Skip to content

chore(deps): bump the uv group across 1 directory with 11 updates#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-2f96932453
Open

chore(deps): bump the uv group across 1 directory with 11 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/uv-2f96932453

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown

Bumps the uv group with 10 updates in the / directory:

Package From To
langchain-openai 1.1.10 1.1.14
langsmith 0.7.30 0.8.0
pytest 9.0.2 9.0.3
poetry 2.3.2 2.3.4
cryptography 44.0.3 48.0.1
dulwich 1.1.0 1.2.5
idna 3.11 3.15
python-dotenv 1.2.1 1.2.2
requests 2.32.5 2.33.0
urllib3 2.6.3 2.7.0

Updates langchain-openai from 1.1.10 to 1.1.14

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.1.14

Changes since langchain-openai==1.1.13

release(openai): 1.1.14 (#36820) fix(openai): use SSRF-safe transport for image token counting (#36819) chore(deps): bump pytest to 9.0.3 (#36801) chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/openai (#36795) chore: bump pillow from 12.1.1 to 12.2.0 in /libs/partners/openai (#36777)

langchain-openai==1.1.13

Changes since langchain-openai==1.1.12

release(openai): 1.1.13 (#36729) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore(model-profiles): refresh model profile data (#36539) chore(openai): fix broken vcr cassette playback and add ci guard (#36502) fix(openai,groq,openrouter): use is-not-None checks in usage metadata token extraction (#36500) fix(core): fixed typos in the documentation (#36459) chore(model-profiles): refresh model profile data (#36455) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) chore(model-profiles): refresh model profile data (#36368) fix(openai): update computer call test (#36352) fix(openai): let user-provided User-Agent override the Azure default (#35523) chore: bump requests from 2.32.5 to 2.33.0 in /libs/partners/openai (#36248)

Commits
  • b7447c6 fix(infra): skip serdes tests in min-version release step (#36818)
  • 41c0cc5 release(openai): 1.1.14 (#36820)
  • 0516156 fix(openai): use SSRF-safe transport for image token counting (#36819)
  • 338aa81 fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#3...
  • 51e9548 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/text-splitters (#36797)
  • e85c418 chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/model-profiles (#36798)
  • 789126e chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/standard-tests (#36799)
  • 937b3eb chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/langchain_v1 (#36800)
  • a06c205 ci(infra): validate issue checkboxes by section (#36811)
  • aa33b06 fix(langchain-classic): suppress mypy errors in compat code (#36806)
  • Additional commits viewable in compare view

Updates langsmith from 0.7.30 to 0.8.0

Release notes

Sourced from langsmith's releases.

v0.8.0

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.38...v0.8.0

v0.7.38

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.37...v0.7.38

v0.7.37

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.36...v0.7.37

... (truncated)

Commits

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

Commits

Updates poetry from 2.3.2 to 2.3.4

Release notes

Sourced from poetry's releases.

2.3.4

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

2.3.3

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).

poetry-core (2.3.2)

  • Fix an issue where platform_release could not be parsed on Debian Trixie (#930).
  • Fix an issue where using project.readme.text in the pyproject.toml file resulted in broken metadata (#914).
  • Fix an issue where dependency groups were considered equal when their resolved dependencies were equal, even if the groups themselves were not (#919).
  • Fix an issue where removing a dependency from a group that included another group resulted in other dependencies being added to the included group (#922).
  • Fix an issue where PEP 735 include-group entries were lost when [tool.poetry.group] also defined include-groups for the same group (#924).
  • Fix an issue where the union of <value> not in <marker> constraints was wrongly treated as always satisfied (#925).
  • Fix an issue where a post release with a local version identifier was wrongly allowed by a > version constraint (#921).
  • Fix an issue where a version with the local version identifier 0 was treated as equal to the corresponding public version (#920).
  • Fix an issue where a != <version> constraint wrongly disallowed pre releases and post releases of the specified version (#929).
  • Fix an issue where in and not in constraints were wrongly not allowed by specific compound constraints (#927).
Changelog

Sourced from poetry's changelog.

[2.3.4] - 2026-04-12

Fixed

  • Fix a performance regression in the wheel installer that was introduced in Poetry 2.3.3 (#10821).
  • Fix a path traversal vulnerability in sdist extraction on Python 3.10.0-3.10.12 and 3.11.0-3.11.4 that could allow malicious tarball files to write files outside the target directory (#10837).

[2.3.3] - 2026-03-29

Fixed

  • Fix a path traversal vulnerability in the wheel installer that could allow malicious wheel files to write files outside the intended installation directory (#10792).
  • Fix an issue where git dependencies from annotated tags could not be updated (#10719).
  • Fix an issue where empty VIRTUAL_ENV or CONDA_PREFIX environment variables (e.g., after conda deactivate) would cause Poetry to incorrectly detect an active virtualenv (#10784).
  • Fix an issue where an incomprehensible error message was printed when .venv was a file instead of a directory (#10777).
  • Fix an issue where HTTP Basic Authentication credentials could be corrupted during request preparation, causing authentication failures with long tokens (#10748).
  • Fix an issue where poetry publish --no-interaction --build requested user interaction (#10769).
  • Fix an issue where poetry init and poetry new created a deprecated project.license format (#10787).

Docs

  • Clarify the differences between poetry install and poetry update (#10713).
  • Clarify the section of fields in the pyproject.toml examples (#10753).
  • Add a note about the different installation location when Python from the Microsoft Store is used (#10759).
  • Fix the system requirements for Poetry (#10739).
  • Fix the poetry cache clear example (#10749).
  • Fix the link to pipx installation instructions (#10783).
Commits
  • 7c7af71 release: bump version to 2.3.4
  • e512e7f fix: refuse to write files outside the target directory during sdist extracti...
  • 506c09d perf: use os.path.abspath() instead of Path.resolve() (#10821)
  • 3d0151a release: bump version to 2.3.3
  • 89f09aa fix long path issue on Windows (#10794)
  • e068177 installer: fix path traversal (#10792)
  • d76a2f6 chore: require new poetry-core version (#10790)
  • 859d443 Update init & new commands for PEP 639 (License) (#10787)
  • 2ff2845 fix: pass auth via Request constructor instead of calling HTTPBasicAuth on un...
  • 286e43b env: improve error handling if .venv is not a directory but a file (#10777)
  • Additional commits viewable in compare view

Updates cryptography from 44.0.3 to 48.0.1

Changelog

Sourced from cryptography's changelog.

48.0.1 - 2026-06-09


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 4.0.1.

.. _v48-0-0:


48.0.0 - 2026-05-04

  • BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed. cryptography now requires Python 3.9 or later.

  • BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner TBSCertList.signature algorithm does not match the outer signatureAlgorithm now raises ValueError. Previously, such CRLs were parsed successfully and only rejected during signature validation.

  • Added support for :doc:/hazmat/primitives/asymmetric/mlkem and :doc:/hazmat/primitives/asymmetric/mldsa when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.

    • Note: Going forward, we do not guarantee that all functionality in cryptography will be available when building against OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:

47.0.0 - 2026-04-24


* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
</tr></table>

... (truncated)

Commits

Updates dulwich from 1.1.0 to 1.2.5

Release notes

Sourced from dulwich's releases.

1.2.5

This is a security release. All users are encouraged to upgrade.

Security fixes

  • GHSA-gfhv-vqv2-4544 -- Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact. The dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)

  • CVE-2026-42305 -- Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. validate_path_element_ntfs now also rejects Windows path separators, the alternate data stream marker :, NTFS 8.3 short-name aliases of .git, and reserved Windows device names. core.protectNTFS now defaults to true on every platform, and both core.protectNTFS and core.protectHFS are now read under their correct option names. (Reported by Christopher Toth)

  • CVE-2026-42563 -- Shell-quote values substituted into ProcessMergeDriver commands. A malicious branch could inject shell commands when a merge driver referencing %P was configured. (Reported by Ravishanker Kusuma (hayageek))

  • CVE-2026-47712 -- Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. (Reported by Christopher Toth)

  • receive.maxInputSize -- Honour receive.maxInputSize in ReceivePackHandler. Previously a remote unauthenticated client could send a tiny crafted pack that declared a huge dest_size and trigger hundreds of MB of allocation over git-receive-pack. (Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)

1.2.4

What's Changed

Full Changelog: jelmer/dulwich@dulwich-1.2.3...dulwich-1.2.4

1.2.1

Changes since 1.2.0

  • Derive the LFS endpoint as the remote's on-disk LFS store (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos) when remote.origin.url points at a local filesystem path or file:// URL, matching git-lfs behaviour. Previously the built-in smudge filter constructed an HTTP-style <remote>.git/info/lfs path that did not exist on disk, leaving LFS-tracked files as pointers when cloning from a local repo.

  • Deduplicate objects when writing a multi-pack-index. Objects present in multiple packs (e.g. after git gc creates a cruft pack) would otherwise produce an OIDL chunk with repeated SHAs, causing git multi-pack-index verify to fail with "oid lookup out of order". (#2152)

  • Extend ignorecase and precomposeunicode support to index lookups. (#1807)

1.2.0

Notable changes since 1.1.0

New features

  • Add am command and porcelain.am() for applying mailbox-style email patches (git am), with state persistence for --continue, --skip, --abort, and --quit recovery (#1692).
  • Add apply command and porcelain.apply_patch() for applying unified diffs, including rename/copy detection, binary patches with Git's base85 encoding, and --3way merge fallback (#1784).

... (truncated)

Changelog

Sourced from dulwich's changelog.

1.2.5 2026-05-28

  • SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact -- dropping a hook that later commands would run. Submodule paths are now rejected if they are absolute or carry a component that the configured path validator refuses, and the submodule's own tree is materialized with the same validator. This is the dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Jelmer Vernooij; reported by tonghuaroot)

  • SECURITY(CVE-2026-42305): Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. A crafted tree could previously carry such names through to the work tree. validate_path_element_ntfs now also rejects:

    • Windows path separators, so an entry named .git\hooks\pre-commit.exe can no longer materialize a file inside .git that Git for Windows would execute.
    • The alternate data stream marker : (e.g. .git::$INDEX_ALLOCATION, which writes into .git directly).
    • NTFS 8.3 short-name aliases of .git (git~<digits>); only git~1 was rejected before.
    • Reserved Windows device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), including with an extension or trailing dots/spaces such as NUL.txt or COM1 .bar.

    In addition, core.protectNTFS now defaults to true on every platform (matching git after CVE-2019-1353), so a POSIX clone no longer accepts paths that would be unsafe on a later Windows clone, and both core.protectNTFS and core.protectHFS are now read under their correct option names, having previously been silently ignored. POSIX users who need literal NTFS-unsafe filenames can opt out with core.protectNTFS=false. (Jelmer Vernooij; reported by Christopher Toth)

  • SECURITY (CVE-2026-42563): Shell-quote values substituted into ProcessMergeDriver commands. %P is a path from the git tree, so a malicious branch could inject shell commands when the user had a merge driver configured that referenced %P. (Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))

  • SECURITY(CVE-2026-47712): Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. get_summary now matches git's format_sanitized_subject.

... (truncated)

Commits
  • 073f4df Release 1.2.5
  • 5f85d3e tests: fix Windows-only failures in NTFS and merge-driver tests
  • 25313ad Merge branch 'advisory-5'
  • 1ca1814 submodule: Reject unsafe submodule paths in submodule_update
  • 3559ef1 Merge branch 'advisory-4'
  • f860ca4 server: Honour receive.maxInputSize to bound received packs
  • 0fd6e6b Merge branch 'advisory-3'
  • 0110b88 Merge branch 'advisory-2'
  • 49eb56e Add NEWS entry for CVE-2026-42305
  • 57efc4a Merge branch 'advisory-1'
  • Additional commits viewable in compare view

Updates idna from 3.11 to 3.15

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

  • Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

  • Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

  • Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

  • Update to Unicode 17.0.0.
  • Issue a deprecation warning for the transitional argument.
  • Added lazy-loading to provide some performance improvements.
  • Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Commits
  • af30a09 Release 3.15
  • 30314d4 Pre-release 3.15rc0
  • 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
  • 2987fdb Convert README and HISTORY from reStructuredText to Markdown
  • 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
  • def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
  • bbd8004 Merge pull request #234 from StanFromIreland/patch-1
  • edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
  • 5557db0 Merge branch 'master' into patch-1
  • f11746c Merge pull request #235 from StanFromIreland/patch-2
  • Additional commits viewable in compare view

Updates python-dotenv from 1.2.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

  • The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Support for Python 3.9.

Fixed

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

New Contributors

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

  • Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

  • The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
  • Improved documentation clarity regarding override behavior and the reference page.
  • Updated PyPy support to version 3.11.
  • Documentation for FIFO file support.
  • Dropped Support for Python 3.9.

Fixed

  • Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
  • Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

  • dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

  • In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

  • dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Commits

@dependabot
chore(deps): bump the uv group across 1 directory with 11 updates
e1f0a4b 
Bumps the uv group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [langchain-openai](https://github.com/langchain-ai/langchain) | `1.1.10` | `1.1.14` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.7.30` | `0.8.0` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.2` | `9.0.3` |
| [poetry](https://github.com/python-poetry/poetry) | `2.3.2` | `2.3.4` |
| [cryptography](https://github.com/pyca/cryptography) | `44.0.3` | `48.0.1` |
| [dulwich](https://github.com/dulwich/dulwich) | `1.1.0` | `1.2.5` |
| [idna](https://github.com/kjd/idna) | `3.11` | `3.15` |
| [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.2.1` | `1.2.2` |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.0` |
| [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` |



Updates `langchain-openai` from 1.1.10 to 1.1.14
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-openai==1.1.10...langchain-openai==1.1.14)

Updates `langsmith` from 0.7.30 to 0.8.0
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.7.30...v0.8.0)

Updates `pytest` from 9.0.2 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.2...9.0.3)

Updates `poetry` from 2.3.2 to 2.3.4
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.3.2...2.3.4)

Updates `cryptography` from 44.0.3 to 48.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.3...48.0.1)

Updates `dulwich` from 1.1.0 to 1.2.5
- [Release notes](https://github.com/dulwich/dulwich/releases)
- [Changelog](https://github.com/jelmer/dulwich/blob/main/NEWS)
- [Commits](jelmer/dulwich@dulwich-1.1.0...dulwich-1.2.5)

Updates `idna` from 3.11 to 3.15
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md)
- [Commits](kjd/idna@v3.11...v3.15)

Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2)

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

Updates `starlette` from 0.52.1 to 1.3.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.52.1...1.3.1)

Updates `urllib3` from 2.6.3 to 2.7.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

---
updated-dependencies:
- dependency-name: langchain-openai
  dependency-version: 1.1.14
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: langsmith
  dependency-version: 0.8.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: poetry
  dependency-version: 2.3.4
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: dulwich
  dependency-version: 1.2.5
  dependency-type: indirect
  dependency-group: uv
- dependency-name: idna
  dependency-version: '3.15'
  dependency-type: indirect
  dependency-group: uv
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
  dependency-group: uv
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
  dependency-group: uv
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants