@dependabot dependabot bot commented on behalf of github Dec 1, 2025

Bumps the production-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| click | 8.3.0 | 8.3.1 |
| falcon | 4.0.2 | 4.2.0 |
| msgpack | 1.1.0 | 1.1.2 |
| pytest | 8.4.2 | 9.0.1 |
| ruff | 0.14.3 | 0.14.7 |
| symbolic | 12.16.3 | 12.17.0 |
| werkzeug | 3.1.3 | 3.1.4 |

Updates click from 8.3.0 to 8.3.1

Release notes

Sourced from click's releases.

8.3.1

This is the Click 8.3.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.1/
Changes: https://click.palletsprojects.com/page/changes/#version-8-3-1
Milestone: https://github.com/pallets/click/milestone/28

  • Don't discard pager arguments by correctly using subprocess.Popen. #3039 #3055
  • Replace Sentinel.UNSET default values by None as they're passed through the Context.invoke() method. #3066 #3065 #3068
  • Fix conversion of Sentinel.UNSET happening too early, which caused incorrect behavior for multiple parameters using the same name. #3071 #3079
  • Fix rendering when prompt and confirm parameter prompt_suffix is empty. #3019 #3021
  • When Sentinel.UNSET is found during parsing, it will skip calls to type_cast_value. #3069 #3090
  • Hide Sentinel.UNSET values as None when looking up for other parameters through the context inside parameter callbacks. #3136 #3137
Changelog

Sourced from click's changelog.

Version 8.3.1

Released 2025-11-15

  • Don't discard pager arguments by correctly using subprocess.Popen. :issue:3039 :pr:3055
  • Replace Sentinel.UNSET default values by None as they're passed through the Context.invoke() method. :issue:3066 :issue:3065 :pr:3068
  • Fix conversion of Sentinel.UNSET happening too early, which caused incorrect behavior for multiple parameters using the same name. :issue:3071 :pr:3079
  • Hide Sentinel.UNSET values as None when looking up for other parameters through the context inside parameter callbacks. :issue:3136 :pr:3137
  • Fix rendering when prompt and confirm parameter prompt_suffix is empty. :issue:3019 :pr:3021
  • When Sentinel.UNSET is found during parsing, it will skip calls to type_cast_value. :issue:3069 :pr:3090
Commits
  • 1d038f2 release version 8.3.1
  • 03f3889 Fix Ruff UP038 warning (#3141)
  • 3867781 Fix Ruff UP038 warning
  • b91bb95 Provide altered context to callbacks to hide UNSET values as None (#3137)
  • 437e1e3 Temporarily provide a fake context to the callback to hide UNSET values as ...
  • ea70da4 Don't test using a file in docs/ (#3102)
  • e27b307 Make uv run --all-extras pyright --verifytypes click pass (#3072)
  • a92c573 Fix test_edit to work with BSD sed (#3129)
  • bd131e1 Fix test_edit to work with BSD sed
  • 0b5c6b7 Add Best practices section (#3127)
  • Additional commits viewable in compare view

Updates falcon from 4.0.2 to 4.2.0

Release notes

Sourced from falcon's releases.

4.2.0

Falcon 4.2.0 primarily contains typing enhancements and performance optimizations. This release also marks the debut of pre-compiled wheels for the free-threaded CPython 3.14 build. Let us know if you are experimenting with scaling Falcon applications using free-threading!

🐍 Falcon 4.2.0 on PyPI 📚 Changelog on RtD

The typing improvements focus on making the WSGI and ASGI App types generic (parametrized by the request and response types). This should make it significantly easier to properly annotate applications that leverage custom request and/or response types.

Additionally, we have fixed a reproducibility issue (thanks to @​bmwiedemann from openSUSE for reporting!) in our documentation build process. Regarding packaging Falcon for distributions in general, we would like to remind you of the Packaging Guide that was published with the previous Falcon release (4.1.0). We hope this guide proves useful.

This release also incorporates a number of pull requests submitted by our community. Sincere thanks to all 8 contributors who made this release possible!

4.2.0rc1

This is the first release candidate of Falcon 4.2.0.

We would greatly appreciate it if you could help us with testing on your apps! If you use type checking, please also check how the new generic App types (and other typing improvements) work for you. Let us know if you run into any issues!

🐍 4.2.0rc1 on PyPI 📚 Changelog on RtD

As always, you can grab this pre-release from PyPI:

pip install falcon==4.2.0rc1

Thank You!

4.1.0

This release contains enhancements to media handling, serving static files, and a fix for the WebSockets-sink interaction, alongside performance optimizations and full support for CPython 3.14.

🐍 Falcon 4.1.0 on PyPI 📚 Changelog on RtD

During this release cycle, we have migrated to publishing to PyPI with a Trusted Publisher (thanks to @​webknjaz for helping to iron out the workflow details).

For those relying on other package distribution channels than PyPI, we have prepared a brand new Packaging Guide for Falcon. Please check it out and let us know what you think! Additionally, we have formalized our security maintenance policy as well as the status of stable releases: Releases and Versioning.

This release also incorporates many pull requests submitted by our community. We would like to extend our heartfelt thanks to all 17 contributors who made this release possible!

... (truncated)

Commits
  • 5544589 chore: prepare 4.2.0 stable (#2575)
  • 684adbb fix(cibw): use the correct arch/os for ARM cp314t wheels (#2573)
  • d31d9ac chore(release): prepare 4.2.0rc1 (#2571)
  • a75d864 feat(platform): provide selected cp314t (free-threading) wheels (#2555)
  • 4dcd4fe docs: polish documentation before 4.2.0 release (#2570)
  • 2702ae6 fix: ensure reproducible documentation builds wrt SOURCE_DATE_EPOCH (#2568)
  • 9971742 chore: update devcontainer to Python 3.13 with improved setup (#2566)
  • 73b7637 Fixes Raises section of some request method docstrings (#2557)
  • d7d203d chore: add a new Gold Patron LambdaTest (#2554)
  • 6bee1aa feat(routing): add support for QUERY HTTP method (#2541)
  • Additional commits viewable in compare view

Updates msgpack from 1.1.0 to 1.1.2

Release notes

Sourced from msgpack's releases.

v1.1.2

What's Changed

New Contributors

Full Changelog: msgpack/msgpack-python@v1.1.1...v1.1.2

v1.1.1

What's Changed

New Contributors

Full Changelog: msgpack/msgpack-python@v1.1.0...v1.1.1

v1.1.1rc1

What's Changed

New Contributors

Full Changelog: msgpack/msgpack-python@v1.1.0...v1.1.1rc1

Changelog

Sourced from msgpack's changelog.

1.1.2

Release Date: 2025-10-08

This release does not change source code. It updates only building wheels:

  • Update Cython to v3.1.4
  • Update cibuildwheel to v3.2.0
  • Drop Python 3.8
  • Add Python 3.14
  • Add windows-arm

1.1.1

Release Date: 2025-06-13

  • No change from 1.1.1rc1.

1.1.1rc1

Release Date: 2025-06-06

  • Update Cython to 3.1.1 and cibuildwheel to 2.23.3.
Commits

Updates pytest from 8.4.2 to 9.0.1

Release notes

Sourced from pytest's releases.

9.0.1

pytest 9.0.1 (2025-11-12)

Bug fixes

  • #13895: Restore support for skipping tests via raise unittest.SkipTest.
  • #13896: The terminal progress plugin added in pytest 9.0 is now automatically disabled when iTerm2 is detected, it generated desktop notifications instead of the desired functionality.
  • #13904: Fixed the TOML type of the verbosity settings in the API reference from number to string.
  • #13910: Fixed UserWarning: Do not expect file_or_dir on some earlier Python 3.12 and 3.13 point versions.

Packaging updates and notes for downstreams

  • #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

Contributor-facing changes

  • #13891, #13942: The CI/CD part of the release automation is now capable of creating GitHub Releases without having a Git checkout on disk -- by bluetech and webknjaz.
  • #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

9.0.0

pytest 9.0.0 (2025-11-05)

New features

  • #1367: Support for subtests has been added.

    subtests <subtests> are an alternative to parametrization, useful in situations where the parametrization values are not all known at collection time.

    Example:

    from pathlib import Path
    import pytest

    def contains_docstring(p: Path) -> bool:
        """Return True if the given Python file contains a top-level docstring."""
        ...

    def test_py_files_contain_docstring(subtests: pytest.Subtests) -> None:
        for path in Path.cwd().glob("*.py"):
            with subtests.test(path=str(path)):
                assert contains_docstring(path)

... (truncated)

Commits
  • d1b64aa Prepare release version 9.0.1
  • 0a497c7 regendoc: remove CI environment variables (#13950) (#13951)
  • a9f7e6e 🧪 Run gh release w/o Git in CI/CD (#13942) (#13947)
  • 2682a66 Merge pull request #13944 from pytest-dev/patchback/backports/9.0.x/bef7d34f1...
  • a999997 Merge pull request #13941 from nicoddemus/min-pre-commit-version
  • 4bd63a0 Merge pull request #13935 from pytest-dev/patchback/backports/9.0.x/ce8b8a7b4...
  • 15f93b3 Merge pull request #13933 from webknjaz/maintenance/tox-pep517-env-setuptools...
  • 0fa11ae Merge pull request #13927 from pytest-dev/patchback/backports/9.0.x/3d8075743...
  • fa45470 Merge pull request #13926 from pytest-dev/patchback/backports/9.0.x/d587e0cf8...
  • b4e3973 Merge pull request #13922 from bluetech/fix-argparse-userwarning
  • Additional commits viewable in compare view

Updates ruff from 0.14.3 to 0.14.7

Release notes

Sourced from ruff's releases.

0.14.7

Release Notes

Released on 2025-11-28.

Preview features

  • [flake8-bandit] Handle string literal bindings in suspicious-url-open-usage (S310) (#21469)
  • [pylint] Fix PLR1708 false positives on nested functions (#21177)
  • [pylint] Fix suppression for empty dict without tuple key annotation (PLE1141) (#21290)
  • [ruff] Add rule RUF066 to detect unnecessary class properties (#21535)
  • [ruff] Catch more dummy variable uses (RUF052) (#19799)

Bug fixes

  • [server] Set severity for non-rule diagnostics (#21559)
  • [flake8-implicit-str-concat] Avoid invalid fix in (ISC003) (#21517)
  • [parser] Fix panic when parsing IPython escape command expressions (#21480)

CLI

  • Show partial fixability indicator in statistics output (#21513)

Contributors

Install ruff 0.14.7

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.14.7/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/ruff/releases/download/0.14.7/ruff-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.7

Released on 2025-11-28.

Preview features

  • [flake8-bandit] Handle string literal bindings in suspicious-url-open-usage (S310) (#21469)
  • [pylint] Fix PLR1708 false positives on nested functions (#21177)
  • [pylint] Fix suppression for empty dict without tuple key annotation (PLE1141) (#21290)
  • [ruff] Add rule RUF066 to detect unnecessary class properties (#21535)
  • [ruff] Catch more dummy variable uses (RUF052) (#19799)

Bug fixes

  • [server] Set severity for non-rule diagnostics (#21559)
  • [flake8-implicit-str-concat] Avoid invalid fix in (ISC003) (#21517)
  • [parser] Fix panic when parsing IPython escape command expressions (#21480)

CLI

  • Show partial fixability indicator in statistics output (#21513)

Contributors

0.14.6

Released on 2025-11-21.

Preview features

  • [flake8-bandit] Support new PySNMP API paths (S508, S509) (#21374)

Bug fixes

  • Adjust own-line comment placement between branches (#21185)
  • Avoid syntax error when formatting attribute expressions with outer parentheses, parenthesized value, and trailing comment on value (#20418)
  • Fix panic when formatting comments in unary expressions (#21501)
  • Respect fmt: skip for compound statements on a single line (#20633)
  • [refurb] Fix FURB103 autofix (#21454)

... (truncated)

Commits

Updates symbolic from 12.16.3 to 12.17.0

Updates werkzeug from 3.1.3 to 3.1.4

Release notes

Sourced from werkzeug's releases.

3.1.4

This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Werkzeug/3.1.4/
Changes: https://werkzeug.palletsprojects.com/page/changes/#version-3-1-4
Milestone: https://github.com/pallets/werkzeug/milestone/42?closed=1

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. ghsa-hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. #3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. #3065
  • Improve CPU usage during Watchdog reloader. #3054
  • Request.json annotation is more accurate. #3067
  • Traceback rendering handles when the line number is beyond the available source lines. #3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. #3056
Changelog

Sourced from werkzeug's changelog.

Version 3.1.4

Released 2025-11-28

  • safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. :ghsa:hgf8-39gv-g3f2
  • The debugger pin fails after 10 attempts instead of 11. :pr:3020
  • The multipart form parser handles a \r\n sequence at a chunk boundary. :issue:3065
  • Improve CPU usage during Watchdog reloader. :issue:3054
  • Request.json annotation is more accurate. :issue:3067
  • Traceback rendering handles when the line number is beyond the available source lines. :issue:3044
  • HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. :issue:3056
Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Dec 1, 2025
@dependabot dependabot bot requested a review from a team as a code owner December 1, 2025 11:38
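The Werkzeug 3.1.4 note above says `safe_join` now rejects Windows special device names so that `send_from_directory` cannot read from them. The following is an added example of that kind of check, not Werkzeug's code and not part of this PR. It assumes the classic DOS device name list and applies the check on every platform; `is_windows_device_name` and `join_under` are hypothetical names.

```python
import posixpath
from typing import Optional

# Assumption: the classic DOS device names; not copied from Werkzeug's source.
WINDOWS_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(10)]
    + [f"LPT{i}" for i in range(10)]
)


def is_windows_device_name(segment: str) -> bool:
    """Return True if one path segment would open a DOS device on Windows."""
    # Windows ignores trailing dots and spaces and everything after the first
    # dot, so "nul", "NUL.txt" and "con ." all refer to the device.
    stem = segment.rstrip(". ").split(".", 1)[0].rstrip(" ")
    return stem.upper() in WINDOWS_DEVICE_NAMES


def join_under(base: str, untrusted: str) -> Optional[str]:
    """Join an untrusted relative path under base, or return None if unsafe."""
    if not untrusted or "\x00" in untrusted:
        return None
    # Treat backslashes as separators so Windows-style input is checked too.
    normalized = posixpath.normpath(untrusted.replace("\\", "/"))
    # Reject absolute paths and anything that climbs out of the base directory.
    if normalized == ".." or normalized.startswith(("/", "../")):
        return None
    # Reject drive letters and NTFS alternate data streams.
    if ":" in normalized:
        return None
    # Reject device names in any segment, not only the final one.
    if any(is_windows_device_name(part) for part in normalized.split("/")):
        return None
    return posixpath.join(base, normalized)
```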
@biancadanforth

@dependabot rebase

Bumps the production-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [click](https://github.com/pallets/click) | `8.3.0` | `8.3.1` |
| [falcon](https://github.com/falconry/falcon) | `4.0.2` | `4.2.0` |
| [msgpack](https://github.com/msgpack/msgpack-python) | `1.1.0` | `1.1.2` |
| [pytest](https://github.com/pytest-dev/pytest) | `8.4.2` | `9.0.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.14.3` | `0.14.7` |
| symbolic | `12.16.3` | `12.17.0` |
| [werkzeug](https://github.com/pallets/werkzeug) | `3.1.3` | `3.1.4` |


Updates `click` from 8.3.0 to 8.3.1
- [Release notes](https://github.com/pallets/click/releases)
- [Changelog](https://github.com/pallets/click/blob/main/CHANGES.rst)
- [Commits](pallets/click@8.3.0...8.3.1)

Updates `falcon` from 4.0.2 to 4.2.0
- [Release notes](https://github.com/falconry/falcon/releases)
- [Changelog](https://github.com/falconry/falcon/blob/master/RELEASE.md)
- [Commits](falconry/falcon@4.0.2...4.2.0)

Updates `msgpack` from 1.1.0 to 1.1.2
- [Release notes](https://github.com/msgpack/msgpack-python/releases)
- [Changelog](https://github.com/msgpack/msgpack-python/blob/main/ChangeLog.rst)
- [Commits](msgpack/msgpack-python@v1.1.0...v1.1.2)

Updates `pytest` from 8.4.2 to 9.0.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.4.2...9.0.1)

Updates `ruff` from 0.14.3 to 0.14.7
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.14.3...0.14.7)

Updates `symbolic` from 12.16.3 to 12.17.0

Updates `werkzeug` from 3.1.3 to 3.1.4
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.3...3.1.4)

---
updated-dependencies:
- dependency-name: click
  dependency-version: 8.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: falcon
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: msgpack
  dependency-version: 1.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: pytest
  dependency-version: 9.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: ruff
  dependency-version: 0.14.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: symbolic
  dependency-version: 12.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: werkzeug
  dependency-version: 3.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/production-dependencies-7d38efb47a branch from b144783 to 37c779e Compare December 2, 2025 21:22

@biancadanforth biancadanforth left a comment


Unfortunately, this won't work to fix the error in the Verify Requirements step of the CI workflow for the reasons in the comments below.

@biancadanforth

See mozilla-services/socorro#7099 (comment) for why I had to update requirements.txt.

I had to also further constrain the version of pip due to this comment.

@biancadanforth

biancadanforth commented Dec 4, 2025

The falcon upgrade likely is what broke the test_sentry_scrubbing test in test_sentry.py. The vars field for the first frame in the stacktrace went from {} to an object with a bunch of variables. Since the first frame in the stacktrace in this case is from the Falcon framework, we can't control what vars are reported here, so to be safe, we omit this field entirely from the event reported to Sentry, as also done in Antenna.

The other changes to the test are for the same reason as described in the latest Antenna dependabot group update PR: mozilla-services/antenna#1306 (comment).
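One way to omit frame `vars` from an event before it is sent, as the comment above describes. This is an added example, not code from Socorro or Antenna. It assumes the Sentry event layout (`exception.values[].stacktrace.frames[]`) and the `before_send(event, hint)` hook signature of `sentry_sdk`; the sample event and the names `drop_frame_vars` and `frames_with_vars` are constructed for illustration.

```python
def _stacktraces(event):
    """Yield each stacktrace dict in a Sentry event (exceptions, threads, top level)."""
    for key in ("exception", "threads"):
        container = event.get(key) or {}
        # The SDK wraps entries in {"values": [...]}; tolerate a bare list too.
        entries = container.get("values") if isinstance(container, dict) else container
        for entry in entries or []:
            if isinstance(entry, dict) and entry.get("stacktrace"):
                yield entry["stacktrace"]
    if event.get("stacktrace"):
        yield event["stacktrace"]


def drop_frame_vars(event, hint=None):
    """before_send-style hook: remove local variables from every stack frame.

    Framework frames (here, Falcon's) can capture request objects and WSGI
    environ data, so the field is dropped for all frames rather than filtered.
    """
    for stacktrace in _stacktraces(event):
        for frame in stacktrace.get("frames") or []:
            frame.pop("vars", None)
    return event


def frames_with_vars(event):
    """Return the function names of frames that still carry a `vars` field."""
    return [
        frame.get("function")
        for stacktrace in _stacktraces(event)
        for frame in stacktrace.get("frames") or []
        if "vars" in frame
    ]


# Constructed sample event: one framework frame and one application frame,
# both carrying local variables that should not leave the process.
SAMPLE_EVENT = {
    "level": "error",
    "exception": {
        "values": [
            {
                "type": "Exception",
                "value": "intentional exception",
                "stacktrace": {
                    "frames": [
                        {
                            "function": "__call__",
                            "module": "falcon.app",
                            "vars": {"env": {"HTTP_AUTHORIZATION": "Bearer constructed-token"}},
                        },
                        {
                            "function": "on_get",
                            "module": "example_app.resources",
                            "vars": {"api_key": "constructed-secret"},
                        },
                    ]
                },
            }
        ]
    },
}

# Wiring it up (assumes sentry_sdk is installed and a DSN is configured):
# sentry_sdk.init(dsn=..., before_send=drop_frame_vars)
```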


@biancadanforth biancadanforth left a comment


Going to self R+, but I talked this over with @smarnach , and he agrees with the changes.

Edit: Once again, this is more evidence to support switching to uv, which I hope to do later this month in CRINGE-7.

@biancadanforth biancadanforth added this pull request to the merge queue Dec 4, 2025
Merged via the queue into main with commit 42d2097 Dec 4, 2025
1 check passed
@biancadanforth biancadanforth deleted the dependabot/pip/production-dependencies-7d38efb47a branch December 4, 2025 20:02