Skip to content

chore(deps): bump the python-packages group with 7 updates#15

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/python-packages-a258a32414
Closed

chore(deps): bump the python-packages group with 7 updates#15
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/python-packages-a258a32414

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 6, 2026
edited
Loading

Bumps the python-packages group with 7 updates:

Package From To
attrs 25.4.0 26.1.0
django 5.2.10 5.2.12
djangorestframework 3.16.1 3.17.1
dependency-injector 4.48.3 4.49.0
gunicorn 23.0.0 25.3.0
mypy 1.19.1 1.20.0
django-stubs 6.0.1 6.0.2

Updates attrs from 25.4.0 to 26.1.0

Release notes

Sourced from attrs's releases.

26.1.0

Highlights

The main outward change here only affects people using field transformers, but it should be a nice quality of life improvement!

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Kraken Tech (@kraken-tech), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Ecosystems (@ecosyste-ms), TestMu AI Open Source Office (Formerly LambdaTest) (@LambdaTest-Inc), Doist (@Doist), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Celebrity News AG (@celebritynewsag), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Full Changelog

Backwards-incompatible Changes

  • Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

  • Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
  • The attrs.validators.disabled() contextmanager can now be nested. #1513
  • Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
  • It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529

This release contains contributions from @​bysiber, @​DavidCEllis, @​finite-state-machine, @​hynek, @​veeceey, and @​vstinner.

Artifact Attestations

You can verify this release's artifact attestions using GitHub's CLI tool by downloading the sdist and wheel from PyPI and running:

$ gh attestation verify --owner python-attrs attrs-26.1.0.tar.gz

... (truncated)

Changelog

Sourced from attrs's changelog.

26.1.0 - 2026-03-19

Backwards-incompatible Changes

  • Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None. The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False). #1509

Changes

  • Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator. #1496
  • The attrs.validators.disabled() contextmanager can now be nested. #1513
  • Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None. #1515
  • It's now possible to pass attrs instances in addition to attrs classes to attrs.fields(). #1529
Commits
  • 7bfc49e Prepare 26.1.0
  • 31e0286 Update test_validators.py for Python 3.15a7 (#1530)
  • 48b8611 Add instance support to attrs.fields() (#1529)
  • 3a68d49 dev: document missing git tags failure mode
  • a572c3a Allow field(on_setattr=NO_OP) on frozen classes
  • af9c510 Fix validators.disabled() to save/restore state on nesting (#1513)
  • ab7f8b2 update dev
  • ce89f5d Fix message passing in frozen errors
  • eccd966 Fix optional validator to accept tuples of len > 1 (#1496)
  • e92fe52 policies: tighten screws (#1528)
  • Additional commits viewable in compare view

Updates django from 5.2.10 to 5.2.12

Commits
  • 4f382ca [5.2.x] Bumped version for 5.2.12 release.
  • b07ed2a [5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions o...
  • 4d3c184 [5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.
  • 94e7f17 [5.2.x] Refs #36944 -- Added missing versionchanged annotation for MAX_LENGTH...
  • 951fe8b [5.2.x] Pinned black == 25.12.0 for black docs checks and ensured they pass.
  • 1db60ed [5.2.x] Aligned docs checks between GitHub Actions and local development.
  • 703777c [5.2.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit re...
  • a73eed2 [5.2.x] Pinned black == 25.12.0 in GitHub actions, pre-commit and test requir...
  • 490e495 [5.2.x] Bumped minimum isort version to 7.0.0.
  • 2bc009b [5.2.x] Added stub release notes and release date for 5.2.12 and 4.2.29.
  • Additional commits viewable in compare view

Updates djangorestframework from 3.16.1 to 3.17.1

Release notes

Sourced from djangorestframework's releases.

3.17.1

What's Changed

Bug fixes

Full Changelog: encode/django-rest-framework@3.17.0...3.17.1

3.17.0

What's Changed

Breaking changes

Features

Bug fixes

Translations

Packaging

Other changes

New Contributors

... (truncated)

Commits
  • 22e231c Prepare bug fix release 3.17.1 (#9931)
  • 8e99b53 Add condition to skip pushed tags from forks (#9924)
  • c0407de Fix HTMLFormRenderer with empty datetime values (#9928)
  • 30d58a7 Fix the book sizing in the documentation (#9926)
  • 6f03b79 Tweak order of changes in release notes
  • 021ab56 Bump version and update release notes for 3.17.0 (#9921)
  • 19ebad7 Bump mkdocs-material[imaging] from 9.7.4 to 9.7.5 (#9923)
  • f222c55 Correct requires-python key in pyproject.toml
  • 7e7de6f Remove code fences from release checklist
  • c599d30 Update release process
  • Additional commits viewable in compare view

Updates dependency-injector from 4.48.3 to 4.49.0

Release notes

Sourced from dependency-injector's releases.

4.49.0

What's Changed

New Contributors

Full Changelog: ets-labs/python-dependency-injector@4.48.3...4.49.0

Commits

Updates gunicorn from 23.0.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

  • HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

  • ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

  • HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

  • Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

  • Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

  • ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
    • Reject duplicate Content-Length headers
    • Reject requests with both Content-Length and Transfer-Encoding
    • Reject chunked transfer encoding in HTTP/1.0
    • Reject stacked chunked encoding
    • Validate Transfer-Encoding values
    • Strict chunk size validation

Changes

  • Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

  • ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

  • Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

  • Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
    • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
    • Falls back to Python parser in auto mode if version not met
    • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

  • uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits
  • 9bce72c Update changelog with missing 25.3.0 changes
  • 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
  • 8d08aaa Fix --limit-request-line 0 to mean unlimited
  • d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
  • da8bd48 Remove unused AsyncRequest class
  • b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
  • bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
  • 7057fc9 Fix http_protocols documentation to use string syntax
  • d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
  • cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
  • Additional commits viewable in compare view

Updates mypy from 1.19.1 to 1.20.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.20

We’ve just uploaded mypy 1.20.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Planned Changes to Defaults and Flags in Mypy 2.0

As a reminder, we are planning to enable --local-partial-types by default in mypy 2.0, which will likely be the next feature release. This will often require at least minor code changes. This option is implicitly enabled by mypy daemon, so this makes the behavior of daemon and non-daemon modes consistent.

Note that this release improves the compatibility of --local-partial-types significantly to make the switch easier (see below for more).

This can also be configured in a mypy configuration file (use False to disable):

local_partial_types = True

For more information, refer to the documentation.

We will also enable --strict-bytes by default in mypy 2.0. This usually requires at most minor code changes to adopt. For more information, refer to the documentation.

Finally, --allow-redefinition-new will be renamed to --allow-redefinition. If you want to continue using the older --allow-redefinition semantics which are less flexible (e.g. limited support for conditional redefinitions), you can switch to --allow-redefinition-old, which is currently supported as an alias to the legacy --allow-redefinition behavior. To use --allow-redefinition in the upcoming mypy 2.0, you can't use --no-local-partial-types. For more information, refer to the documentation.

Better Type Narrowing

Mypy's implementation of narrowing has been substantially reworked. Mypy will now narrow more aggressively, more consistently, and more correctly. In particular, you are likely to notice new narrowing behavior in equality expressions (==), containment expressions (in),

... (truncated)

Commits
  • 770d3ca Remove +dev from version
  • 4738ffa Changelog updates for 1.20 (#21109)
  • b4f07a7 Use 'native-parser' instead of 'native-parse' for optional dependency (#21115)
  • 7bec7b7 [mypyc] Document librt and librt.base64 (#21114)
  • c482596 --allow-redefinition-new is no longer experimental (#21110)
  • c916ca3 sdist: include misc/{diff-cache,apply-cache-diff}.py for `mypy/test/test_di...
  • b137e4e [mypyc] Speed up native-to-native imports within the same group (#21101)
  • 978b711 [mypyc] Fix range loop variable off-by-one after loop exit (#21098)
  • 67ada30 [stubtest] Check runtime availability of private types not marked `@type_chec...
  • bdef6ef librt cache tests: build respecting MYPY_TEST_PREFIX (#21097)
  • Additional commits viewable in compare view

Updates django-stubs from 6.0.1 to 6.0.2

Commits
  • 44df163 Version 6.0.2 release (#3254)
  • 28eafd8 Update dependency mypy to >=1.13,<1.21 & fix tests (#3252)
  • 047a72f chore(deps): update dependency pyrefly to v0.59.0 (#3251)
  • f2ff7ca chore(deps): update dependency ty to v0.0.27 (#3249)
  • b73fe6e Use newer syntax and enable more mypy configuration options (#3203)
  • 925fbda Resolve .values() field types on annotated querysets (#3232)
  • 29e03bb Use getattr for field.attname with fallback to field.name (#3248)
  • 0867431 Bump pygments from 2.19.2 to 2.20.0 (#3246)
  • 1151636 [pre-commit.ci] pre-commit autoupdate (#3245)
  • 1f73fcf Disallow mutually exclusive arguments boolean and empty_value in admin `d...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the python-packages group with 7 updates
ac2a5a8 
Bumps the python-packages group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [attrs](https://github.com/python-attrs/attrs) | `25.4.0` | `26.1.0` |
| [django](https://github.com/django/django) | `5.2.10` | `5.2.12` |
| [djangorestframework](https://github.com/encode/django-rest-framework) | `3.16.1` | `3.17.1` |
| [dependency-injector](https://github.com/ets-labs/python-dependency-injector) | `4.48.3` | `4.49.0` |
| [gunicorn](https://github.com/benoitc/gunicorn) | `23.0.0` | `25.3.0` |
| [mypy](https://github.com/python/mypy) | `1.19.1` | `1.20.0` |
| [django-stubs](https://github.com/typeddjango/django-stubs) | `6.0.1` | `6.0.2` |


Updates `attrs` from 25.4.0 to 26.1.0
- [Release notes](https://github.com/python-attrs/attrs/releases)
- [Changelog](https://github.com/python-attrs/attrs/blob/main/CHANGELOG.md)
- [Commits](python-attrs/attrs@25.4.0...26.1.0)

Updates `django` from 5.2.10 to 5.2.12
- [Commits](django/django@5.2.10...5.2.12)

Updates `djangorestframework` from 3.16.1 to 3.17.1
- [Release notes](https://github.com/encode/django-rest-framework/releases)
- [Commits](encode/django-rest-framework@3.16.1...3.17.1)

Updates `dependency-injector` from 4.48.3 to 4.49.0
- [Release notes](https://github.com/ets-labs/python-dependency-injector/releases)
- [Commits](ets-labs/python-dependency-injector@4.48.3...4.49.0)

Updates `gunicorn` from 23.0.0 to 25.3.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@23.0.0...25.3.0)

Updates `mypy` from 1.19.1 to 1.20.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.19.1...v1.20.0)

Updates `django-stubs` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/typeddjango/django-stubs/releases)
- [Commits](typeddjango/django-stubs@6.0.1...6.0.2)

---
updated-dependencies:
- dependency-name: attrs
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-packages
- dependency-name: django
  dependency-version: 5.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: djangorestframework
  dependency-version: 3.17.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: dependency-injector
  dependency-version: 4.49.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: gunicorn
  dependency-version: 25.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-packages
- dependency-name: mypy
  dependency-version: 1.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-packages
- dependency-name: django-stubs
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 6, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 13, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 13, 2026
@dependabot dependabot Bot deleted the dependabot/pip/python-packages-a258a32414 branch April 13, 2026 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants