Update Python dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
gunicorn (changelog)	==25.3.0 → ==26.0.0
tombi	==0.10.2 → ==0.11.1
ty (changelog)	==0.0.34 → ==0.0.35
types-grpcio (changelog)	==1.0.0.20260408 → ==1.0.0.20260508
types-protobuf (changelog)	==7.34.1.20260503 → ==7.34.1.20260508
zensical (changelog)	==0.0.39 → ==0.0.41

---

Release Notes

benoitc/gunicorn (gunicorn)

v26.0.0

Compare Source

Breaking Changes

• Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

• ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
• ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

• HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
  • Reject authority-form request-target outside CONNECT
  • Reject asterisk-form request-target outside OPTIONS
  • Reject relative-reference request-targets
• Header Field Hardening (RFC 9110):
  • Reject control characters in header field-value (section 5.5)
  • Reject forbidden trailer field-names (section 6.5.1)
  • Reject Content-Length list form (RFC 9112 section 6.3)
• Request Smuggling Hardening:
  • Tighten keepalive gate and scope finish_body byte cap
  • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
  • Address parser/protocol findings from a six-point WSGI/ASGI audit
• PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
• Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

• Body Framing on HEAD/204/304:
  • Keep Content-Length on HEAD and 304 responses (#​3621)
  • Drop body framing on HEAD/204/304 even when the framework set it
  • Warn once when an ASGI app emits a body for a no-body response
• HTTP/2 ASGI:
  • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
  • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#​3565)
• HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
• WebSocket Close Handshake (RFC 6455):
  • Comply with the close handshake state machine
  • Close the transport after the close handshake completes
  • Fix binary send when the text key is None
• Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#​3588).
• ASGI Framework Fixes:
  • Fix ASGI disconnect handling for Django-style apps
  • Fix Litestar request handling (use raw ASGI receive for body/headers)
  • Fix Litestar HTTP endpoints for compatibility tests
  • Fix Quart headers endpoint to normalize keys to lowercase
  • Fix Quart WebSocket close test app (missing accept())
  • Fix duplicate Transfer-Encoding header for BlackSheep streaming

Refactoring

• Split BodyReceiver._closed into separate transport and body-wait flags for clearer keepalive/EOF semantics.

Changes

• Fast HTTP Parser: Require gunicorn_h1c >= 0.6.5. Drop the last python_only test markers; the C extension is now used wherever available (CPython only; PyPy continues to use the Python parser).
• Test Dependencies: Add h2 and uvloop to the testing extra; remove eventlet.
• Docker Build: Bump GitHub Actions docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, and docker/metadata-action to current major versions.

Full changelog: benoitc/gunicorn@25.3.0...26.0.0

tombi-toml/tombi (tombi)

v0.11.1

Compare Source

What's Changed

🛠️ Other Changes

• Avoid holding document source locks in LSP handlers by @​ya7010 in #​1873
• refactor(lsp): extract workspace diagnostic modules by @​ya7010 in #​1874
• perf(lsp): cache workspace diagnostics by @​ya7010 in #​1876

Full Changelog: tombi-toml/tombi@v0.11.0...v0.11.1

v0.11.0

Compare Source

What's Changed

During the process of adding the files.respect-ignore-files option, the logic for disabling ignore files was fine-tuned.

🚨 Breaking Changes

• Add configuration option files.respect-ignore-files by @​ya7010 in #​1870

🛠️ Other Changes

• fix: update schema URL in catalog.json to use stable version by @​ya7010 in #​1863
• Revert "Remove unused TOML language server files and configurations" by @​ya7010 in #​1867
• zed-v0.2.5 by @​ya7010 in #​1868

Full Changelog: tombi-toml/tombi@v0.10.6...v0.11.0

v0.10.6

Compare Source

What's Changed

🐛 Bug Fixes

• Limit verbose logging to Tombi crates by @​ya7010 in #​1861

🛠️ Other Changes

• Move LSP store loading from initialize to initialized by @​ya7010 in #​1862

Full Changelog: tombi-toml/tombi@v0.10.5...v0.10.6

v0.10.5

Compare Source

What's Changed

🐛 Bug Fixes

• Show TOML keyword suggestions in VS Code by @​ya7010 in #​1859

🛠️ Other Changes

• clippy: fix needless_for_each lint by @​xtqqczze in #​1854
• Add workspace lints to all Cargo.toml files by @​xtqqczze in #​1855
• clippy: fix collapsible_match lint by @​xtqqczze in #​1856
• docs: remove sticky table header gap by @​ya7010 in #​1857
• Fix docs table sticky header path by @​ya7010 in #​1858

Full Changelog: tombi-toml/tombi@v0.10.4...v0.10.5

v0.10.4

Compare Source

What's Changed

🐛 Bug Fixes

• fix(lsp): refresh workspace pull diagnostics by @​ya7010 in #​1853

🛠️ Other Changes

• refactor: Replace Vec::with_capacity(0) with Vec::new() by @​xtqqczze in #​1851
• clippy: fix explicit_counter_loop lint by @​xtqqczze in #​1852

New Contributors

• @​xtqqczze made their first contribution in #​1851

Full Changelog: tombi-toml/tombi@v0.10.3...v0.10.4

v0.10.3

Compare Source

What's Changed

🚀 New Features

• feat(hover): show latest package version by @​ya7010 in #​1831

🐛 Bug Fixes

• Fix root table ordering when schema rule is disabled by @​ya7010 in #​1830
• fix: reuse cargo feature completion edit helper by @​ya7010 in #​1835
• fix: sort cargo version completions by semver precedence by @​ya7010 in #​1841
• fix: align optional dependency definitions with optional value by @​ya7010 in #​1846
• fix: expand optional dependency definition range by @​ya7010 in #​1847
• fix: limit optional dependency reference scope by @​ya7010 in #​1848

👒 Dependencies

• chore: add maturin to Python dev dependencies by @​ya7010 in #​1833

🛠️ Other Changes

• Show PyPI metadata for build requirements by @​ya7010 in #​1832
• Update generated JSON schema by @​ya7010 in #​1834
• Enable dependency references in LSP configurations for cargo and pyproject by @​ya7010 in #​1836
• refactor: move TestCacheHome into tombi-test-lib by @​ya7010 in #​1838
• Add dependency update code actions by @​ya7010 in #​1837
• Show latest version in Cargo version hover by @​ya7010 in #​1840
• Fix cargo dependency version hover metadata by @​ya7010 in #​1843
• Refactor version update logic and remove deprecated function by @​ya7010 in #​1842
• Update dependencies and enhance JSON schema directives with default values by @​ya7010 in #​1844
• docs: clarify TestCacheHome usage in agent rules by @​ya7010 in #​1845
• Add verbose logging section to VSCode extension documentation by @​ya7010 in #​1850
• docs: add dependency update code action config by @​ya7010 in #​1849

Full Changelog: tombi-toml/tombi@v0.10.2...v0.10.3

astral-sh/ty (ty)

v0.0.35

Compare Source

Released on 2026-05-10.

Bug fixes

• Allow ParamSpec specialization through unioned generic classes (#​24826)
• Fix cross-file find-references for keyword arguments (#​25043)
• Fix comparison between negative and positive literal integers (#​25023)
• Reject dataclass decorator parameters based on supported Python version (#​25029)

LSP server

• Adjust start of block folding range to preserve visible header for character-precise LSP clients. (#​24917)
• Emit folding ranges from the language server for multi-line block headers. (#​24978)
• Skip global search for references if identifier is not externally visible (#​25033)
• Speed-up find-references by using multithreading for cross-file searches (#​25042)

CLI

• Include severity in JUnit diagnostics (#​25080)

Core type checking

• Check non-generic overload implementations (#​24936)
• Expand support for narrowing within walruses (#​24968)
• Filter overloads based on return type for ParamSpec mapping (#​24769)
• Improve support for recursive types (#​24773)
• Include TypedDict type context when inferring mixed constructors (#​25039)
• Include TypedDict type context when inferring string keys (#​25037)
• Preserve NewType and TypeAliasType in implicit aliases (#​25072)
• Provide type cntext for generator expression yields (#​25069)
• Provide type context for boolean operands (#​25070)
• Selectively promote a union of homogeneous fixed-length tuples to a single variadic tuple (#​24705)
• Support narrowing on __class__ checks (#​24997)
• Use more precise exception types when catching a union (#​25076)

Diagnostics

• Include error context for overload consistency diagnostics (#​24950)

Performance

• Cache results in desperate module resolution (#​24977)
• Lazily initialize builder when transforming a union type (#​24929)
• Project reachability constraints before narrowing (#​24982)
• Skip parameter accumulation for object variadics (#​24976)

Contributors

• @​MichaReiser
• @​mtshiba
• @​dylwil3
• @​lerebear
• @​carljm
• @​charliermarsh
• @​dhruvmanila

zensical/zensical (zensical)

v0.0.41: 0.0.41

Compare Source

Summary

This version adds support for integrating tabular data as Markdown tables, covering the functionality of the mkdocs-table-reader-plugin, as well as the watch option to automatically rebuild on changes in unmonitored files. Table reading is implemented as part of macros, which we shipped in 0.0.40. You can now embed CSV and other file formats with:

{{ read_csv("data/team.csv") }}

Additionally, the stability of link validation has been drastically improved, reducing the rate of false positives. We're working on support for validating links using autorefs, which we'll provide in one of the next versions.

Changelog

Features

• d24ea24 compat – support table reader functionality
• 2cbb33d compat – support watch option (#​643)

Bug fixes

• 9e466fc ui – update ui to v0.0.17
• bee1c3f compat – give higher priority than superfences to macros preprocessor (#​638)

Refactorings

• 67b6ef1 compat – make extensions consistent
• bf26d1b zensical, compat – implement parser for link validation

v0.0.40: 0.0.40

Compare Source

Summary

This version adds support for macros, covering the functionality of the mkdocs-macros-plugin. Macros allow you to define custom variables and functions that can be used in your Markdown files, making it easier to manage and reuse content across your documentation.

We've implemented macros support as a Python Markdown extension, since it's essentially a Markdown preprocessor that doesn't need to be aware of the rest of Zensical's rendering process, except for the current page and configuration. The benefit is that it can now also be used in Python docstrings to build API documentation with mkdocstrings.

Changelog

Features

• 36b5131 compat – exclude macros blocks from link validation
• f7fe088 compat – support macros plugin

Bug fixes

• bdc3471 ui – update ui to v0.0.16
• 4be2374 compat – link validation doesn't catch end of MathJax when \r present (#​615)
• c6cffec compat – link validation exclusions don't catch \r\n line feeds
• 6efe0a3 compat – link validation exclusions require empty line after code block (#​618)
• 645bbe8 zensical – clear site directory contents instead of removing it (#​621)
• 814d2e9 zensical – link validation yields false positives on Windows (#​616)
• b229bac zensical-serve – zensical serve returns 404 after suspend (#​574)
• b5492ce compat – shim for mkdocs-glightbox fails when only defaults are set (#​611)

Refactorings

• 91090e9 zensical, compat – combine file watching for extensions
• b2fdc78 zensical, compat – pass rendering context into preprocessor

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.