chore(deps): bump sqlalchemy from 1.4.54 to 2.0.49

[dependabot]

Bumps sqlalchemy from 1.4.54 to 2.0.49.

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: pip. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[bito-code-review]

Code Review Agent Run #fba815

Actionable Suggestions - 0

Additional Suggestions - 1

• pyproject.toml - 1

  • SQLAlchemy 2.x string execute incompatibility · Line 102-102
    Wrap raw SQL strings in `text()` or use compiled statement objects in both `tests/unit_tests/db_engine_specs/test_sqlite.py` and `tests/unit_tests/models/helpers_test.py` before upgrading to SQLAlchemy 2.x.

Review Details

• Files reviewed - 1 · Commit Range: 01e2814..01e2814

  • pyproject.toml
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #9dce47

Actionable Suggestions - 0

Additional Suggestions - 1

• pyproject.toml - 1

  • SQLAlchemy 2.0 deprecation warnings · Line 102-102
    Expanding SQLAlchemy to 2.x (lower-bound already 1.4) is technically supported by sqlalchemy-utils 0.42.0 (requires SQLAlchemy>=1.4 per PyPI) and flask-appbuilder 5.2.1+ (officially supports SQLAlchemy 2.x). However, superset has 110+ legacy `db.session.query()` calls in daos alone, which will trigger `LegacyAPIWarning` in SQLAlchemy 2.0. The codebase already uses some 2.0-style `select()` in files like `daos/datasource.py`. Without incremental migration, users will see deprecation warnings on every database operation. Consider adding a comment or tracking migration progress.

Review Details

• Files reviewed - 1 · Commit Range: 7b0e2ab..7b0e2ab

  • pyproject.toml
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[villebro]

We're definitely not SQLA 2.0 compatible yet!

[rusackas]

We're definitely not SQLA 2.0 compatible yet!

@betodealmeida @villebro I have no idea how big the effort is to make it happen. Shall we update the dependabot config to not even try this, if it's going to be a long time?

[rusackas]

Also, @villebro @betodealmeida, perhaps more importantly, if we're NOT SQLA2.0 ready, what tests are we missing... sounds like this should've failed CI for any number of reasons.