chore(deps): bump the python-minor group across 1 directory with 22 updates

[dependabot]

Bumps the python-minor group with 19 updates in the / directory:

Package	From	To
netmiko	4.6.0	4.7.0
ntc-templates	9.0.0	9.1.0
pydantic	2.12.5	2.13.4
rq	2.7.0	2.9.1
requests	2.33.0	2.34.2
ttp-templates	0.5.1	0.5.8
pyjwt	2.12.1	2.13.0
pytest	9.0.3	9.1.0
fakeredis	2.34.1	2.36.1
ipython	9.10.1	9.14.1
ruff	0.15.8	0.15.17
pre-commit	4.5.1	4.6.0
opentelemetry-test-utils	0.62b0	0.63b1
locust	2.43.4	2.44.3
boto3	1.42.84	1.43.29
typer	0.24.1	0.26.7
pytest-asyncio	1.3.0	1.4.0
datamodel-code-generator	0.56.0	0.64.0
fastmcp	3.2.4	3.4.2

Updates netmiko from 4.6.0 to 4.7.0

Release notes

Sourced from netmiko's releases.

Netmiko 4.7.0 Release

New Platforms

• Optilink GOLT in ktbyers/netmiko#3583
• Cisco Access Points in ktbyers/netmiko#3584
• IPInfusion OcNOS (commit model) in ktbyers/netmiko#3596
• Aviat WTM in ktbyers/netmiko#3602
• Nokia ISAM in ktbyers/netmiko#3725
• Perle IOLAN Console in ktbyers/netmiko#3738
• Smartoptics DWDM in ktbyers/netmiko#3760
• APC AOS in ktbyers/netmiko#3768
• OpenGear in ktbyers/netmiko#3769
• Cisco WLC IOS in ktbyers/netmiko#3777
• Calix EXA in ktbyers/netmiko#3781
• Hioso OLT in ktbyers/netmiko#3799
• Huawei ONT in ktbyers/netmiko#3800
• Raisecom ROS in ktbyers/netmiko#3802
• IIJ Seilos in ktbyers/netmiko#3804
• Avara in ktbyers/netmiko#3805
• Lancom LCOSsx5 in ktbyers/netmiko#3806
• Fujitsu SIR in ktbyers/netmiko#3807
• Hirschmann HIOS in ktbyers/netmiko#3808
• Furukawa FITELnet in ktbyers/netmiko#3810
• ZPE Nodegrid in ktbyers/netmiko#3835

What's Changed

• Fixes 'enable' call issue when device prompt is a substring of literal 'password' string in ktbyers/netmiko#3708
• Fix missing flags in re.search call in enable() in ktbyers/netmiko#3709
• Aruba OS: Add file transfer support in ktbyers/netmiko#3691
• Minor updates to Aruba OS file transfer in ktbyers/netmiko#3711
• Ocnos commit description map to 'comment' argument in ktbyers/netmiko#3714
• Remove superfluous executable bits in ktbyers/netmiko#3722
• Fix typing hints for timeouts: change from int to float in ktbyers/netmiko#3720
• Add py.typed and fix include/MANIFEST.in issues in ktbyers/netmiko#3723
• Mikrotik space fix issue in ktbyers/netmiko#3739
• Use proper type hints for session_log argument of BaseConnection constructor in ktbyers/netmiko#3727
• Minor perle fixes in ktbyers/netmiko#3740
• Fix Check Point Gaia double command echo issue in ktbyers/netmiko#3742
• Improve Check Point Gaia in ktbyers/netmiko#3748
• Fix Garderos GRS alt_prompt in ktbyers/netmiko#3733
• GH Actions: updating Python and MacOS runner versions in ktbyers/netmiko#3755
• Fix error in enable_secret_handler() in ktbyers/netmiko#3759
• nokia_isam improvements in ktbyers/netmiko#3754
• Add cleanup method for graceful cleanup for Gaia in ktbyers/netmiko#3772
• Add save config method for Gaia in ktbyers/netmiko#3773
• Add additional search pattern for AOS-CX (e.g. CX 6300M) in ktbyers/netmiko#3774
• Adva driver fixes in ktbyers/netmiko#3595
• IOS-XR add 'replace' option to commit method in ktbyers/netmiko#3668
• Improve Paramiko Cleanup in ktbyers/netmiko#3675

... (truncated)

Commits

• 1e28a76 Merge pull request #3851 from ktbyers/develop
• 33f6f5e Merge branch 'master' into develop
• e781ac9 Update poetry lock file including paramiko version 5 (#3852)
• 706ca1f Netmiko 4.7.0 Release (#3850)
• c27bb91 Doc update (#3849)
• 5605388 Minor fix for tests (#3848)
• 4570e14 Fix exit_enable_mode issue with not verifying command echo (#3847)
• 6105c72 Fix typing import issue on PY3.13 (#3846)
• eadebd7 Add unit tests for SessionLog (Layer 1 + Layer 2) (#3843)
• 2c1286d Fix session_log flush so data is written immediately on write() (#3841)
• Additional commits viewable in compare view

Updates ntc-templates from 9.0.0 to 9.1.0

Release notes

Sourced from ntc-templates's releases.

v9.1.0

What's Changed

• Fix nxos sh license usage for nxos 10 (mmilaitis) by @​michalis1 in networktocode/ntc-templates#2302
• Fix alcatel_sros sh lag when there are lag names by @​mjbear in networktocode/ntc-templates#2277
• v9.1.0 release notes by @​matt852 in networktocode/ntc-templates#2303

Full Changelog: networktocode/ntc-templates@v9.0.0...v9.1.0

Commits

• e60dae3 v9.1.0 release notes (#2303)
• 64f94f6 Fix alcatel_sros sh lag when there are lag names (#2277)
• b73b614 Merge pull request #2302 from michalis1/mmilaitis_nxos_sh_lic_usage_issue2285
• ef8f223 Update ntc_templates/templates/cisco_nxos_show_license_usage.textfsm
• 4d9972d updates nxos show_license_usage for nxos v10
• 074c716 updates nxos show_license_usage for nxos v10
• See full diff in compare view

Updates pydantic from 2.12.5 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• Additional commits viewable in compare view

Updates rq from 2.7.0 to 2.9.1

Release notes

Sourced from rq's releases.

v2.9.1

• Job.create() now supports retry argument. Thanks @​sethuvishal!
• Add compatibility with redis-py >= 8. Thanks @​selwin!

v2.9

• Added json and pickle shorthand aliases for serializers. These can now be used when creating queues/workers and with the --serializer CLI option. Thanks @​selwin!
• Fixed a bug where SpawnWorker does not use user supplied serializer. Thanks @​selwin!
• Queue.parse_args() now returns a EnqueueArgs named tuple. Thanks @​libmilos-so!
• Fixed a race condition that could cause worker keys in Redis to get out of sync when Redis is under load. Thanks @​terencehonles!
• Enqueueing deferred jobs now removes them from DeferredJobRegistry. Thanks @​selwin!
• SpawnWorker now uses repr() when reconstructing worker, job and queue identifiers in child processes. Thanks @​selwin!
• Minor typing and cleanup improvements. Thanks @​selwin and @​rextea!

v2.8

• Added support for unique jobs. Passing unique=True with job_id prevents duplicate jobs from being enqueued or scheduled. Thanks @​selwin!
• Result now stores execution metadata (execution_id, execution_started_at and execution_ended_at). Thanks @​selwin!
• Retry now supports enqueue_at_front=True, allowing retried jobs to be requeued at the front of the queue. Thanks @​crazillagodzilla!
• Custom job_id values may only contain letters, numbers, underscores and dashes. Thanks @​selwin!
• When a job is stopped, its dependencies are no longer enqueued. Thanks @​selwin!
• DeferredJobRegistry is now scored by job creation time. Thanks @​selwin!
• Workers now print a warning instead of raising an exception when CLIENT LIST is not supported. Thanks @​selwin and @​djmaze!

Changelog

Sourced from rq's changelog.

RQ 2.9.1 (2026-06-06)

• Job.create() now supports retry argument. Thanks @​sethuvishal!
• Add compatibility with redis-py >= 8. Thanks @​selwin!

RQ 2.9.0 (2026-05-19)

• Added json and pickle shorthand aliases for serializers. These can now be used when creating queues/workers and with the --serializer CLI option. Thanks @​selwin!
• Fixed a bug where SpawnWorker does not use user supplied serializer. Thanks @​selwin!
• Queue.parse_args() now returns a EnqueueArgs named tuple. Thanks @​libmilos-so!
• Fixed a race condition that could cause worker keys in Redis to get out of sync when Redis is under load. Thanks @​terencehonles!
• Enqueueing deferred jobs now removes them from DeferredJobRegistry. Thanks @​selwin!
• SpawnWorker now uses repr() when reconstructing worker, job and queue identifiers in child processes. Thanks @​selwin!
• Minor typing and cleanup improvements. Thanks @​selwin and @​rextea!

RQ 2.8.0 (2026-04-16)

• Added support for unique jobs. Passing unique=True with job_id prevents duplicate jobs from being enqueued or scheduled. Thanks @​selwin!
• Result now stores execution metadata (execution_id, execution_started_at and execution_ended_at). Thanks @​selwin!
• Retry now supports enqueue_at_front=True, allowing retried jobs to be requeued at the front of the queue. Thanks @​crazillagodzilla!
• Custom job_id values may only contain letters, numbers, underscores and dashes. Thanks @​selwin!
• When a job is stopped, its dependencies are no longer enqueued. Thanks @​selwin!
• DeferredJobRegistry is now scored by job creation time. Thanks @​selwin!
• Workers now print a warning instead of raising an exception when CLIENT LIST is not supported. Thanks @​selwin and @​djmaze!

Commits

• 01a3867 Bump version to 2.9.1
• 94d591a [WIP] Redis py 8 compatibility (#2416)
• 298f09e Fix flaky test (#2415)
• 1293e92 Allow retry configuration in Job.create() for parity with Queue.enqueue() (#2...
• 7099d3d Bump codecov/codecov-action from 6.0.0 to 6.0.1 (#2408)
• 4ee8428 Bump version to 2.9 (#2405)
• bb826fc SpawnWorker should use user specified serializer (#2407)
• 0f45286 Drop python39 redis8 (#2404)
• 4cf9a64 Rename QueueArgs to EnqueueArgs (#2403)
• f78dbaf Add shorthand aliases for json and pickle serializers (#2401)
• Additional commits viewable in compare view

Updates requests from 2.33.0 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

... (truncated)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates ttp-templates from 0.5.1 to 0.5.8

Release notes

Sourced from ttp-templates's releases.

0.5.8

BUGS

1. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set untagged_vlan vlan handling for juniper subinterfaces - set mode to access and populate untagged_vlan correctly
2. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set to not assing parent for any logical interface like gr or lt or lo0

Full Changelog: dmulyalin/ttp_templates@0.5.6...0.5.8

0.5.7

BUGS

1. Fixing cisco_xr_show_bgp_neighbors.txt template dynamic BGP peers ASN parsing
2. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set extraction of ips for interfaces with virtual gateways
3. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set parent assignment logic - skip it for irb and lo0 interfaces
4. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set to check if bridge port has sub-interface when trying to derive untagged vlan

Full Changelog: dmulyalin/ttp_templates@0.5.6...0.5.7

0.5.6

CHANGES

1. Changing get/interfaces lag to be a parent lag name and adding lag_id attribute
2. get/interfaces for Arista adding interfaces speeds map
3. Enhancing get/interfaces for Arista to calculate access VLAN id for SVI interfaces
4. Changing vrf to be None for get bgp peerings, if BGP peering belongs to global/default/master VRF

TEMPLATES

1. Added platform/cisco_xr_show_running_config_interface.txt refactoring to alight with interfaces getter data
2. Added platform/juniper_junos_show_configuration_interfaces_pipe_display_set.txt template
3. Added platform/arista_eos_show_lldp_neighbors_detail_pipe_json.txt template
4. Added get/lldp_neighbors.txt getter template supporting Arista EOS
5. Added platform/juniper_junos_show_lldp_neighbors_detail_pipe_display_json.txt template

Full Changelog: dmulyalin/ttp_templates@0.5.5...0.5.6

0.5.5

CHANGES

1. Changing Arista EOS bgp neighbor template to use "show ip bgp .." command instead of "show bgp .." command

Full Changelog: dmulyalin/ttp_templates@0.5.4...0.5.5

0.5.4

BUGS

... (truncated)

Changelog

Sourced from ttp-templates's changelog.

Release Notes

0.5.7

BUGS

1. Fixing cisco_xr_show_bgp_neighbors.txt template dynamic BGP peers ASN parsing
2. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set extraction of ips for interfaces with virtual gateways
3. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set parent assignment logic - skip it for irb and lo0 interfaces
4. Fixing juniper_junos_process_show_configuration_interfaces_pipe_display_set to check if bridge port has sub-interface when trying to derive untagged vlan

---

0.5.6

CHANGES

1. Changing get/interfaces lag to be a parent lag name and adding lag_id attribute
2. get/interfaces for Arista adding interfaces speeds map
3. Enhancing get/interfaces for Arista to calculate access VLAN id for SVI interfaces
4. Changing vrf to be None for get bgp peerings, if BGP peering belongs to global/default/master VRF

TEMPLATES

1. Added platform/cisco_xr_show_running_config_interface.txt refactoring to alight with interfaces getter data
2. Added platform/juniper_junos_show_configuration_interfaces_pipe_display_set.txt template
3. Added platform/arista_eos_show_lldp_neighbors_detail_pipe_json.txt template
4. Added get/lldp_neighbors.txt getter template supporting Arista EOS
5. Added platform/juniper_junos_show_lldp_neighbors_detail_pipe_display_json.txt template

---

0.5.5

CHANGES

1. Changing Arista EOS bgp neighbor template to use "show ip bgp .." command instead of "show bgp .." command

---

0.5.4

BUGS

1. Fixing VRF handling for platform/cisco_xr_show_bgp_neighbors.txt template.
2. Fixing BGP peer local ip handling for platform/cisco_xr_show_bgp_neighbors.txt template for newer IOS XR syntax
3. Fixing bgp peer group extraction for platform/arista_eos_show_bgp_neighbors_vrf_all_pipe_json.txt template for newer JSON format

---

... (truncated)

Commits

• 8f933b7 regenerating docs
• 6bd324e bump to 0.5.7
• e93c9c3 fixing extraction of ips for irb interfaces with virtual gateways
• 9f589e4 fixing dynamic bgp peers parsing for cisco xr
• d37bead bump to 0.5.6
• 4d4e52a changing vrf to None by default
• 32627f0 adding lldp neighbour tempalte
• e438e13 few templates fixes
• da1d487 adding mac address extraction to juniper inteerfaces tempalte
• 7115f1d linting
• Additional commits viewable in compare view

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

• GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

• GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

• GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

• GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

• GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

• Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
• Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
• RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

• Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

• Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
• PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
• PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
• b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
• enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security

- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed

- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.
Changed



Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__

Commits

• 7144e45 Apply ruff format
• d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
• 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
• 95791b1 Bundle security fixes and hardening into 2.13.0
• dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
• 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
• b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
• 40e3147 Migrate development extras to dependency groups (#1152)
• See full diff in compare view

Updates pytest from 9.0.3 to 9.1.0

Release notes

Sourced from pytest's releases.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

• #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

  If this is undesirable, move the fixture definition to a conftest.py file if possible.

  Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

• #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

  See 10819 and 14011.

• #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

  See dynamic-fixture-request-during-teardown for details.

• #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

  These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

  See parametrize-iterators for details and suggestions.

• #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

  See config-inicfg for more details.

• #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

  Use the node parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used nodeid=None, pass node=session instead.

  This will be removed in pytest 10.

• #14335: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See hook-markers for more details.

• #14434: The --pastebin option is now deprecated.

... (truncated)

Commits

• b2522cf Prepare release version 9.1.0
• 368d2fc [refactor] Tighten SetComparisonFunction to Iterator[str] (#14587)
• ff77cd8 [refactor] Make base assertion comparisons return an iterator instead of a li...
• 0d8491a build(deps): Bump actions/stale from 10.2.0 to 10.3.0