Skip to content

Bump pydantic from 2.13.3 to 2.13.4#110

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pydantic-2.13.4
Closed

Bump pydantic from 2.13.3 to 2.13.4#110
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/pydantic-2.13.4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Copy link
Copy Markdown
Contributor

Bumps pydantic from 2.13.3 to 2.13.4.

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

Fixes

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

Fixes

Commits
  • cf67d4b Fix linting
  • f0d8a21 Prepare release v2.13.4
  • 5e3fe1d Check for pydantic tag pattern in CI
  • 7f9edcc Document tagging conventions
  • b46a0c9 Adapt pydantic-core linker flags on macOS
  • 50629c8 Update to PyPy 7.3.22
  • 8522ebb Preserve RootModel core metadata
  • a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
  • 909259a Remove Logfire example in documentation
  • 2c4174c Bump libc from 0.2.155 to 0.2.185
  • See full diff in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.13.3 to 2.13.4.
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/v2.13.4/HISTORY.md)
- [Commits](pydantic/pydantic@v2.13.3...v2.13.4)

---
updated-dependencies:
- dependency-name: pydantic
  dependency-version: 2.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 6, 2026 15:42
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels May 6, 2026
kishore7snehil added a commit that referenced this pull request Jun 25, 2026
Refresh the lock for the open dependabot pip bumps in one go: idna 3.13 to
3.18, pyjwt 2.12.1 to 2.13.0, pydantic 2.13.3 to 2.13.4 (pydantic-core
2.46.4), and ruff 0.15.11 to 0.15.19. All within the existing pyproject
constraints; full suite passes. Supersedes #110, #113, #118, #119.
kishore7snehil added a commit that referenced this pull request Jun 25, 2026
…gation/impersonation (#122)

* feat: validate CTE actor token pairing and surface act claim for delegation

* fix(cte): harden act-claim extraction against decode and issuer failures

The act-claim enrichment in custom_token_exchange ran _verify_and_decode_jwt
with no error handling, so a present-but-undecodable id_token turned an
already-issued exchange into a generic TOKEN_EXCHANGE_FAILED. It also skipped
the normalized issuer check the login path applies before trusting claims.

Wrap the enrichment so any decode/verify failure leaves act=None instead of
failing the exchange, and apply the issuer check before reading the claim.
Rewrite the opaque-token test (it never exercised the decode path) and add
coverage for the undecodable-id_token and issuer-mismatch cases.

* fix(cte): validate subject_token_type and actor_token, clarify act sourcing

Add local empty/whitespace guards for subject_token_type and actor_token so
they fail with a clear INVALID_TOKEN_FORMAT instead of a generic round-trip
error from the token endpoint, matching the existing subject_token check.
Add tests for both cases.

Document that response.act is read from the id_token and that Auth0 writes
the same act onto the access token (verified against the platform token
dialects), noting the access token may be opaque. Add a comment on the login
path noting act reaches the session user via UserClaims. Rename the refresh
test to reflect that it pins the state-merge behavior the refresh path uses.

* chore(deps): bump idna, pyjwt, pydantic, and ruff in poetry.lock

Refresh the lock for the open dependabot pip bumps in one go: idna 3.13 to
3.18, pyjwt 2.12.1 to 2.13.0, pydantic 2.13.3 to 2.13.4 (pydantic-core
2.46.4), and ruff 0.15.11 to 0.15.19. All within the existing pyproject
constraints; full suite passes. Supersedes #110, #113, #118, #119.

* ci: bump actions/checkout to v7 and actions/cache to v6

Update GitHub Actions pins across the workflows: actions/checkout v6 to v7
(publish, test, codeql) and actions/cache v5 to v6 (test). Supersedes #121,
#123.
@dependabot @github

dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/pydantic-2.13.4 branch June 25, 2026 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant