chore(deps): bump the python-deps group across 1 directory with 8 updates #651

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/python-deps-254e76bd61

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Updates the requirements on fastapi, uvicorn, typer, click, openai, cachetools, sqlalchemy and ruff to permit the latest version.
Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

  • ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

  • ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

Translations

Internal

... (truncated)

Commits
  • 8206485 🔖 Release version 0.136.3
  • c910e01 📝 Update release notes
  • 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
  • 22b02e2 🔖 Release version 0.136.2
  • 3b252a2 📝 Update release notes
  • c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
  • cb83b83 📝 Update release notes
  • 00f805c ✅ Update tests, don't double dispose the engine (#15587)
  • 3675137 📝 Update release notes
  • 7b57e42 📝 Document --entrypoint CLI option (#15464)
  • Additional commits viewable in compare view

Updates uvicorn from 0.47.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

  • Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

  • Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

Commits

Updates typer from 0.25.1 to 0.26.4

Release notes

Sourced from typer's releases.

0.26.4

Features

  • 📝 Update AI Library Skill to avoid verbose code for CLI Options. PR #1808 by @​tiangolo.

Internal

0.26.3

Refactors

Internal

0.26.2

Fixes

  • 🐛 Ensure that an envvar set for a typer.Option list is split on whitespace. PR #1791 by @​svlandeg.

0.26.1

Fixes

  • 🐛 Ensure that an envvar set for typer.Option works as expected. PR #1788 by @​svlandeg.

Internal

0.26.0

Breaking Changes

  • ➖ Vendor Click and streamline Typer's functionality and code base. PR #1774 by @​svlandeg.
    • Typer no longer depends on Click as a third party dependency, it vendors (includes the source code of) Click.
    • This simplifies the work done by both Click and Typer teams.
    • It allows Typer to evolve independently, and enables several new planned features.
    • It will solve several dependency conflict situations for projects that use some packages that depend on Click and some that depend on Typer.
    • This also means that Click-specific functionality is no longer supported, like extracting the Click app and adding Click-specific plug-ins, or customizing the field types with Click-specific types.
    • You can read more about it in the docs for Vendored Click.

Docs

... (truncated)

Changelog

Sourced from typer's changelog.

0.26.4 (2026-05-30)

Features

  • 📝 Update AI Library Skill to avoid verbose code for CLI Options. PR #1808 by @​tiangolo.

Internal

0.26.3 (2026-05-28)

Refactors

Internal

0.26.2 (2026-05-27)

Fixes

  • 🐛 Ensure that an envvar set for a typer.Option list is split on whitespace. PR #1791 by @​svlandeg.

0.26.1 (2026-05-26)

Fixes

  • 🐛 Ensure that an envvar set for typer.Option works as expected. PR #1788 by @​svlandeg.

Internal

0.26.0 (2026-05-26)

Breaking Changes

  • ➖ Vendor Click and streamline Typer's functionality and code base. PR #1774 by @​svlandeg.
    • Typer no longer depends on Click as a third party dependency, it vendors (includes the source code of) Click.
    • This simplifies the work done by both Click and Typer teams.
    • It allows Typer to evolve independently, and enables several new planned features.
    • It will solve several dependency conflict situations for projects that use some packages that depend on Click and some that depend on Typer.

... (truncated)

Commits
  • b1310f8 🔖 Release version 0.26.4 (#1809)
  • e4bb679 📝 Update release notes
  • 361221d 📝 Update AI Library Skill to avoid verbose code for CLI Options (#1808)
  • e9efaab 📝 Update release notes
  • 90f087a 👷 Add CI to create draft release after merging a release PR (#1807)
  • 2f54c22 📝 Update release notes
  • 1a71c8d 👷 Update labeler to accept label release (#1806)
  • b8d870f 📝 Update release notes
  • e3126b9 👷 Update GitHub Action permissions for prepare-release (#1804)
  • 66af4fd 📝 Update release notes
  • Additional commits viewable in compare view

Updates click from 8.4.0 to 8.4.1

Release notes

Sourced from click's releases.

8.4.1

This is the Click 8.4.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.4.1/
Changes: https://click.palletsprojects.com/page/changes/#version-8-4-1
Milestone: https://github.com/pallets/click/milestone/32?closed=1

  • get_parameter_source() is available during eager callbacks and type conversion again. #3458 #3484
  • Zsh completion scripts parse correctly on Windows. #3277 #3466
  • Shell completion of Choice Enum values produces a valid completion result. #3015
  • Fix empty byte-string handling in echo. #3487
  • Fix closed file error with echo_via_pager. #3449

Changelog

Sourced from click's changelog.

Version 8.4.1

Released 2026-05-21

  • get_parameter_source() is available during eager callbacks and type conversion again. :issue:3458 :issue:3484
  • Zsh completion scripts parse correctly on Windows. :issue:3277 :pr:3466
  • Shell completion of Choice Enum values produces a valid completion result. :issue:3015
  • Fix empty byte-string handling in echo. :issue:3487
  • Fix closed file error with echo_via_pager. :issue:3449

Commits
  • 6eeb50e release version 8.4.1
  • 67921d5 change log and doc fixes (#3495)
  • 9c41f46 Fix changelog and version admonitions
  • 6cb3477 fix skip condition
  • 5ee8e31 fix I/O operation on closed file error with CliRunner and echo_via_pager (#3482)
  • becbde5 pager doesn't close std streams
  • a5f5aa6 Handle empty bytes in echo (#3493)
  • 4d3db84 handle empty bytes in echo
  • d42f15b Fix get_parameter_source() during type conversion and eager callbacks (#3484)
  • 0baa8db Document ctx.params bypass with test and doc
  • Additional commits viewable in compare view

Updates openai to 2.38.0

Release notes

Sourced from openai's releases.

v2.38.0

2.38.0 (2026-05-21)

Full Changelog: v2.37.0...v2.38.0

Features

  • api: api update (33d1d01)
  • api: manual updates (a21700a)
  • api: update OpenAPI spec or Stainless config (00265c5)

Chores

  • api: docs updates (ee10152)
  • check release PR custom code sync (2638779)
  • remove release automation trigger (bd6eea5)
  • trigger release automation (f62d082)

Changelog

Sourced from openai's changelog.

2.38.0 (2026-05-21)

Full Changelog: v2.37.0...v2.38.0

Features

  • api: api update (33d1d01)
  • api: manual updates (a21700a)
  • api: update OpenAPI spec or Stainless config (00265c5)

Chores

  • api: docs updates (ee10152)
  • check release PR custom code sync (2638779)
  • remove release automation trigger (bd6eea5)
  • trigger release automation (f62d082)

2.37.0 (2026-05-13)

Full Changelog: v2.36.0...v2.37.0

Features

  • api: add service_tier parameter to responses compact method (625827c)
  • internal/types: support eagerly validating pydantic iterators (7e527bc)
  • Remove unnecessary client_id when using workload identity provider for auth (c39ea8d)

Bug Fixes

  • client: add missing f-string prefix in file type error message (c85ebd9)

2.36.0 (2026-05-07)

Full Changelog: v2.35.1...v2.36.0

Features

2.35.1 (2026-05-06)

Full Changelog: v2.35.0...v2.35.1

Bug Fixes

  • api: fix imagegen size enum regression (4484653)

... (truncated)

Commits
  • e757667 release: 2.38.0
  • b85b647 feat(api): api update
  • d881c67 Revert "chore: check release PR custom code sync"
  • d4a3228 chore: check release PR custom code sync
  • 4888838 chore: remove release automation trigger
  • 74978f0 chore: trigger release automation
  • bab18af chore(api): docs updates
  • a6f899a feat(api): manual updates
  • 2897485 feat(api): update OpenAPI spec or Stainless config
  • a2f1d6c codegen metadata
  • Additional commits viewable in compare view

Updates cachetools to 7.1.4

Changelog

Sourced from cachetools's changelog.

v7.1.4 (2026-05-22)

  • Minor unit test improvements.

  • Update build environment.

v7.1.3 (2026-05-18)

  • Minor type stub improvements.

  • Update build environment.

v7.1.2 (2026-05-16)

  • Minor type stub improvements.

  • Minor documentation improvements.

  • Modernize build environment.

v7.1.1 (2026-05-03)

  • Various type stub improvements.

v7.1.0 (2026-05-01)

  • Add type stubs based on the work of the good people at typeshed (https://github.com/python/typeshed/tree/main/stubs/cachetools/).

  • Update unit tests.

v7.0.6 (2026-04-20)

  • Minor code improvements.

  • Update project URLs.

  • Update CI environment.

... (truncated)

Commits
  • 48284d7 Release v7.1.4.
  • 55ea96b Update build environment.
  • c5439fe Add threading tests for lock-only decorators.
  • 91828fc Run threading tests unconditionally with timeout.
  • See full diff in compare view

Updates sqlalchemy to 2.0.50

Release notes

Sourced from sqlalchemy's releases.

2.0.50

Released: May 24, 2026

orm

  • [orm] [bug] Fixed issue where using _orm.joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.

    References: #13203

  • [orm] [bug] Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.

    References: #13301

  • [orm] [bug] Fixed issue where using _orm.with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to _orm.configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.

    References: #13319

sql

  • [sql] [bug] Fixed issue where floor division (//) between a Float or Numeric numerator and an Integer denominator would omit the FLOOR() SQL wrapper on dialects where Dialect.div_is_floordiv is True (the default, including PostgreSQL and SQLite). FLOOR() is now applied if either the denominator or the numerator is a non-integer, so that expressions such as float_col // int_col render as FLOOR(float_col / int_col) instead of the incorrect float_col / int_col. Pull request courtesy r266-tech.

    References: #10528

postgresql

... (truncated)

Commits

Updates ruff from 0.15.14 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

  • Fix Markdown closing fence handling (#25310)
  • [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

  • [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

  • Avoid redundant TokenValue drops in the lexer (#25300)
  • Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
  • Use ThinVec in AST to shrink Stmt (#25361)

Documentation

  • Fix line-length example for --config option (#25389)
  • [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
  • [mccabe] Improve example (C901) (#25287)
  • [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
  • [refurb] Document FURB192 exception change for empty sequences (#25317)
  • [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

  • Fix formatting of lambdas nested within f-strings (#25398)

Server

  • Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

  • Expand semantic syntax errors for invalid walruses (#25415)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.15

Released on 2026-05-28.

Preview features

  • Fix Markdown closing fence handling (#25310)
  • [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

  • [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

  • Avoid redundant TokenValue drops in the lexer (#25300)
  • Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
  • Use ThinVec in AST to shrink Stmt (#25361)

Documentation

  • Fix line-length example for --config option (#25389)
  • [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
  • [mccabe] Improve example (C901) (#25287)
  • [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
  • [refurb] Document FURB192 exception change for empty sequences (#25317)
  • [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

  • Fix formatting of lambdas nested within f-strings (#25398)

Server

  • Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

  • Expand semantic syntax errors for invalid walruses (#25415)

Contributors

Commits
  • db5aa0a Bump 0.15.15 (#25431)
  • 366fe21 [ty] Improve diagnostics for syntax errors in forward annotations (#25158)
  • e2e1e64 [ty] Remove excess capacity from more Salsa cached collections (#25411)
  • 1bd77e1 [ty] Use diagnostic message as tie breaker when sorting (#25424)
  • 7e1bc1e Add agent skills for working on ty (#25422)
  • 574e107 Expand semantic syntax errors for invalid walruses (#25415)
  • 4a7ca06 [ty] Display docs for matching parameter when hovering over the name of an ar...
  • 5432709 Refine a few agents instructions (#25423)
  • 3cb09eb [ty] Support typing.TypeForm (#25334)
  • c8cd59f [ty] Infer class attributes assigned by metaclass initialization (#25342)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies and python labels May 28, 2026

vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| compiler | Ready | Preview, Comment | May 31, 2026 10:28am |

@cursor cursor Bot left a comment

Stale comment

PR risk assessment (automation)

Risk level: Medium
Code review: Required
Automation action: Requested reviewer (madara88645); not approved

Evidence (diff-only)

| Area | Finding |
| --- | --- |
| Files touched | Only pyproject.toml and requirements.txt (version pins; no application source changes). |
| Blast radius | Eight runtime/dev dependencies on the core stack: FastAPI, Uvicorn, Typer, Click, OpenAI client, cachetools, SQLAlchemy, and Ruff (dev). |
| Notable upstream behavior | Typer 0.26.x vendors Click (breaking change in 0.26.0; this repo uses Typer heavily in cli/). FastAPI 0.136.3 changes default underscore-header handling. SQLAlchemy 2.0.50 includes ORM/SQL bug fixes that can change query results. Uvicorn 0.48.0 adjusts SSL cipher defaults and proxy header handling. |
| CI | Smoke, extension build, Snyk, CodeQL, and Vercel checks reported success at assessment time. |

Why Medium (not Low / Very Low)

The change set is small on disk, but it upgrades multiple production-critical libraries in one grouped bump, including at least one upstream breaking change (Typer) and several behavior-affecting fixes (FastAPI headers, SQLAlchemy ORM). Regression risk is real even with green CI; human review of release notes and CLI/API smoke paths is appropriate.

Why not High

No auth model, schema migration, infrastructure, or application logic edits—only dependency manifests.

Reviewer assignment

  • Requested: madara88645 (primary maintainer / recent contributor on api/, app/, cli/).
  • No CODEOWNERS file in repo; no prior automation threads to resolve.

Slack

Slack notification was not sent: no SLACK_BOT_TOKEN / webhook configured in this agent environment.


Assessment derived from commit diff d3c99af…14096bb only; PR description claims ignored per security policy.

Sent by Cursor Automation: Assign PR reviewers

@cursor cursor Bot requested a review from madara88645 May 28, 2026 16:51
@madara88645 (Owner)

@dependabot rebase

…ates

Updates the requirements on [fastapi](https://github.com/fastapi/fastapi), [uvicorn](https://github.com/Kludex/uvicorn), [typer](https://github.com/fastapi/typer), [click](https://github.com/pallets/click), [openai](https://github.com/openai/openai-python), [cachetools](https://github.com/tkem/cachetools), [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) and [ruff](https://github.com/astral-sh/ruff) to permit the latest version.

Updates `fastapi` from 0.136.1 to 0.136.3
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.1...0.136.3)

Updates `uvicorn` from 0.47.0 to 0.48.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.47.0...0.48.0)

Updates `typer` from 0.25.1 to 0.26.4
- [Release notes](https://github.com/fastapi/typer/releases)
- [Changelog](https://github.com/fastapi/typer/blob/master/docs/release-notes.md)
- [Commits](fastapi/typer@0.25.1...0.26.4)

Updates `click` from 8.4.0 to 8.4.1
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.4.0...8.4.1)

Updates `openai` to 2.38.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](openai/openai-python@v2.37.0...v2.38.0)

Updates `cachetools` to 7.1.4
- [Changelog](https://github.com/tkem/cachetools/blob/master/CHANGELOG.rst)
- [Commits](tkem/cachetools@v7.1.3...v7.1.4)

Updates `sqlalchemy` to 2.0.50
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `ruff` from 0.15.14 to 0.15.15
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.14...0.15.15)

---
updated-dependencies:
- dependency-name: cachetools
  dependency-version: 7.1.4
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: click
  dependency-version: 8.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: fastapi
  dependency-version: 0.136.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: openai
  dependency-version: 2.38.0
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: ruff
  dependency-version: 0.15.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-deps
- dependency-name: sqlalchemy
  dependency-version: 2.0.50
  dependency-type: direct:production
  dependency-group: python-deps
- dependency-name: typer
  dependency-version: 0.26.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
- dependency-name: uvicorn
  dependency-version: 0.48.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title from "chore(deps): bump the python-deps group with 8 updates" to "chore(deps): bump the python-deps group across 1 directory with 8 updates" May 31, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/python-deps-254e76bd61 branch from 14096bb to 3059df8 May 31, 2026 10:27

@cursor cursor Bot left a comment

PR risk assessment (automation)

Risk level: Medium
Code review: Required
Automation action: No approval; existing reviewer retained

Re-evaluation (synchronize)

This run reassessed commit 3059df8 against base 58e959f after the PR was updated. Compared to the prior automation head (14096bb), the dependency delta is minor: Typer 0.26.2 → 0.26.4 (patch within the already-breaking 0.26 line), plus manifest parity tweaks (httpx pin restored, jinja2 casing). Risk level unchanged (Medium). No prior approval to revoke.

Evidence (diff-only)

| Area | Finding |
| --- | --- |
| Files touched | Only pyproject.toml and requirements.txt — version pins; no application source changes. |
| Blast radius | Eight runtime/dev dependencies on the core stack: FastAPI, Uvicorn, Typer, Click, OpenAI client, cachetools, SQLAlchemy, and Ruff (dev). |
| Notable upstream behavior | Typer 0.26.x vendors Click (breaking change in 0.26.0; repo uses Typer in cli/). FastAPI 0.136.3 tightens underscore-header handling. SQLAlchemy 2.0.50 ships ORM/SQL bug fixes that can change query results. Uvicorn 0.48.0 changes SSL cipher defaults and proxy forwarding-header handling. |
| CI | Snyk, GitGuardian, and Vercel checks passing at assessment time; Smoke/Analyze/Extension jobs still pending. |

Why Medium (not Low / Very Low)

The on-disk change is small, but it upgrades multiple production-critical libraries in one grouped bump, including an upstream breaking Typer release line and several behavior-affecting fixes. Regression risk warrants human review of release notes and CLI/API smoke paths even when CI is green.

Why not High

No auth model, schema migration, infrastructure, or application logic edits — only dependency manifests.

Reviewers

  • Already requested: madara88645 (1 reviewer). Not adding more (under the max-2 cap and review already requested).
  • No CODEOWNERS file in repo.

Slack

Slack notification was not sent: no SLACK_BOT_TOKEN / webhook configured in this agent environment.


Assessment derived from diff 58e959f…3059df8 only; PR description claims ignored per security policy.

Sent by Cursor Automation: Assign PR reviewers
