chore(deps): bump the pip-version-updates group across 1 directory with 7 updates

[dependabot]

Bumps the pip-version-updates group with 7 updates in the / directory:

Package	From	To
fastapi	0.128.0	0.128.7
authlib	1.6.6	1.6.7
uvicorn	0.39.0	0.40.0
pytest	8.4.2	9.0.2
ruff	0.14.13	0.15.0
fawltydeps	0.19.0	0.20.0
ty	0.0.13	0.0.16

Updates fastapi from 0.128.0 to 0.128.7

Release notes

Sourced from fastapi's releases.

0.128.7

Features

• ✨ Show a clear error on attempt to include router into itself. PR #14258 by @​JavierSanchezCastro.
• ✨ Replace dict by Mapping on HTTPException.headers. PR #12997 by @​rijenkii.

Refactors

• ♻️ Simplify reading files in memory, do it sequentially instead of (fake) parallel. PR #14884 by @​tiangolo.

Docs

• 📝 Use dfn tag for definitions instead of abbr in docs. PR #14744 by @​YuriiMotov.

Internal

• ✅ Tweak comment in test to reference PR. PR #14885 by @​tiangolo.
• 🔧 Update LLM-prompt for abbr and dfn tags. PR #14747 by @​YuriiMotov.
• ✅ Test order for the submitted byte Files. PR #14828 by @​valentinDruzhinin.
• 🔧 Configure test workflow to run tests with inline-snapshot=review. PR #14876 by @​YuriiMotov.

0.128.6

Fixes

• 🐛 Fix on_startup and on_shutdown parameters of APIRouter. PR #14873 by @​YuriiMotov.

Translations

• 🌐 Update translations for zh (update-outdated). PR #14843 by @​tiangolo.

Internal

• ✅ Fix parameterized tests with snapshots. PR #14875 by @​YuriiMotov.

0.128.5

Refactors

• ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal utils. PR #14862 by @​tiangolo.

Internal

• ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic v2. PR #14864 by @​tiangolo.

0.128.4

Refactors

• ♻️ Refactor internals, simplify Pydantic v2/v1 utils, create_model_field, better types for lenient_issubclass. PR #14860 by @​tiangolo.
• ♻️ Simplify internals, remove Pydantic v1 only logic, no longer needed. PR #14857 by @​tiangolo.
• ♻️ Refactor internals, cleanup unneeded Pydantic v1 specific logic. PR #14856 by @​tiangolo.

... (truncated)

Commits

• 8f82c94 🔖 Release version 0.128.7
• 5bb3423 📝 Update release notes
• 6ce5e3e ✅ Tweak comment in test to reference PR (#14885)
• 65da3dd 📝 Update release notes
• 81f82fd 🔧 Update LLM-prompt for abbr and dfn tags (#14747)
• ff72101 📝 Update release notes
• ca76a4e 📝 Use dfn tag for definitions instead of abbr in docs (#14744)
• 1133a45 📝 Update release notes
• 38f9659 ✅ Test order for the submitted byte Files (#14828)
• 3f1cc8f 📝 Update release notes
• Additional commits viewable in compare view

Updates authlib from 1.6.6 to 1.6.7

Release notes

Sourced from authlib's releases.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

• Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
• Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
• Stop support for Python 3.9, start support Python 3.14. :pr:850
• Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
• Fix expires_at=0 being incorrectly treated as None. :issue:530
• Allow ResourceProtector decorator to be used without parentheses. :issue:604

Upgrade Guide: :ref:joserfc_upgrade.

Commits

• 38e872a chore: release 1.6.7
• b87c32e fix: remove "none" algorithm from default jwt instance
• See full diff in compare view

Updates uvicorn from 0.39.0 to 0.40.0

Release notes

Sourced from uvicorn's releases.

Version 0.40.0

What's Changed

• Drop Python 3.9 by @​Kludex in Kludex/uvicorn#2772

Full Changelog: Kludex/uvicorn@0.39.0...0.40.0

Changelog

Sourced from uvicorn's changelog.

0.40.0 (December 21, 2025)

Remove

• Drop support for Python 3.9 (#2772)

Commits

• 9ff6004 Version 0.40.0 (#2773)
• 19df042 Drop Python 3.9 (#2772)
• 865ce7c Run strict mypy on test suite (#2771)
• See full diff in compare view

Updates pytest from 8.4.2 to 9.0.2

Release notes

Sourced from pytest's releases.

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

• #13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

• #4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

9.0.1

pytest 9.0.1 (2025-11-12)

Bug fixes

• #13895: Restore support for skipping tests via raise unittest.SkipTest.
• #13896: The terminal progress plugin added in pytest 9.0 is now automatically disabled when iTerm2 is detected, it generated desktop notifications instead of the desired functionality.
• #13904: Fixed the TOML type of the verbosity settings in the API reference from number to string.
• #13910: Fixed UserWarning: Do not expect file_or_dir on some earlier Python 3.12 and 3.13 point versions.

Packaging updates and notes for downstreams

• #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

Contributor-facing changes

• #13891, #13942: The CI/CD part of the release automation is now capable of creating GitHub Releases without having a Git checkout on disk -- by bluetech and webknjaz.
• #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

... (truncated)

Commits

• 3d10b51 Prepare release version 9.0.2
• 188750b Merge pull request #14030 from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...
• b7d7bef Merge pull request #14014 from bluetech/compat-note
• bd08e85 Merge pull request #14013 from pytest-dev/patchback/backports/9.0.x/922b60377...
• bc78386 Add CLI options reference documentation (#13930)
• 5a4e398 Fix docs typo (#14005) (#14008)
• d7ae6df Merge pull request #14006 from pytest-dev/maintenance/update-plugin-list-tmpl...
• 556f6a2 pre-commit: fix rst-lint after new release (#13999) (#14001)
• c60fbe6 Fix quadratic-time behavior when handling unittest subtests in Python 3.10 ...
• 73d9b01 Merge pull request #13995 from nicoddemus/patchback/backports/9.0.x/1b5200c0f...
• Additional commits viewable in compare view

Updates ruff from 0.14.13 to 0.15.0

Release notes

Sourced from ruff's releases.

0.15.0

Release Notes

Released on 2026-02-03.

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Ruff now formats your code according to the 2026 style guide. See the formatter section below or in the blog post for a detailed list of changes.

• The linter now supports block suppression comments. For example, to suppress N803 for all parameters in this function:

  # ruff: disable[N803]
  def foo(
      legacyArg1,
      legacyArg2,
      legacyArg3,
      legacyArg4,
  ): ...
  # ruff: enable[N803]

  See the documentation for more details.

• The ruff:alpine Docker image is now based on Alpine 3.23 (up from 3.21).

• The ruff:debian and ruff:debian-slim Docker images are now based on Debian 13 "Trixie" instead of Debian 12 "Bookworm."

• Binaries for the ppc64 (64-bit big-endian PowerPC) architecture are no longer included in our releases. It should still be possible to build Ruff manually for this platform, if needed.

• Ruff now resolves all extended configuration files before falling back on a default Python version.

Stabilization

The following rules have been stabilized and are no longer in preview:

• blocking-http-call-httpx-in-async-function (ASYNC212)
• blocking-path-method-in-async-function (ASYNC240)
• blocking-input-in-async-function (ASYNC250)
• map-without-explicit-strict (B912)
• if-exp-instead-of-or-operator (FURB110)
• single-item-membership-test (FURB171)
• missing-maxsplit-arg (PLC0207)
• unnecessary-lambda (PLW0108)
• unnecessary-empty-iterable-within-deque-call (RUF037)
• in-empty-collection (RUF060)
• legacy-form-pytest-raises (RUF061)
• non-octal-permissions (RUF064)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.0

Released on 2026-02-03.

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Ruff now formats your code according to the 2026 style guide. See the formatter section below or in the blog post for a detailed list of changes.

• The linter now supports block suppression comments. For example, to suppress N803 for all parameters in this function:

  # ruff: disable[N803]
  def foo(
      legacyArg1,
      legacyArg2,
      legacyArg3,
      legacyArg4,
  ): ...
  # ruff: enable[N803]

  See the documentation for more details.

• The ruff:alpine Docker image is now based on Alpine 3.23 (up from 3.21).

• The ruff:debian and ruff:debian-slim Docker images are now based on Debian 13 "Trixie" instead of Debian 12 "Bookworm."

• Binaries for the ppc64 (64-bit big-endian PowerPC) architecture are no longer included in our releases. It should still be possible to build Ruff manually for this platform, if needed.

• Ruff now resolves all extended configuration files before falling back on a default Python version.

Stabilization

The following rules have been stabilized and are no longer in preview:

• blocking-http-call-httpx-in-async-function (ASYNC212)
• blocking-path-method-in-async-function (ASYNC240)
• blocking-input-in-async-function (ASYNC250)
• map-without-explicit-strict (B912)
• if-exp-instead-of-or-operator (FURB110)
• single-item-membership-test (FURB171)

... (truncated)

Commits

• ce5f7b6 Bump 0.15.0 (#23055)
• b4e40f5 [ty] Fix __contains__ to respect descriptors (#23056)
• 848cb72 [ty] Fix narrowing of nonlocal variables with conditional assignments (#22966)
• da7f33a [ty] Add a diagnostic for Final without assignment (#23001)
• e65f9a6 Document markdown formatting feature (#22990)
• c0c1b98 Format markdown code blocks with line-by-line regex parse (#22996)
• 9f8f3e1 Allow positional-only params with defaults in method overrides (#23037)
• ef83810 [ty] ecosystem-analyzer: Support bare git repositories (#23054)
• 54dfee4 Customize where the fix_title sub-diagnostic appears (#23044)
• b534607 2026 Ruff Formatter Style (#22735)
• Additional commits viewable in compare view

Updates fawltydeps from 0.19.0 to 0.20.0

Release notes

Sourced from fawltydeps's releases.

v0.20.0

As we're nearing the release of v1.0, here is an update with various quality-of-life improvements.

Suggesting package names for undeclared dependencies

When FawltyDeps finds a 3rd-party import that is not declared, it will output that import name as an undeclared dependency. But as we've talked about before, import names in Python are not necessarily synonymous with the package names that you would have to declare in order to make those import names available.

For example, if you import sklearn in your code, it might not be obvious that the corresponding dependency declaration should be scikit-learn, and not sklearn.

Starting with this version, if you run FawltyDeps with the --detailed option, and if there happens to be one or more (undeclared) packages in your Python environment that provide the relevant import name, then FawltyDeps will suggest these packages as potential solutions to your undeclared dependency.

For the sklearn/scikit-learn example:

These imports appear to be undeclared dependencies:
- 'sklearn'
    imported at:
      some/file.py:123
    may be provided by these packages:
      'scikit-learn'

New option to control where FawltyDeps looks for 1st-party imports

By default (and before this release) FawltyDeps looks at the paths on the command-line to deduce where 1st-party imports (i.e. your project's own modules) can be found. In some corner cases this deduction fails, and the result is typically that a 1st-party import is flagged by FawltyDeps as an undeclared dependency.

The new --base-dir allows you to control where FawltyDeps looks for 1st-party imports, and it can help fix those cases where the default deduction fails, for example in cases where you are passing individual file names (instead of directory names) on the FawltyDeps command line.

We have a new section in our FAQ to more precisely describe how the new option works, and when it's needed.

Thanks to our new co-maintainer @​layus for suggesting and contributing both of the above improvements!

Otherwise

This release also includes various quality-of-life improvements for us maintainers, not necessarily user visible:

• We now have CodeQL and actionlint checks running in our CI pipeline, thanks to @​smelc 🎉
• Improved documentation
• Various internal cleanups and modernizations

What's Changed

• Expand user defined mapping documentation. by @​obscurerichard in tweag/FawltyDeps#480
• Follow-up after removing support for Python v3.8 by @​jherland in tweag/FawltyDeps#475
• Work around top-level venv special case by @​jherland in tweag/FawltyDeps#468
• Upgrade project declarations in pyproject.toml by @​jherland in tweag/FawltyDeps#481
• Suggest package names for undeclared imports, when possible by @​jherland in tweag/FawltyDeps#470
• CI: call actionlint to check workflow files by @​smelc in tweag/FawltyDeps#485
• Add support for *-wildcards in ignore-undeclared and ignore-unused by @​jherland in tweag/FawltyDeps#479
• RFC/Follow-up to actionlint CI action by @​jherland in tweag/FawltyDeps#488
• Follow-up to #484: Add a --base-dir option by @​jherland in tweag/FawltyDeps#489
• CI: run CodeQL by @​smelc in tweag/FawltyDeps#487
• CI: call the CodeQL workflow from the main workflow file by @​smelc in tweag/FawltyDeps#491

... (truncated)

Commits

• c0ed1a1 Bump version to v0.20.0
• b0c9d77 test_sample_projects: Fix incorrect type annotation, found by new Mypy
• 437361e Bump minimum Python version to allow update of transitive dependency
• 3e8636a Update lock file, re-pin dependencies
• b7208c7 extract_imports.parse_source: Improve interaction with dirs_between()
• d7be28c extract_imports.parse_source(): Fix case when base_dir is not a parent
• 7b581f8 test_extract_imports_simple: Add failing test case for issue #490
• de7c126 test_extract_imports_simple: Reformat test vectors with dataclass
• 4ea2c22 CI: call the CodeQL workflow from the main workflow file
• ce4b485 Rename codeql.yml to use the yaml extension
• Additional commits viewable in compare view

Updates ty from 0.0.13 to 0.0.16

Release notes

Sourced from ty's releases.

0.0.16

Release Notes

Released on 2026-02-10.

Bug fixes

• Allow stringified argument in PEP-613 alias to Optional (#23200)
• Fix fuzzer panic on slice expression in unclosed comprehension (#23146)
• Fix combinatorial explosion due to fixed-length tuple expansion in overload matching (#23190)
• Respect @no_type_check when combined with other decorators (#23177)
• Fix diagnostic location for an incorrect sub-call to a specialized ParamSpec (#23036)

LSP server

• Assign lower completions ranking to deprecated functions and classes (#23089)
• Change goto-def for class constructors to always go to class definition (#23071)
• Ensure diagnostic mode is consistent across projects inside the LSP server (#23121)
• Don't include the class Foo in autocomplete suggestions when the user is typing out Foo's bases (#23141)
• Fix parameter references across files via keyword args (#23012)
• Fix wrong inlay hints for overloaded function arguments (#23179)
• Support diagnostics in newly created files inside neovim (#23095)
• Exclude already-included classes when providing completion suggestions for class bases (#23085)

CLI

• Add support for TY_OUTPUT_FORMAT environment variable (#23123)
• Fall back to python3 found in $PATH if no environment is found (#22843)

Type checking

• Add inconsistent-mro autofix to move Generic[] to the end of the bases list (#22998)
• Add precise return-type inference for struct.unpack (#22562, #23130)
• Disallow TypeVars within ClassVars (#23184)
• Emit diagnostic on unbound call to abstract @classmethod or @staticmethod (#23182)
• Fix false-positive diagnostics when providing the total= keyword to TypedDict classes that had PEP-695 type parameters (#23114)
• Narrow both left- and right-hand operands where possible (#23084)
• Narrow chained operators (#23093)
• Narrow equality subscripts on either operand (#23104)
• Recognize __dataclass_transform__ to support SQLModel (#23070)
• Relax the attribute narrowing condition to support deeper-nested attribute type narrowing (#22440)
• Support constrained TypeVar compatibility across function boundaries (#23103)
• Support comparison methods (__gt__, etc.) where a parameter is annotated with a Literal type (#23100)
• Support partially specialized type context (#22748)
• Use type context when inferring constructor argument types (#23139)
• Validate TypedDict constructor calls for generic aliases and type[...] targets (#23113)

Performance

• Conservative narrowing places optimization (#22734)

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.16

Released on 2026-02-10.

Bug fixes

• Allow stringified argument in PEP-613 alias to Optional (#23200)
• Fix fuzzer panic on slice expression in unclosed comprehension (#23146)
• Fix combinatorial explosion due to fixed-length tuple expansion in overload matching (#23190)
• Respect @no_type_check when combined with other decorators (#23177)
• Fix diagnostic location for an incorrect sub-call to a specialized ParamSpec (#23036)

LSP server

• Assign lower completions ranking to deprecated functions and classes (#23089)
• Change goto-def for class constructors to always go to class definition (#23071)
• Ensure diagnostic mode is consistent across projects inside the LSP server (#23121)
• Don't include the class Foo in autocomplete suggestions when the user is typing out Foo's bases (#23141)
• Fix parameter references across files via keyword args (#23012)
• Fix wrong inlay hints for overloaded function arguments (#23179)
• Support diagnostics in newly created files inside neovim (#23095)
• Exclude already-included classes when providing completion suggestions for class bases (#23085)

CLI

• Add support for TY_OUTPUT_FORMAT environment variable (#23123)
• Fall back to python3 found in $PATH if no environment is found (#22843)

Type checking

• Add inconsistent-mro autofix to move Generic[] to the end of the bases list (#22998)
• Add precise return-type inference for struct.unpack (#22562, #23130)
• Disallow TypeVars within ClassVars (#23184)
• Emit diagnostic on unbound call to abstract @classmethod or @staticmethod (#23182)
• Fix false-positive diagnostics when providing the total= keyword to TypedDict classes that had PEP-695 type parameters (#23114)
• Narrow both left- and right-hand operands where possible (#23084)
• Narrow chained operators (#23093)
• Narrow equality subscripts on either operand (#23104)
• Recognize __dataclass_transform__ to support SQLModel (#23070)
• Relax the attribute narrowing condition to support deeper-nested attribute type narrowing (#22440)
• Support constrained TypeVar compatibility across function boundaries (#23103)
• Support comparison methods (__gt__, etc.) where a parameter is annotated with a Literal type (#23100)
• Support partially specialized type context (#22748)
• Use type context when inferring constructor argument types (#23139)
• Validate TypedDict constructor calls for generic aliases and type[...] targets (#23113)

Performance

• Conservative narrowing places optimization (#22734)

... (truncated)

Commits

• e96ea4c Bump version to 0.0.16 (#2779)
• b393d32 Update docker/login-action action to v3.7.0 (#2754)
• 532b111 Update actions/cache action to v5.0.3 (#2751)
• 61b0376 Update astral-sh/setup-uv action to v7.3.0 (#2753)
• 216f8dc Update prek dependencies (#2752)
• 044af7f FAQ: Why doesn't ty warn about missing type annotations? (#2721)
• eb43dff Bump version to 0.0.15 (#2717)
• 338058b Add instructions for how to run ty with Bazel (#2711)
• deed12c Fix ty version reporting in Docker distributions (#2702)
• 3f490fa Document configuration option for setting level for all rules (#2691)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions