Bump uvicorn from 0.38.0 to 0.40.0

[dependabot]

Bumps uvicorn from 0.38.0 to 0.40.0.

Release notes

Sourced from uvicorn's releases.

Version 0.40.0

What's Changed

• Drop Python 3.9 by @​Kludex in Kludex/uvicorn#2772

Full Changelog: Kludex/uvicorn@0.39.0...0.40.0

Version 0.39.0

What's Changed

• explicitly start ASGI run with empty context by @​pmeier in Kludex/uvicorn#2742
• fix(websockets): Send close frame on ASGI return by @​Kludex in Kludex/uvicorn#2769

New Contributors

• @​pmeier made their first contribution in Kludex/uvicorn#2742

Full Changelog: Kludex/uvicorn@0.38.0...0.39.0

Changelog

Sourced from uvicorn's changelog.

0.40.0 (December 21, 2025)

Remove

• Drop support for Python 3.9 (#2772)

0.39.0 (December 21, 2025)

Fixed

• Send close frame on ASGI return for WebSockets (#2769)
• Explicitly start ASGI run with empty context (#2742)

Commits

• 9ff6004 Version 0.40.0 (#2773)
• 19df042 Drop Python 3.9 (#2772)
• 865ce7c Run strict mypy on test suite (#2771)
• 4f40b84 Version 0.39.0 (#2770)
• 5692dfc fix(websockets): Send close frame on ASGI return (#2769)
• 4194764 chore(deps): bump the github-actions group with 2 updates (#2763)
• d94bf28 explicitly start ASGI run with empty context (#2742)
• 8ae0bcb chore(deps): bump the github-actions group with 2 updates (#2748)
• 4744ff9 Add groups configuration for GitHub Actions (#2747)
• 0391372 chore(deps): bump astral-sh/setup-uv from 6.8.0 to 7.1.2 (#2746)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[overcut-ai]

Completed Working on "Code Review"

✅ No .overcut/review chunk files found in workspace; no comments to post. Review submission not required.

---

👉 View complete log

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
pip/uvicorn	0.40.0	Unknown	Unknown

Scanned Files

• Pipfile.lock

[gkorland]

@dependabot rebase