chore(deps): bump the python-deps group with 7 updates

[dependabot]

Updates the requirements on httpx, fastapi, uvicorn, python-multipart, jinja2, cryptography and pytest-asyncio to permit the latest version.
Updates httpx to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

• The verify argument as a string argument is now deprecated and will raise warnings.
• The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

• The deprecated proxies argument has now been removed.
• The deprecated app argument has now been removed.
• JSON request bodies use a compact representation. (#3363)
• Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
• Ensure certifi and httpcore are only imported if required. (#3377)
• Treat socks5h as a valid proxy scheme. (#3178)
• Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
• Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

0.27.2 (27th August, 2024)

Fixed

• Reintroduced supposedly-private URLTypes shortcut. (#2673)

0.27.1 (27th August, 2024)

Added

• Support for zstd content decoding using the python zstandard package is added. Installable using httpx[zstd]. (#3139)

Fixed

• Improved error messaging for InvalidURL exceptions. (#3250)
• Fix app type signature in ASGITransport. (#3109)

0.27.0 (21st February, 2024)

... (truncated)

Commits

• 26d48e0 Version 0.28.1 (#3445)
• 89599a9 Fix verify=False, cert=... case. (#3442)
• 8ecb86f Add test for request params behavior changes (#3364) (#3440)
• 0cb7e5a Bump the python-packages group with 11 updates (#3434)
• 15e21e9 Updating deprecated docstring Client() class (#3426)
• 80960fa Version 0.28.0. (#3419)
• a33c878 Fix extensions type annotation. (#3380)
• ce7e14d Error on verify as str. (#3418)
• 47f4a96 Handle empty zstd responses (#3412)
• 189fc4b Update CHANGELOG.md, fix typo(s) (#3406)
• Additional commits viewable in compare view

Updates fastapi to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates uvicorn to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

• Support ws_max_size in wsproto implementation (#2915)
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

• Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

Changed

• Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
• Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

... (truncated)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• 479a2c0 Version 0.47.0 (#2937)
• 89347fd Add 7-day cooldown for dependency resolution via uv exclude-newer (#2936)
• 767315b Drop unused contents/actions permissions from zizmor workflow (#2935)
• f25ee43 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#2933)
• 8782666 Fix typo in docs/deployment/index.md. (#2932)
• ad5ff87 Treat fd=0 as a valid file descriptor with reload/workers (#2927)
• Additional commits viewable in compare view

Updates python-multipart to 0.0.29

Release notes

Sourced from python-multipart's releases.

Version 0.0.29

What's Changed

• Handle malformed RFC 2231 continuations in parse_options_header by @​manunio in Kludex/python-multipart#270

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

• Speed up partial-boundary tail scan via bytes.find #281.
• Cap multipart boundary length at 256 bytes #282.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

0.0.20 (2024-12-16)

• Handle messages containing only end boundary #142.

... (truncated)

Commits

• e3d6853 Version 0.0.29 (#288)
• a60dcdc Handle malformed RFC 2231 continuations in parse_options_header (#270)
• 75c33b2 Add 7-day cooldown for dependency resolution via uv exclude-newer (#286)
• a078b8e Bump urllib3 from 2.6.3 to 2.7.0 (#285)
• 7d8d28b Version 0.0.28 (#284)
• b0dd125 Cap multipart boundary length at 256 bytes (#282)
• d1b5739 Speed up partial-boundary tail scan via bytes.find (#281)
• 09cb8c3 Make the long_boundary benchmark dominated by the patched code path (#280)
• a6467c9 Revert "Switch CodSpeed benchmarks to walltime mode" (#279)
• 9a96900 Switch CodSpeed benchmarks to walltime mode (#278)
• Additional commits viewable in compare view

Updates jinja2 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/ Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

• The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

• The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
• Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
• Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
• Calling sync render for an async template uses asyncio.run. :pr:1952
• Avoid unclosed auto_aiter warnings. :pr:1960
• Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
• Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
• Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
• The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
• Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
• |int filter handles OverflowError from scientific notation. :issue:1921
• Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
• Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
• Fix copy/pickle support for the internal missing object. :issue:2027
• Environment.overlay(enable_async) is applied correctly. :pr:2061
• The error message from FileSystemLoader includes the paths that were searched. :issue:1661
• PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
• Improve annotations for methods returning copies. :pr:1880
• urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

• 1520688 release version 3.1.6
• 90457bb Merge commit from fork
• 065334d attr filter uses env.getattr
• 033c200 start version 3.1.6
• bc68d4e use global contributing guide (#2070)
• 247de5e use global contributing guide
• ab8218c use project advisory link instead of global
• b4ffc8f release version 3.1.5 (#2066)
• 877f6e5 release version 3.1.5
• 8d58859 remove test pypi
• Additional commits viewable in compare view

Updates cryptography to 48.0.0

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04

* **BACKWARDS INCOMPATIBLE:** Support for Python 3.8 has been removed.
  ``cryptography`` now requires Python 3.9 or later.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 CRL whose inner
  ``TBSCertList.signature`` algorithm does not match the outer
  ``signatureAlgorithm`` now raises ``ValueError``. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.
* Added support for :doc:`/hazmat/primitives/asymmetric/mlkem` and
  :doc:`/hazmat/primitives/asymmetric/mldsa` when using OpenSSL 3.5.0 or
  later, in addition to the existing AWS-LC and BoringSSL support. This means
  post-quantum algorithms are now available to users of our wheels.

Note: Going forward, we do not guarantee that all functionality

in cryptography will be available when building against

OpenSSL. See :doc:/statements/state-of-openssl for more information.

.. _v47-0-0:
47.0.0 - 2026-04-24

• Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
• BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
• BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
• BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
• BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:~cryptography.exceptions.UnsupportedAlgorithm instead of ValueError. This change affects :func:~cryptography.hazmat.primitives.serialization.load_pem_private_key, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key, :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key, :func:~cryptography.hazmat.primitives.serialization.load_der_public_key, and :meth:~cryptography.x509.Certificate.public_key when called on certificates with unsupported public key algorithms.
• BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
• Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES. In a

... (truncated)

Commits

• 8e03e30 bump for 48.0.0 release (#14796)
• 295e0d2 Add AGENTS.md with CLAUDE.md symlink (#14794)
• 104a2de Bump BoringSSL, OpenSSL, AWS-LC in CI (#14793)
• 67ec1e5 call check_length early on AesSiv::encrypt (#14792)
• b2da57a changelog for mldsa/mlkem for openssl (#14791)
• 3cf44ad ML-KEM OpenSSL support (#14781)
• 2e31639 ML-DSA OpenSSL support (#14773)
• 5affe5a fix rust nightly clippy (#14790)
• 2e73ca4 bump rust-openssl dep and update EcPoint::mul_generator to mul_generator2 (#1...
• 82ebd3b Bump BoringSSL, OpenSSL, AWS-LC in CI (#14785)
• Additional commits viewable in compare view

Updates pytest-asyncio to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
• Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

• Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

• Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

Commits

• 6e14cd2 chore: Prepare release of v1.4.0.
• 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
• ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
• a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
• e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
• fc43340 Build(deps): Bump idna from 3.14 to 3.15
• 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
• b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
• 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
• 82a393c ci: Remove unnecessary debug output.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions