deps(py): bump marshmallow from 3.26.2 to 4.2.2

[dependabot]

Bumps marshmallow from 3.26.2 to 4.2.2.

Changelog

Sourced from marshmallow's changelog.

4.2.2 (2026-02-04)

Bug fixes:

• Fix behavior of fields.Contant(None) (:issue:2868). Thanks :user:T90REAL for reporting and emmanuel-ferdman for the fix.

4.2.1 (2026-01-23)

Bug fixes:

• Fix validation of URLs beginning with uppercare FILE (:issue:2891). Thanks :user:thanhlecongg for reporting and fixing.

4.2.0 (2026-01-04)

Other changes:

• many argument of Nested properly overrides schema instance value (:pr:2854). Thanks :user:jafournier for the PR.

4.1.2 (2025-12-19)

Bug fixes:

• :cve:2025-68480: Merge error store messages without rebuilding collections. Thanks 카푸치노 for reporting and :user:deckar01 for the fix.

4.1.1 (2025-11-05)

Bug fixes:

• Ensure URL validator is case-insensitive when using custom schemes (:pr:2874). Thanks :user:T90REAL for the PR.

4.1.0 (2025-11-01)

Other changes:

• Add __len__ implementation to missing so that it can be used with validate.Length <marshmallow.validate.Length> (:pr:2861). Thanks :user:agentgodzilla for the PR.
• Drop support for Python 3.9 (:pr:2363).

... (truncated)

Commits

• 2a3812d Bump version and update changelog
• 19ca8dc Fix Constant field rejecting None values during load (#2894)
• 213ee3a [pre-commit.ci] pre-commit autoupdate (#2896)
• ba8b512 Update AUTHORS.rst
• 40105ad Bump version and update changelog
• 39e7c83 Merge pull request #2892 from thanhlecongg/fix-2891
• 78a94ea Fix docstring typo
• 8dc078e fix issue #2891
• c62b911 add tests for issue #2891
• d07bf5e [pre-commit.ci] pre-commit autoupdate (#2887)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Upgrade marshmallow from 3.26.2 to 4.2.2 to pick up bug and security fixes. This is a major upgrade and drops Python 3.9 support.

• Dependencies

  • Bumped to 4.2.2 in pyproject.toml, requirements.txt, and requirements-nginx.txt.
  • Upstream highlights: Python 3.9 dropped; fixes for URL validation, fields.Constant(None), and an error-message merge CVE.

• Migration

  • Ensure runtime is Python 3.10+.
  • Run schema load/dump tests and check for changed validation errors or field behavior.

^{Written for commit 29e5dd1. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 3 files