Skip to content

Bump the pip group across 1 directory with 6 updates#64

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-55e08e2395
Open

Bump the pip group across 1 directory with 6 updates#64
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/pip-55e08e2395

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps the pip group with 6 updates in the / directory:

Package From To
authlib 1.6.9 1.6.11
cryptography 43.0.3 46.0.7
filelock 3.19.1 3.20.3
langchain-core 0.3.83 1.2.28
langsmith 0.4.37 0.7.31
marshmallow 4.0.1 4.1.2

Updates authlib from 1.6.9 to 1.6.11

Release notes

Sourced from authlib's releases.

v1.6.11

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

  • Fix CSRF issue with starlette client

v1.6.10

Full Changelog: authlib/authlib@v1.6.9...v1.6.10

  • Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.
Changelog

Sourced from authlib's changelog.

Version 1.6.11

Released on Apr 16, 2026

  • Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Version 1.6.10

Released on Apr 13, 2026

  • Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.
Commits
  • 0dc0e5b chore: bump to 1.6.11
  • aa7b8e4 Merge commit from fork
  • 401a770 fix: CSRF issue with starlette client
  • ef09aeb chore: release 1.6.10
  • 3be0846 fix: redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError
  • See full diff in compare view

Updates cryptography from 43.0.3 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07


* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.

.. _v46-0-6:


46.0.6 - 2026-03-25

  • SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

46.0.5 - 2026-02-10


* An attacker could create a malicious public key that reveals portions of your
  private key when using certain uncommon elliptic curves (binary curves).
  This version now includes additional security checks to prevent this attack.
  This issue only affects binary elliptic curves, which are rarely used in
  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
  **CVE-2026-26007**
* Support for ``SECT*`` binary elliptic curves is deprecated and will be
  removed in the next release.

.. v46-0-4:


46.0.4 - 2026-01-27

  • Dropped support for win_arm64 wheels_.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.

.. _v46-0-3:

46.0.3 - 2025-10-15


* Fixed compilation when using LibreSSL 4.2.0.

.. _v46-0-2:

</tr></table>

... (truncated)

Commits

Updates filelock from 3.19.1 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

3.20.0

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

3.29.0 (2026-04-19)

  • ✨ feat(soft): enable stale lock detection on Windows :pr:534
  • 🐛 fix(async): use single-thread executor for lock consistency :pr:533
  • build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

3.28.0 (2026-04-14)

  • 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

3.26.1 (2026-04-09)

  • 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
  • build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

3.26.0 (2026-04-06)

  • ✨ feat(soft): add PID inspection and lock breaking :pr:524
  • [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
  • build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
  • Remove persist-credentials: false from release job :pr:520
  • [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
  • 🔒 ci(workflows): add zizmor security auditing :pr:517
  • [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
  • [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

3.25.2 (2026-03-11)

  • 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

3.25.1 (2026-03-09)

  • [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
  • 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits

Updates langchain-core from 0.3.83 to 1.2.28

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.28

Changes since langchain-core==1.2.27

release(core): release 1.2.28 (#36614) fix(core): add more sanitization to templates (#36612)

langchain-core==1.2.27

Changes since langchain-core==1.2.26

release(core): 1.2.27 (#36586) fix(core): handle symlinks in deprecated prompt save path (#36585) chore: add comment explaining pygments>=2.20.0 (#36570)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue in #36585.

langchain-core==1.2.26

Changes since langchain-core==1.2.25

release(core): 1.2.26 (#36511) fix(core): add init validator and serialization mappings for Bedrock models (#34510) feat(core): add ChatBaseten to serializable mapping (#36510) chore(core): drop gpt-3.5-turbo from docstrings (#36497) fix(core): correct parameter names in filter_messages docstring example (#36462)

langchain-core==1.2.25

Changes since langchain-core==1.2.24

release(core): 1.2.25 (#36473) fix(core): harden check for txt files in deprecated prompt loading functions (#36471) fix(core): fixed typos in the documentation (#36459)

Credit to Jeff Ponte (@​JDP-Security) for reporting the symlink resolution issue resolved in #36471.

langchain-core==1.2.24

Changes since langchain-core==1.2.23

release(core): 1.2.24 (#36434) feat(core): impute placeholder filenames for OpenAI file inputs (#36433) chore: pygments>=2.20.0 across all packages (CVE-2026-4539) (#36385) fix(core): add "computer" to _WellKnownOpenAITools (#36261)

langchain-core==1.2.23

Changes since langchain-core==1.2.22

release(core): 1.2.23 (#36323) revert: Revert "fix(core): trace invocation params in metadata" (#36322) chore: bump requests from 2.32.5 to 2.33.0 in /libs/core (#36243)

langchain-core==1.2.22

Changes since langchain-core==1.2.21

... (truncated)

Commits

Updates langsmith from 0.4.37 to 0.7.31

Release notes

Sourced from langsmith's releases.

v0.7.31

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.30...v0.7.31

v0.7.30

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.29...v0.7.30

v0.7.29

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.28...v0.7.29

v0.7.28

What's Changed

... (truncated)

Commits
  • c434999 release(py): 0.7.31 (#2716)
  • 47d7c4a feat: Filter kwargs from new token events (#2714)
  • 3c57445 chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (#2708)
  • 2be6cd0 chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /...
  • b8b6ca3 chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 ...
  • 9897cb3 chore(deps): bump actions/github-script from 8 to 9 (#2706)
  • 572c018 chore(deps-dev): bump @​anthropic-ai/sdk from 0.85.0 to 0.86.0 in /js (#2702)
  • 5744752 chore(deps): bump the py-minor-and-patch group across 1 directory with 10 upd...
  • 960cae7 chore(deps): bump pnpm/action-setup from 5 to 6 (#2705)
  • 9370e76 chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /...
  • Additional commits viewable in compare view

Updates marshmallow from 4.0.1 to 4.1.2

Changelog

Sourced from marshmallow's changelog.

4.1.2 (2025-12-19)

Bug fixes:

  • :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

  • Ensure URL validator is case-insensitive when using custom schemes (:pr:2874). Thanks :user:T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

  • Add __len__ implementation to missing so that it can be used with validate.Length <marshmallow.validate.Length> (:pr:2861). Thanks :user:agentgodzilla for the PR.
  • Drop support for Python 3.9 (:pr:2363).
  • Test against Python 3.14 (:pr:2864).
Commits
  • 692e79d Merge pull request #2876 from marshmallow-code/delint
  • 045c5f6 [pre-commit.ci] auto fixes from pre-commit.com hooks
  • 94c4d98 Delint
  • d24a0c9 Merge commit from fork
  • 1682640 Bump version and update changelog
  • 36f8787 Only deep copy error message collections
  • 70141f4 Add test coverage for error message modification
  • 218d98a Merge error store messages without rebuilding collections
  • 80f1110 Bump version and update changelog
  • 10fe10b Merge pull request #2874 from T90REAL/fix_case_sensitivity
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the pip group across 1 directory with 6 updates
922c969 
Bumps the pip group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [authlib](https://github.com/authlib/authlib) | `1.6.9` | `1.6.11` |
| [cryptography](https://github.com/pyca/cryptography) | `43.0.3` | `46.0.7` |
| [filelock](https://github.com/tox-dev/py-filelock) | `3.19.1` | `3.20.3` |
| [langchain-core](https://github.com/langchain-ai/langchain) | `0.3.83` | `1.2.28` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.4.37` | `0.7.31` |
| [marshmallow](https://github.com/marshmallow-code/marshmallow) | `4.0.1` | `4.1.2` |



Updates `authlib` from 1.6.9 to 1.6.11
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst)
- [Commits](authlib/authlib@v1.6.9...v1.6.11)

Updates `cryptography` from 43.0.3 to 46.0.7
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...46.0.7)

Updates `filelock` from 3.19.1 to 3.20.3
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.19.1...3.20.3)

Updates `langchain-core` from 0.3.83 to 1.2.28
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==0.3.83...langchain-core==1.2.28)

Updates `langsmith` from 0.4.37 to 0.7.31
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.4.37...v0.7.31)

Updates `marshmallow` from 4.0.1 to 4.1.2
- [Changelog](https://github.com/marshmallow-code/marshmallow/blob/dev/CHANGELOG.rst)
- [Commits](marshmallow-code/marshmallow@4.0.1...4.1.2)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.11
  dependency-type: indirect
  dependency-group: pip
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
  dependency-group: pip
- dependency-name: filelock
  dependency-version: 3.20.3
  dependency-type: indirect
  dependency-group: pip
- dependency-name: langchain-core
  dependency-version: 1.2.28
  dependency-type: indirect
  dependency-group: pip
- dependency-name: langsmith
  dependency-version: 0.7.31
  dependency-type: indirect
  dependency-group: pip
- dependency-name: marshmallow
  dependency-version: 4.1.2
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants