chore(deps): bump the python-dependencies group across 1 directory with 24 updates

[dependabot]

Updates the requirements on pytest-asyncio, coverage, responses, moto, pyarrow, datasets, langchain, langchain-openai, opensearch-py, pypdf, lxml, requests-aws4auth, langchain-community, langchain-core, cachetools, tiktoken, fastapi, pydantic, cryptography, starlette, black, mypy, poetry and pydantic-core to permit the latest version.
Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
• Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

• Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

• Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits

• 6e14cd2 chore: Prepare release of v1.4.0.
• 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
• ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
• a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
• e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
• fc43340 Build(deps): Bump idna from 3.14 to 3.15
• 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
• b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
• 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
• 82a393c ci: Remove unnecessary debug output.
• Additional commits viewable in compare view

Updates coverage to 7.14.0

Changelog

Sourced from coverage's changelog.

Version 7.14.0 — 2026-05-10

• Feature: now when running one of the reporting commands, if there are parallel data files that need combining, they will be implicitly combined before creating the report. There is no option to avoid the combination; let us know if you have a use case that requires it. Thanks, Tim Hatch <pull 2162_>. Closes issue 1781.

• Fix: the output from combine was too verbose, listing each file considered. Now it shows a single line with the counts of files combined, files skipped, and files with errors. The -q flag suppresses this line. The old detailed lines are available with the new --debug=combine option.

• Fix: running a Python file through a symlink now sets the sys.path correctly, matching regular Python behavior. Fixes issue 2157_.

• Fix: Collector.flush_data could fail with "RuntimeError: Set changed size during iteration" when a tracer in another thread added a line to the per-file set that add_lines (or add_arcs) was iterating. The values passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver <pull 2165_>_.

• Fix: the soft keyword lazy is now bolded in HTML reports.

• We are no longer testing eventlet support. Eventlet started issuing stern deprecation warnings that break our tests. Our support code is still there.

.. _issue 1781: coveragepy/coveragepy#1781 .. _issue 2157: coveragepy/coveragepy#2157 .. _pull 2162: coveragepy/coveragepy#2162 .. _pull 2165: coveragepy/coveragepy#2165

.. _changes_7-13-5:

Version 7.13.5 — 2026-03-17

• Fix: issue 2138_ describes a memory leak that happened when repeatedly using the Coverage API with in-memory data. This is now fixed.

• Fix: the markdown-formatted coverage report didn't fully escape special characters in file paths (issue 2141). This would be very unlikely to cause a problem, but now it's done properly, thanks to Ellie Ayla <pull 2142_>.

• Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145_).

... (truncated)

Commits

• 646351b docs: sample HTML for 7.14.0
• 39cd015 docs: prep for 7.14.0
• 649e8aa docs: thanks Alex Vandiver for #2165
• 8cd392e fix: snapshot data in Collector.flush_data to avoid threading race (#2165)
• c48e0ed fix: less output for combining
• c2a3a28 docs: explain the change from #2162
• 1cd47aa fix: implicit combine-during-report now removes the combined data files
• 2d99fd7 feat: automatically combine coverage in report, thanks Tim Hatch (#2162)
• 9fbdcdf fix: lazy soft keywords are bolded
• 5de7d02 build: oops, misplaced quote
• Additional commits viewable in compare view

Updates responses to 0.26.1

Release notes

Sourced from responses's releases.

0.26.1

• Added Spanish translation of the README (README.es.rst)
• When both content_type and headers['content-type'] are in a response mock file, content_type is now used.
• Added strict_match to urlencoded_params_matcher, enabling partial request parameter matching.

Changelog

Sourced from responses's changelog.

0.26.1

• Added Spanish translation of the README (README.es.rst)
• When both content_type and headers['content-type'] are in a response mock file, content_type is now used.
• Added strict_match to urlencoded_params_matcher, enabling partial request parameter matching.

0.26.0

• When using assert_all_requests_are_fired=True, assertions about unfired requests are now raised even when an exception occurs in the context manager or decorated function. Previously, these assertions were suppressed when exceptions occurred. This new behavior provides valuable debugging context about which mocked requests were or weren't called.
• Consider the Retry-After header when handling retries

0.25.8

• Fix bug where the content type is always recorded as either text/plain or application/json. See #770
• Allow asserts on add_callback() matches. See #727

0.25.7

• Added support for python 3.13

0.25.6

• Added py.typed to package_data

0.25.5

• Fix readme issue that prevented 0.25.4 from being published to pypi.

0.25.4

• Responses can now match requests that use data with file-like objects. Files will be read as bytes and stored in the request mock. See #736
• RequestsMock.matchers was added. This property is an alias to responses.matchers. See #739
• Removed tests from packaged wheels. See #746
• Improved recorder API to ease use in REPL environments. See #745

... (truncated)

Commits

• 7a80232 release: 0.26.1
• 1fda897 Add strict_match parameter to urlencoded_params_matcher (#796)
• ab8d480 chore: Fix lint build and update changes (#795)
• 71be9a2 fix: remove content-type from headers in _add_from_file to avoid RuntimeError...
• 84c2b08 Add Spanish translation of the README documentation (#790)
• 3da192e chore: pin GitHub Actions to full-length commit SHAs (#789)
• cc53d77 Merge branch 'release/0.26.0'
• See full diff in compare view

Updates moto from 5.1.22 to 5.2.1

Changelog

Sourced from moto's changelog.

5.2.1

Docker Digest for 5.2.1: sha256:fe6575dcd878842124f05d20e4ffde2d1126e1e38ad03e196353b9e53649bcdf

Miscellaneous:
    * DynamoDB: batch_write_item() now correctly handles PUT requests with Binary (B) attributes (broken in 5.2.0)
    * S3: Uploading files no longer fails with 'Unsupported protocol' (broken in 5.2.0)
    * S3: create_multipart_upload() is now compatible with Java SDK again (broken in 5.2.0)
    * Route53: update_health_check() now correctly updates falsy values (broken in 5.2.0)

5.2.0

Docker Digest for 5.2.0: sha256:d8d063e3e704d256cbe8165072fa273c17698be91311e49fc602b7716f459bea

General:
    * Drops support for Python 3.9
    * Lambda Containers now configure the AWS_ENDPOINT_URL, automatically intercepting requests to other AWS services
New Services:

* Bedrock-AgentCore-Control:

* create_agent_runtime()

* create_agent_runtime_endpoint()

* create_gateway()

* create_gateway_target()

* create_memory()

* delete_agent_runtime()

* delete_agent_runtime_endpoint()

* delete_gateway()

* delete_gateway_target()

* delete_memory()

* get_agent_runtime()

* get_agent_runtime_endpoint()

* get_gateway()

* get_gateway_target()

* get_memory()

* list_agent_runtimes()

* list_agent_runtime_endpoints()

* list_agent_runtime_versions()

* list_gateways()

* list_gateway_targets()

* list_memories()

* list_tags_for_resource()

* tag_resource()

* update_agent_runtime()

* update_agent_runtime_endpoint()

* update_gateway()

* update_gateway_target()

* untag_resource()

... (truncated)

Commits

• 543c687 Pre-Release: Up Version Number
• b653a99 Prep release 5.2.1 (#10020)
• df3dc92 Core: Disable flaky AWS tests (#10019)
• ef42e0e S3: Make CreateMultipartUpload compatible with Java SDK (#10017)
• 50ab624 Core: Make compatible with mypy 2 (#10016)
• 6b3cf8d Route53: update_health_check() should handle falsy values correctly (#10014)
• b4f8b78 Core: short circuit protocol detection for S3 (#10012)
• 665e817 DynamoDB: fix BatchWriteItem handling of binary attributes (#10007)
• e754d88 Admin: Post-release steps
• 4d17a10 Pre-Release: Up Version Number
• Additional commits viewable in compare view

Updates pyarrow to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Commits

• 31b4b6c MINOR: [Release] Update versions for 24.0.0
• 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
• a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
• 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
• a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
• 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
• f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
• fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
• 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
• 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
• Additional commits viewable in compare view

Updates datasets from 3.6.0 to 4.8.5

Release notes

Sourced from datasets's releases.

4.8.5

Main bug fixes

• fix: decode Json() values before calling DataFrame.to_json() (#8116) by @​Brianzhengca in huggingface/datasets#8122
• Fix: decode JSON type before to_list or to_dict is called by @​ItsTania in huggingface/datasets#8137
• Fix batching for table-formatted datasets by @​bluehyena in huggingface/datasets#8126
• Fix iterable map resume state by @​Brianzhengca in huggingface/datasets#8147
• don't embed remote files in download_and_prepare to parquet by @​lhoestq in huggingface/datasets#8150

Other improvements and bug fixes

• Parse agent traces by @​lhoestq in huggingface/datasets#8113
• 🔒 Pin GitHub Actions to commit SHAs by @​paulinebm in huggingface/datasets#8114
• chore: bump doc-builder SHA for PR upload workflow by @​rtrompier in huggingface/datasets#8134
• Remove print statement in JSON processing by @​lhoestq in huggingface/datasets#8136
• Don't include files list DatasetInfo (and remove old stuff) by @​lhoestq in huggingface/datasets#8128
• update ci uer by @​lhoestq in huggingface/datasets#8139
• fix warning in ci by @​lhoestq in huggingface/datasets#8140
• fix mask in embed_storage for remote files by @​lhoestq in huggingface/datasets#8151
• fix original_files missing in ci json test by @​lhoestq in huggingface/datasets#8152
• Fix null in embed storage by @​lhoestq in huggingface/datasets#8154
• Fix base_path in integration tests by @​lhoestq in huggingface/datasets#8155

New Contributors

• @​paulinebm made their first contribution in huggingface/datasets#8114
• @​Brianzhengca made their first contribution in huggingface/datasets#8122
• @​bluehyena made their first contribution in huggingface/datasets#8126
• @​rtrompier made their first contribution in huggingface/datasets#8134
• @​ItsTania made their first contribution in huggingface/datasets#8137

Full Changelog: huggingface/datasets@4.8.4...4.8.5

4.8.4

What's Changed

• Support latest torchvision by @​lhoestq in huggingface/datasets#8087
• fix regression when loading JSON with one file = one object by @​lhoestq in huggingface/datasets#8086

Full Changelog: huggingface/datasets@4.8.3...4.8.4

4.8.3

What's Changed

• Fix split_dataset_by_node step by @​lhoestq in huggingface/datasets#8081
• Fix docstring of Json.cast_storage by @​albertvillanova in huggingface/datasets#8080

Full Changelog: huggingface/datasets@4.8.2...4.8.3

4.8.2

What's Changed

• Json type for empty struct by @​lhoestq in huggingface/datasets#8074

... (truncated)

Commits

• a015b2f Release: 4.8.5 (#8157)
• 4428907 Fix: decode JSON type before to_list or to_dict is called (#8137)
• ab921d1 Fix iterable map resume state (#8147)
• 7fe94d1 Fix base_path in integration tests (#8155)
• 8515a8c Fix null in embed storage (#8154)
• ff7dc9e fix original_files missing in ci json test (#8152)
• b27a470 fix mask in embed_storage for remote files (#8151)
• 6d03398 don't embed remote files in download_and_prepare to parquet (#8150)
• 891e52f Parse agent traces (#8113)
• 2724a65 fix warning in ci (#8140)
• Additional commits viewable in compare view

Updates langchain from 1.2.15 to 1.3.1

Release notes

Sourced from langchain's releases.

langchain-core==1.3.1

Changes since langchain-core==1.3.0

release(core): 1.3.1 (#36972) feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963) chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923) feat(core): Update inheritance behavior for tracer metadata for special keys (#36900) chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

langchain-fireworks==1.3.1

Changes since langchain-fireworks==1.3.0

fix(fireworks): require api_key in FireworksEmbeddings (#37193) release(fireworks): 1.3.1 (#37189) fix(fireworks): strip non-wire keys from ToolMessage text content blocks (#37187)

langchain==1.3.1

Changes since langchain==1.3.0

release(langchain): 1.3.1 (#37454) fix(langchain): alias Bedrock providers in summarization token check (#37453)

langchain-core==1.3.0

Changes since langchain-core==1.2.31

release(core): release 1.3.0 (#36851) release(core): 1.3.0a3 (#36829) chore(core): keep checkpoint_ns behavior in streaming metadata for backwards compat (#36828) feat(core): Add chat model and LLM invocation params to traceable metadata (#36771) fix(core): restore cloud metadata IPs and link-local range in SSRF policy (#36816) chore(deps): bump pytest to 9.0.3 (#36801) chore(core): harden private SSRF utilities (#36768) fix(openai): handle content blocks without type key in responses api conversion (#36725) chore: bump pytest from 9.0.2 to 9.0.3 in /libs/core (#36719) release(core): 1.3.0.a2 (#36698) fix(core): Use reference counting for storing inherited run trees to support garbage collection (#36660) docs(core): nit (#36685) release(core): 1.3.0a1 (#36656) chore(core): reduce streaming metadata / perf (#36588)

langchain-fireworks==1.3.0

Changes since langchain-fireworks==1.2.1

release(fireworks): 1.3.0 (#37144) feat(fireworks): service_tier init kwarg on ChatFireworks (#37143) chore(model-profiles): refresh model profile data (#37122)

langchain==1.3.0

This release adds support for version="v3" in stream_events / astream_events for langchain agents. Refer to the event streaming guide for details.

... (truncated)

Commits

• b6b769b release(langchain): 1.3.1 (#37454)
• 36c381b fix(langchain): alias Bedrock providers in summarization token check (#37453)
• 0831e44 docs(openai): document base_url env var fallback chain (#37436)
• e208f38 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/xai (#37411)
• a4a2be9 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/qdrant (#37412)
• f5322d9 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/perplexity (#37413)
• 5d9ac69 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/openrouter (#37414)
• f42d80c fix(core): preserve chunk additional_kwargs across v3 stream assembly (#37435)
• 649d82f fix(core): preserve reasoning blocks alongside tool_call in v3 stream (#37434)
• 9f9a8a7 chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/ollama (#37415)
• Additional commits viewable in compare view

Updates langchain-openai from 1.1.10 to 1.2.2

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.2.2

Changes since langchain-openai==1.2.1

release(openai): 1.2.2 (#37617) chore(infra): bump langchain-tests floor to 1.1.9 (#37610) test(openai): unbreak audio chat and Azure embedding integration tests (#37589) fix(openai): guard httpx finalizers (#37570) chore: bump langsmith from 0.8.4 to 0.8.5 in /libs/partners/openai (#37549) chore: bump idna from 3.11 to 3.15 in /libs/partners/openai (#37548) ci(infra): harden Dependabot version-bound preservation (#37510) test(standard-tests): assert ls_model_name honors per-call model override (#37504) fix(openai): source LLM context size from model profiles (#37489) chore(core,langchain,openai): refresh stale OpenAI model references (#37487) fix(openai): broaden condition for ContextOverflowError to accommodate other providers (#37457) docs(openai): document base_url env var fallback chain (#37436) chore: bump langsmith from 0.8.0 to 0.8.4 in /libs/partners/openai (#37416) chore: bump langsmith from 0.7.31 to 0.8.0 in /libs/partners/openai (#37398) chore(infra): merge v1.4 into master (#37350) chore: bump urllib3 from 2.6.3 to 2.7.0 in /libs/partners/openai (#37330) chore: bump langchain-core from 1.3.2 to 1.3.3 in /libs/partners/openai (#37266) chore(docs): update x handle references (#37081) chore(model-profiles): refresh model profile data (#37074) chore(docs): update comment for chatopenai (#37034) chore(model-profiles): refresh model profile data (#37015)

langchain-openai==1.2.1

Changes since langchain-openai==1.2.0

hotfix: bump min core versions (#36996) release(openai): 1.2.1 (#36995) fix(openai): add gpt-5.5 pro to Responses API check (#36994) feat(core): add content-block-centric streaming (v2) (#36834) chore(model-profiles): refresh model profile data (#36982)

langchain-openai==1.2.0

Changes since langchain-openai==1.1.16

release(openai): 1.2.0 (#36961) feat(openai): prevent silent streaming hangs in ChatOpenAI (#36949) hotfix(ci): remove nobenchmark flag (#36959) chore(partners): standardize integration test invocation (#36958)

langchain-openai==1.1.16

Changes since langchain-openai==1.1.15

release(openai): 1.1.16 (#36927) fix(openai): tolerate prompt_cache_retention drift in streaming (#36925)

langchain-openai==1.1.15

Changes since langchain-openai==1.1.14

... (truncated)

Commits

• a1e2daf release(openai): 1.2.2 (#37617)
• 9e21348 fix(openai): guard httpx finalizers against uninitialized instances (#37568)
• 74cecb4 ci(infra): expand integration tests dispatch dropdown to external partners (#...
• 269d628 fix(standard-tests): recognize parametrize-nested xfails in override check (#...
• 23d369e test(xai): tolerate extra block types in web search and xfail v1 streaming to...
• aef86c4 chore(infra): bump langchain-tests floor to 1.1.9 (#37610)
• ebc1880 release(standard-tests): 1.1.9 (#37609)
• 22575ad test(standard-tests): allow extra content blocks in streaming assertions (#37...
• 1aa4496 feat(langchain): register stream transformers on middleware (#37591)
• d2931d8 release(fireworks): 1.4.1 (#37603)
• Additional commits viewable in compare view

Updates opensearch-py from 3.1.0 to 3.2.0

Release notes

Sourced from opensearch-py's releases.

v3.2.0

What's Changed

• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in opensearch-project/opensearch-py#986
• ci(linkchecker): remove exclude-mail option by @​florianvazelle in opensearch-project/opensearch-py#987
• change pool.close to pool.terminate by @​ekneg54 in opensearch-project/opensearch-py#981
• Bump codecov/codecov-action from 4 to 5 by @​dependabot[bot] in opensearch-project/opensearch-py#985
• Update pytest-asyncio requirement from <=1.2.0 to <=1.3.0 by @​dependabot[bot] in opensearch-project/opensearch-py#984
• Add ML Commons plugin doc by @​nathaliellenaa in opensearch-project/opensearch-py#992
• ci: fix mypy type ignore for untyped decorator in tests by @​florianvazelle in opensearch-project/opensearch-py#993
• Updated opensearch-py to reflect the latest OpenSearch API spec by @​opensearch-trigger-bot[bot] in opensearch-project/opensearch-py#994
• Bump actions/upload-artifact from 5 to 6 by @​dependabot[bot] in opensearch-project/opensearch-py#989
• Bump actions/download-artifact from 6 to 7 by @​dependabot[bot] in opensearch-project/opensearch-py#988
• Bump peter-evans/create-pull-request from 7 to 8 by @​dependabot[bot] in opensearch-project/opensearch-py#990
• fix(docs): use keyword arguments in security API examples by @​Pigueiras in opensearch-project/opensearch-py#1004
• Fix CI failures due to API spec updates by @​finnegancarroll in opensearch-project/opensearch-py#1007
• Bump opensearch protobufs - 1.2.0. by @​finnegancarroll in opensearch-project/opensearch-py#1000
• Fix AWSV4Signer.sign() not passing headers to AWSRequest by @​rbhatane in opensearch-project/opensearch-py#1035
• fix(signer): Include X-Amz-Content-SHA256 in SignedHeaders (#1038) by @​JiaxiChris in opensearch-project/opensearch-py#1039

New Contributors

• @​ekneg54 made their first contribution in opensearch-project/opensearch-py#981
• @​Pigueiras made their first contribution in opensearch-project/opensearch-py#1004
• @​rbhatane made their first contribution in opensearch-project/opensearch-py#1035
• @​JiaxiChris made their first contribution in opensearch-project/opensearch-py#1039

Full Changelog: opensearch-project/opensearch-py@v3.1.0...v3.2.0

Changelog

Sourced from opensearch-py's changelog.

[3.2.0]

Added

• Add dependency on opensearch-protobufs to provide client libraries for gRPC transport (#977)
• Add ML Commons plugin documentation (#992)

Updated APIs

• Updated opensearch-py APIs to reflect opensearch-api-specification@2954600

Changed

Deprecated

Removed

Fixed

• Fixed AWSV4Signer.sign() not passing custom headers to AWSRequest, causing x-amz-* headers to be excluded from SigV4 signature (#1034)
• Fixed AWSV4Signer.sign() not setting X-Amz-Content-SHA256 before SigV4Auth.add_auth(), causing the header to be absent from SignedHeaders in the Authorization header. The fix uses a guarded assignment that preserves caller-provided values (e.g., UNSIGNED-PAYLOAD, precomputed hashes) (#1038, #1039)
• Fixed the linkchecker CI step (#987)

Security

Dependencies

• Bump pytest-asyncio from <=1.2.0 to <=1.3.0 (#984)
• Bump actions/checkout from 5 to 6 (#986)
• Bump codecov/codecov-action from 4 to 5 (#985)
• Bump actions/upload-artifact from 5 to 6 (#989)
• Bump actions/download-artifact from 6 to 7 (#988)
• Bump peter-evans/create-pull-request from 7 to 8 (#990)
• Bump opensearch-protobufs from 0.19.0 to 1.2.0 (#1000)

Commits

• 8991792 fix(signer): Include X-Amz-Content-SHA256 in SignedHeaders (#1038) (#1039)
• d8a8c57 Fix AWSV4Signer.sign() not passing headers to AWSRequest (#1035)
• 6551595 Bump opensearch protobufs - 1.2.0. (#1000)
• 94ae310 Fix CI failures due to API spec updates (#1007)
• 1ce5b46 fix(docs): use keyword arguments in security API examples (#1004)
• 9b6d240 Bump peter-evans/create-pull-request from 7 to 8 (#990)
• 02c5dcc Bump actions/download-artifact from 6 to 7 (#988)
• fa8a862 Bump actions/upload-artifact from 5 to 6 (#989)
• f5ef694 Updated opensearch-py to reflect the latest OpenSearch API spec (2026-01-22) ...
• 10ab792 ci: fix mypy type ignore for untyped decorator in tests (#993)
• Additional commits viewable in compare view

Updates pypdf from 6.10.2 to 6.12.2

Release notes

Sourced from pypdf's releases.

Version 6.12.2, 2026-05-26

What's new

Security (SEC)

• Optimize _decode_png_prediction regarding memory and speed (#3806) by @​stefan6419846
• Improve loop control in text extraction (#3805) by @​stefan6419846

Full Changelog

Version 6.12.1, 2026-05-22

What's new

Security (SEC)

• Limit input size and element count for XMP metadata (#3796) by @​stefan6419846

Robustness (ROB)

• Prevent cyclic parent hierarchies for inherited dictionaries (#3795) by @​stefan6419846
• Deal with invalid first code in LZW decoder (#3794) by @​stefan6419846

Full Changelog

Version 6.12.0, 2026-05-21

What's new

Security (SEC)

• Disallow cross-reference streams with zero-only width values (#3791) by @​stefan6419846
• Avoid excessive whitespace in layout mode text extraction (#3790) by @​stefan6419846

New Features (ENH)

• Implement SASLprep (RFC 4013) for AES-256 password normalization (#3780) by @​adityamoolya
• CID font resource from font file to encode more characters (#3652) by @​PJBrs

Performance Improvements (PI)

• Optimize retrieval of named destinatinos in reader (