chore: bump the python-test-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the python-test-dependencies group with 5 updates in the /tests/requirements-python directory:

Package	From	To
cryptography	46.0.5	46.0.7
filelock	3.25.1	3.25.2
pytest	9.0.2	9.0.3
requests	2.33.0	2.33.1
stripe	14.4.1	15.0.1

Updates cryptography from 46.0.5 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:
46.0.6 - 2026-03-25

• SECURITY ISSUE: Fixed a bug where name constraints were not applied to peer names during verification when the leaf certificate contains a wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug, including those used by the Web PKI. Credit to Oleh Konko (1seal) for reporting the issue. CVE-2026-34073

.. _v46-0-5:

Commits

• 622d672 46.0.7 release (#14602)
• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Updates filelock from 3.25.1 to 3.25.2

Release notes

Sourced from filelock's releases.

3.25.2

What's Changed

• 🐛 fix(unix): suppress EIO on close in Docker bind mounts by @​gaborbernat in tox-dev/filelock#513

Full Changelog: tox-dev/filelock@3.25.1...3.25.2

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.26.1 (2026-04-09)

---

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
• build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

---

3.26.0 (2026-04-06)

---

• ✨ feat(soft): add PID inspection and lock breaking :pr:524
• [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
• Remove persist-credentials: false from release job :pr:520
• [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
• 🔒 ci(workflows): add zizmor security auditing :pr:517
• [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

---

3.25.2 (2026-03-11)

---

• 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

---

3.25.1 (2026-03-09)

---

• [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
• 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511
• [pre-commit.ci] pre-commit autoupdate :pr:508 - by :user:pre-commit-ci[bot]
• 📝 docs(logo): add branded project logo :pr:507

---

3.25.0 (2026-03-01)

---

• ✨ feat(async): add AsyncReadWriteLock :pr:506
• Standardize .github files to .yaml suffix
• build(deps): bump actions/download-artifact from 7 to 8 :pr:503 - by :user:dependabot[bot]
• build(deps): bump actions/upload-artifact from 6 to 7 :pr:502 - by :user:dependabot[bot]
• Move SECURITY.md to .github/SECURITY.md
• Add security policy
• Add permissions to check workflow :pr:500

... (truncated)

Commits

• 5b9872c Release 3.25.2
• 42b740a 🐛 fix(unix): suppress EIO on close in Docker bind mounts (#513)
• See full diff in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates requests from 2.33.0 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

New Contributors

• @​ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

Commits

• 111d2b7 v2.33.1
• f0198e6 Fix malformed value parsing for Content-Type (#7309)
• bc7dd0f Fix cosmetic header validity parsing regex (#7308)
• 4443b1a Fix unintended test extra (#7306)
• 389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
• 7407309 Packaging: DRY out extras definition (#7277)
• See full diff in compare view

Updates stripe from 14.4.1 to 15.0.1

Release notes

Sourced from stripe's releases.

v15.0.1

• #1786 Fix encoding two-dimensional array request params
• #1785 Improve types for metadata and other dict-like types
• #1780 Fix str / repr for StripeObjects with decimals & add support for plain dicts

See the changelog for more details.

v15.0.0

This release changes the pinned API version to 2026-03-25.dahlia and contains breaking changes (prefixed with ⚠️ below). There's also a detailed migration guide to simplify your upgrade process.

Please review details for the breaking changes and alternatives in the Stripe API changelog before upgrading.

• ⚠️ Breaking change: #1769 Add decimal_string coercion for v1 and v2 API fields

  • All decimal_string fields changed type from str to decimal.Decimal in both request params and response objects. Code that reads or writes these fields as str will need to use Decimal instead. Affected fields across v1 and v2 APIs:
    • checkout.Session: fx_rate
    • climate.Order: metric_tons; climate.Product: metric_tons_available
    • CreditNoteLineItem: unit_amount_decimal
    • InvoiceItem: quantity_decimal, unit_amount_decimal
    • InvoiceLineItem: quantity_decimal, unit_amount_decimal
    • issuing.Authorization / issuing.Transaction (and TestHelpers): quantity_decimal, unit_cost_decimal, gross_amount_decimal, local_amount_decimal, national_amount_decimal
    • Plan: amount_decimal, flat_amount_decimal, unit_amount_decimal
    • Price: unit_amount_decimal, flat_amount_decimal (including currency_options and tiers)
    • v2.core.Account / v2.core.AccountPerson: percent_ownership
    • Request params on Invoice, Product, Quote, Subscription, SubscriptionItem, SubscriptionSchedule, PaymentLink: unit_amount_decimal, flat_amount_decimal, quantity_decimal (where applicable)

• [⚠️ Breaking change:#1767](stripe/stripe-python#1767) Throw an error when using the wrong webhook parsing method

• ⚠️ Breaking change: #1764 Drop support for Python 3.7 & 3.8

• ⚠️ Breaking change: #1762 StripeObject no longer inherits from dict

  • StripeObject no longer inherits from dict, so any dict methods will no longer exist, including .get(), .update(), and notably, .items().
  • or convenience, it's still possible to check presence with 'some_key' in some_obj and check for equality between stripe objects. But most key/value iteration needs an extra step
  • To access the underlying data as a dict, call some_obj.to_dict(), which recursively dumps all stripe-provided classes into native Python types. This is a read-only view; changes to the output of to_dict() won't affect the original object.
  • Write operations can still be done with dot notation (some_obj.val = 123) or bracket notation (some_obj["val"] = 123). Do that instead of trying to interact with the underlying data store, as the implementation is considered private and may change without warning in the future.

See the changelog for more details.

v14.5.0b1

This release changes the pinned API version to 2026-02-25.preview.

• #1727 Update generated code for beta
  • Add support for smart_disputes on Account.Setting, AccountCreateParamsSetting, AccountModifyParamsSetting, V2.Core.Account.Configuration.Merchant, v2.core.AccountCreateParamsConfigurationMerchant, and v2.core.AccountModifyParamsConfigurationMerchant
  • Add support for email_customers_on_successful_payment on Account.Setting.Payment, AccountCreateParamsSettingPayment, and AccountModifyParamsSettingPayment
  • Add support for managed_payments on Checkout.Session, PaymentIntent, SetupIntent, Subscription, and checkout.SessionCreateParams
  • Add support for new value lk_vat on enums Checkout.Session.CollectedInformation.TaxId.type, Order.TaxDetail.TaxId.type, and QuotePreviewInvoice.CustomerTaxId.type
  • Add support for new value lk_vat on enums OrderCreateParamsTaxDetailTaxId.type and OrderModifyParamsTaxDetailTaxId.type
  • Add support for new value pay_by_bank on enum QuotePreviewInvoice.PaymentSetting.payment_method_types
  • Add support for new values bt_bank_account, cr_bank_account, do_bank_account, gt_bank_account, md_bank_account, mk_bank_account, mo_bank_account, mz_bank_account, pe_bank_account, pk_bank_account, tw_bank_account, and uz_bank_account on enum V2.Core.Account.Configuration.Recipient.DefaultOutboundDestination.type
  • Add support for purpose on V2.MoneyManagement.OutboundPayment and v2.money_management.OutboundPaymentCreateParams
  • Add support for branch_number and swift_code on V2.MoneyManagement.PayoutMethod.BankAccount
  • Change V2.MoneyManagement.Transaction.flow and V2.MoneyManagement.TransactionEntry.TransactionDetail.flow to be optional
  • Add support for error codes storer_capability_missing and storer_capability_not_active on QuotePreviewInvoice.LastFinalizationError

... (truncated)

Changelog

Sourced from stripe's changelog.

15.0.1 - 2026-04-01

• #1786 Fix encoding two-dimensional array request params
• #1785 Improve types for metadata and other dict-like types
• #1780 Fix str / repr for StripeObjects with decimals & add support for plain dicts

15.0.0 - 2026-03-25

This release changes the pinned API version to 2026-03-25.dahlia and contains breaking changes (prefixed with ⚠️ below). There's also a detailed migration guide to simplify your upgrade process.

Please review details for the breaking changes and alternatives in the Stripe API changelog before upgrading.

• ⚠️ Breaking change: #1769 Add decimal_string coercion for v1 and v2 API fields

  • All decimal_string fields changed type from str to decimal.Decimal in both request params and response objects. Code that reads or writes these fields as str will need to use Decimal instead. Affected fields across v1 and v2 APIs:
    • checkout.Session: fx_rate
    • climate.Order: metric_tons; climate.Product: metric_tons_available
    • CreditNoteLineItem: unit_amount_decimal
    • InvoiceItem: quantity_decimal, unit_amount_decimal
    • InvoiceLineItem: quantity_decimal, unit_amount_decimal
    • issuing.Authorization / issuing.Transaction (and TestHelpers): quantity_decimal, unit_cost_decimal, gross_amount_decimal, local_amount_decimal, national_amount_decimal
    • Plan: amount_decimal, flat_amount_decimal, unit_amount_decimal
    • Price: unit_amount_decimal, flat_amount_decimal (including currency_options and tiers)
    • v2.core.Account / v2.core.AccountPerson: percent_ownership
    • Request params on Invoice, Product, Quote, Subscription, SubscriptionItem, SubscriptionSchedule, PaymentLink: unit_amount_decimal, flat_amount_decimal, quantity_decimal (where applicable)

• [⚠️ Breaking change:#1767](stripe/stripe-python#1767) Throw an error when using the wrong webhook parsing method

• ⚠️ Breaking change: #1764 Drop support for Python 3.7 & 3.8

• ⚠️ Breaking change: #1762 StripeObject no longer inherits from dict

  • StripeObject no longer inherits from dict, so any dict methods will no longer exist, including .get() and notably, .items().
    • For convenience, it's still possible to check key presence with 'some_key' in some_obj. To replicate .get() behavior, use getattr(obj, 'some_key', None) for now. We've got some improvements around accessing properties that may not be present planned, but getattr works for now.
    • .update() has been retained for easier interaction with metadata, but it's not really intended for use on full objects.
    • Equality between StripeObjects still works: it checks for equality between the same class and underlying data.
  • To access the underlying data as a dict, call some_obj.to_dict(), which recursively dumps all stripe-provided classes into native Python types. This is a read-only view; changes to the output of to_dict() won't affect the original object.
  • Write operations can still be done with dot notation (some_obj.val = 123) or bracket notation (some_obj["val"] = 123). Do that instead of trying to interact with the underlying data store, as the implementation is considered private and may change without warning in the future.

⚠️ Breaking changes due to changes in the Stripe API

• Generated changes from #1749, #1771, #1773, #1775
  • Add support for upi_payments on Account.Capability, AccountCreateParamsCapability, and AccountModifyParamsCapability
  • Add support for upi on Charge.PaymentMethodDetail, Checkout.Session.PaymentMethodOption, ConfirmationToken.PaymentMethodPreview, ConfirmationTokenCreateParamsPaymentMethodDatum, Mandate.PaymentMethodDetail, PaymentAttemptRecord.PaymentMethodDetail, PaymentIntent.PaymentMethodOption, PaymentIntentConfirmParamsPaymentMethodDatum, PaymentIntentConfirmParamsPaymentMethodOption, PaymentIntentCreateParamsPaymentMethodDatum, PaymentIntentCreateParamsPaymentMethodOption, PaymentIntentModifyParamsPaymentMethodDatum, PaymentIntentModifyParamsPaymentMethodOption, PaymentMethodConfigurationCreateParams, PaymentMethodConfigurationModifyParams, PaymentMethodConfiguration, PaymentMethodCreateParams, PaymentMethod, PaymentRecord.PaymentMethodDetail, SetupAttempt.PaymentMethodDetail, SetupIntent.PaymentMethodOption, SetupIntentConfirmParamsPaymentMethodDatum, SetupIntentConfirmParamsPaymentMethodOption, SetupIntentCreateParamsPaymentMethodDatum, SetupIntentCreateParamsPaymentMethodOption, SetupIntentModifyParamsPaymentMethodDatum, SetupIntentModifyParamsPaymentMethodOption, and checkout.SessionCreateParamsPaymentMethodOption
  • Add support for new value tempo on enums Charge.PaymentMethodDetail.Crypto.network, PaymentAttemptRecord.PaymentMethodDetail.Crypto.network, and PaymentRecord.PaymentMethodDetail.Crypto.network
  • Add support for integration_identifier on Checkout.Session and checkout.SessionCreateParams
  • Add support for new value upi on enums PaymentIntent.excluded_payment_method_types, PaymentIntentConfirmParams.excluded_payment_method_types, PaymentIntentCreateParams.excluded_payment_method_types, PaymentIntentModifyParams.excluded_payment_method_types, SetupIntent.excluded_payment_method_types, SetupIntentCreateParams.excluded_payment_method_types, SetupIntentModifyParams.excluded_payment_method_types, and checkout.SessionCreateParams.excluded_payment_method_types
  • Add support for crypto on checkout.SessionCreateParamsPaymentMethodOption
  • Add support for new value upi on enum checkout.SessionCreateParams.payment_method_types
  • Add support for pending_invoice_item_interval on checkout.SessionCreateParamsSubscriptionDatum
  • Add support for new values elements, embedded_page, form, and hosted_page on enums Checkout.Session.ui_mode and checkout.SessionCreateParams.ui_mode
  • Add support for new value marine_carbon_removal on enum Climate.Supplier.removal_pathway
  • Add support for new value upi on enums ConfirmationTokenCreateParamsPaymentMethodDatum.type, PaymentIntentConfirmParamsPaymentMethodDatum.type, PaymentIntentCreateParamsPaymentMethodDatum.type, PaymentIntentModifyParamsPaymentMethodDatum.type, SetupIntentConfirmParamsPaymentMethodDatum.type, SetupIntentCreateParamsPaymentMethodDatum.type, and SetupIntentModifyParamsPaymentMethodDatum.type
  • Add support for new value upi on enums ConfirmationToken.PaymentMethodPreview.type and PaymentMethod.type
  • Add support for metadata on CreditNoteCreateParamsLine, CreditNoteLineItem, CreditNotePreviewLinesParamsLine, and CreditNotePreviewParamsLine

... (truncated)

Commits

• e3ee617 Bump version to 15.0.1
• f6b17f7 Fix 2D array parameter encoding (#1786)
• 628da69 improve types for metadata and other dict-like types (#1785)
• 601875a tweak changelog
• 38deb0b Fix JSON serialization (and str / repr) for objects with decimals & add s...
• 04d8bfd Bump version to 15.0.0
• 03b1d60 Update generated code (#1775)
• 618d3b3 Add decimal_string coercion for v1 and v2 API fields (#1769)
• 18f4f88 ⚠️ Throw an error when using the wrong webhook parsing method (#1767)
• 8841462 Update generated code for v2205 and (#1773)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions