.49 - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) Updates `asyncpg` from 0.30.0 to 0.31.0 - [Release notes](https://github.com/MagicStack/asyncpg/releases) - [Commits](MagicStack/asyncpg@v0.30.0...v0.31.0) Updates `alembic` from 1.14.0 to 1.18.4 - [Release notes](https://github.com/sqlalchemy/alembic/releases) - [Changelog](https://github.com/sqlalchemy/alembic/blob/main/CHANGES) - [Commits](https://github.com/sqlalchemy/alembic/commits) Updates `redis` from 5.2.1 to 7.4.0 - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](redis/redis-py@v5.2.1...v7.4.0) Updates `arq` from 0.26.3 to 0.28.0 - [Release notes](https://github.com/python-arq/arq/releases) - [Changelog](https://github.com/python-arq/arq/blob/main/HISTORY.rst) - [Commits](python-arq/arq@v0.26.3...v0.28.0) Updates `anthropic` from 0.42.0 to 0.103.1 - [Release notes](https://github.com/anthropics/anthropic-sdk-python/releases) - [Changelog](https://github.com/anthropics/anthropic-sdk-python/blob/main/CHANGELOG.md) - [Commits](anthropics/anthropic-sdk-python@v0.42.0...v0.103.1) Updates `bcrypt` from 4.2.1 to 5.0.0 - [Changelog](https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst) - [Commits](pyca/bcrypt@4.2.1...5.0.0) Updates `cryptography` from 46.0.7 to 48.0.0 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.7...48.0.0) Updates `python-multipart` from 0.0.27 to 0.0.29 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.27...0.0.29) Updates `structlog` from 25.1.0 to 25.5.0 - [Release notes](https://github.com/hynek/structlog/releases) - [Changelog](https://github.com/hynek/structlog/blob/main/CHANGELOG.md) - [Commits](hynek/structlog@25.1.0...25.5.0) Updates `tenacity` from 9.0.0 to 9.1.4 - [Release notes](https://github.com/jd/tenacity/releases) - [Commits](jd/tenacity@9.0.0...9.1.4) Updates `pygithub` from 2.5.0 to 2.9.1 - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.5.0...v2.9.1) Updates `pytest-cov` from 6.0.0 to 7.1.0 - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest-cov@v6.0.0...v7.1.0) Updates `ruff` from 0.8.4 to 0.15.14 - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.8.4...0.15.14) Updates `black` from 26.3.1 to 26.5.1 - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@26.3.1...26.5.1) Updates `mypy` from 1.14.0 to 2.1.0 - [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md) - [Commits](python/mypy@v1.14.0...v2.1.0) Updates `bandit` from 1.8.0 to 1.9.4 - [Release notes](https://github.com/PyCQA/bandit/releases) - [Commits](PyCQA/bandit@1.8.0...1.9.4) --- updated-dependencies: - dependency-name: starlette dependency-version: 1.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: python-deps - dependency-name: uvicorn dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: pydantic dependency-version: 2.13.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: pydantic-settings dependency-version: 2.14.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: sqlalchemy dependency-version: 2.0.49 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-deps - dependency-name: asyncpg dependency-version: 0.31.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: alembic dependency-version: 1.18.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: redis dependency-version: 7.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: python-deps - dependency-name: arq dependency-version: 0.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: anthropic dependency-version: 0.103.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: bcrypt dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: python-deps - dependency-name: cryptography dependency-version: 48.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: python-deps - dependency-name: python-multipart dependency-version: 0.0.29 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-deps - dependency-name: structlog dependency-version: 25.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: tenacity dependency-version: 9.1.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: pygithub dependency-version: 2.9.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: pytest-cov dependency-version: 7.1.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: python-deps - dependency-name: ruff dependency-version: 0.15.14 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: black dependency-version: 26.5.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-deps - dependency-name: mypy dependency-version: 2.1.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: python-deps - dependency-name: bandit dependency-version: 1.9.4 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: python-deps ... Signed-off-by: dependabot[bot] <support@github.com>

basira-dev

basira review

Multiple major version bumps across critical dependencies (Starlette, Redis, Anthropic, bcrypt, mypy) that are highly likely to introduce breaking changes. This PR needs comprehensive testing and likely code updates before merging.

Findings: major: 6
Inline comments: 5

File-level notes:

[major] backend/pyproject.toml - Anthropic SDK jumped from 0.42.0 to 0.103.1 (61 minor versions). This is extremely likely to contain breaking changes requiring code review.

_{generated by basira}

basira-dev · 2026-05-21T16:51:08Z

+    "pydantic==2.13.4",
+    "pydantic-settings==2.14.1",
+    "sqlalchemy[asyncio]==2.0.49",
+    "asyncpg==0.31.0",


[major]
Redis 7.4.0 is a major version jump from 5.2.1. This will have breaking API changes that require code updates.

basira-dev · 2026-05-21T16:51:08Z

-    "alembic==1.14.0",
-    "redis==5.2.1",
-    "arq==0.26.3",
+    "starlette==1.0.0",


[major]
Starlette 1.0.0 is a major version bump from 0.49.1. This likely introduces breaking changes that need testing and code updates.

basira-dev · 2026-05-21T16:51:08Z

    "httpx==0.28.1",
-    "anthropic==0.42.0",
-    "bcrypt==4.2.1",
+    "anthropic==0.103.1",


[major]
Bcrypt 5.0.0 is a major version bump from 4.2.1. Verify password hashing compatibility and that existing hashes still validate.

basira-dev · 2026-05-21T16:51:08Z

-    "black==26.3.1",
-    "mypy==1.14.0",
+    "ruff==0.15.14",
+    "black==26.5.1",


[major]
Mypy 2.1.0 is a major version jump from 1.14.0. This will introduce new type checking rules that may break CI or reveal new type errors.

basira-dev · 2026-05-21T16:51:08Z

-    "redis==5.2.1",
-    "arq==0.26.3",
+    "starlette==1.0.0",
+    "uvicorn[standard]==0.47.0",


[major]
Uvicorn 0.47.0 is a large jump from 0.34.0 (13 minor versions). Verify compatibility with the new Starlette 1.0.0 and check for breaking changes.

2lba added 30 commits May 19, 2026 15:20

match config to GITHUB_APP_ env names in .env

85e645c

vite proxy so frontend and backend share one origin

c265acd

bind installation to user on webhook + backfill

52b7793

fix severity threshold default and mount github key

ec4b977

isolate pytest to its own database

087592b

fix oauth callback when email is private

e6522a3

auto-migrate on boot

6bf7c4f

granular oauth error codes with frontend banner

1978cad

scope vite proxy patterns and pin e2e frontend url

8bd2c51

patch known cve dependencies

e040753

tidy import order

dde0c5c

pin vite to 7.x for stable hmr

5549d9e

bump eslint to match plugin api and clean unused imports

024f887

block ssrf via webhook url validator + idor jwt webhook tests

44d3bab

prod env safety + readyz version endpoints

6768793

threat model and owasp audit grounded in code

e93246e

public security contributing privacy changelog

3ed9874

issue and pr templates plus codeql workflow and tighter ci

858bb97

final audit report

e0f03d7

force backend to read updated base urls

9daaa1b

user api keys schema and migration

ffeb06a

anthropic key validation and encryption

f39ae12

api keys endpoints

d209de9

scan engine uses user-owned anthropic key

a065161

byok backend tests

87c567c

api keys settings tab

80a6bcb

missing key banner and error states

04167b4

snapshot before master audit

471be10

expand byok tests with post-test endpoint, encryption check and missi…

bd7fe64

…ng-key scan flow

drop em-dashes across codebase

0d80e52

2lba and others added 15 commits May 20, 2026 20:37

ignore local claude tooling

5e083c0

bump pyjwt to 2.12.1 and add byok mass-assignment and key-leak tests

c75974a

lint cleanup and stronger scan-engine missing-key test

ba35827

fix scan detail duplicate error kwarg and refresh settings tab e2e fo…

490cdb8

…r byok

add prod compose overlay with resource limits

857d740

audit report v2 covering byok shipping and security pass two

9754161

user flow simulation suite

a9f334b

load testing baseline

5810b83

fresh install verification report

767ed70

audit closeout: deferred items shipped

28c86d2

readme with screenshots

1af7c6b

remove internal claude context

fc6ea0f

move audit reports to docs/audit

9e81db4

reduce dependabot noise: monthly, grouped, limit 2

08c389a

dependabot Bot added the dependencies Pull requests that update a dependency file label May 21, 2026

basira-dev Bot reviewed May 21, 2026

View reviewed changes

2lba force-pushed the main branch from 06ef058 to 45871e8 Compare May 21, 2026 17:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the python-deps group in /backend with 21 updates#18

Bump the python-deps group in /backend with 21 updates#18
dependabot[bot] wants to merge 45 commits into
mainfrom
dependabot/pip/backend/python-deps-dec4385b94

dependabot Bot commented on behalf of github May 21, 2026

Uh oh!

basira-dev Bot left a comment

Uh oh!

basira-dev Bot May 21, 2026

Uh oh!

basira-dev Bot May 21, 2026

Uh oh!

basira-dev Bot May 21, 2026

Uh oh!

basira-dev Bot May 21, 2026

Uh oh!

basira-dev Bot May 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 21, 2026

Version 1.0.0

Version 1.0.0rc1

Version 0.52.1

What's Changed

Version 0.52.0

1.0.0 (March 22, 2026)

Added

Fixed

1.0.0rc1 (February 23, 2026)

Version 0.47.0

What's Changed

Version 0.46.0

What's Changed

Version 0.45.0

What's Changed

New Contributors

Version 0.44.0

What's Changed

Version 0.43.0

Changed

0.47.0 (May 14, 2026)

Added

Changed

Fixed

0.46.0 (April 23, 2026)

Added

Changed

0.45.0 (April 21, 2026)

Added

Changed

Fixed

0.44.0 (April 6, 2026)

Added

0.43.0 (April 3, 2026)

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

Fixes

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

v2.13.0 2026-04-13

v2.13.4 (2026-05-06)

What's Changed

Packaging

Fixes

v2.13.3 (2026-04-20)

What's Changed

Fixes

v2.13.2 (2026-04-17)

What's Changed

Fixes

v2.13.1 (2026-04-15)

What's Changed

Fixes

v2.13.0 (2026-04-13)

v2.14.1

What's Changed

v2.14.0

What's Changed

2.0.49

orm

typing

v0.31.0

Improvements

Fixes

Other

1.18.4