Skip to content

chore(deps): bump the uv group across 1 directory with 3 updates#3174

Merged
snopoke merged 1 commit into
mainfrom
dependabot/uv/uv-8b45fedaa0
Apr 16, 2026
Merged

chore(deps): bump the uv group across 1 directory with 3 updates#3174
snopoke merged 1 commit into
mainfrom
dependabot/uv/uv-8b45fedaa0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the uv group with 3 updates in the / directory: pytest, langsmith and python-multipart.

Updates pytest from 8.3.5 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

Updates langsmith from 0.3.45 to 0.7.31

Release notes

Sourced from langsmith's releases.

v0.7.31

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.30...v0.7.31

v0.7.30

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.29...v0.7.30

v0.7.29

What's Changed

Full Changelog: langchain-ai/langsmith-sdk@v0.7.28...v0.7.29

v0.7.28

What's Changed

... (truncated)

Commits
  • c434999 release(py): 0.7.31 (#2716)
  • 47d7c4a feat: Filter kwargs from new token events (#2714)
  • 3c57445 chore(deps-dev): bump rich from 14.3.3 to 15.0.0 in /python (#2708)
  • 2be6cd0 chore(deps-dev): bump types-psutil from 7.2.2.20260130 to 7.2.2.20260408 in /...
  • b8b6ca3 chore(deps-dev): bump the js-minor-and-patch group across 1 directory with 7 ...
  • 9897cb3 chore(deps): bump actions/github-script from 8 to 9 (#2706)
  • 572c018 chore(deps-dev): bump @​anthropic-ai/sdk from 0.85.0 to 0.86.0 in /js (#2702)
  • 5744752 chore(deps): bump the py-minor-and-patch group across 1 directory with 10 upd...
  • 960cae7 chore(deps): bump pnpm/action-setup from 5 to 6 (#2705)
  • 9370e76 chore(deps-dev): bump types-tqdm from 4.67.3.20260303 to 4.67.3.20260408 in /...
  • Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.26

Release notes

Sourced from python-multipart's releases.

Version 0.0.26

What's Changed

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

New Contributors

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.26 (2026-04-10)

  • Skip preamble before the first multipart boundary more efficiently #262.
  • Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

  • Add MIME content type info to File #143.
  • Handle CTE values case-insensitively #258.
  • Remove custom FormParser classes #257.
  • Add UPLOAD_DELETE_TMP to FormParser config #254.
  • Emit field_end for trailing bare field names on finalize #230.
  • Handle multipart headers case-insensitively #252.
  • Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

  • Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

  • Remove unused trust_x_headers parameter and X-File-Name fallback #196.
  • Return processed length from QuerystringParser._internal_write #229.
  • Cleanup metadata dunders from __init__.py #227.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the uv group across 1 directory with 3 updates
ffb9890 
Bumps the uv group with 3 updates in the / directory: [pytest](https://github.com/pytest-dev/pytest), [langsmith](https://github.com/langchain-ai/langsmith-sdk) and [python-multipart](https://github.com/Kludex/python-multipart).


Updates `pytest` from 8.3.5 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.5...9.0.3)

Updates `langsmith` from 0.3.45 to 0.7.31
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.3.45...v0.7.31)

Updates `python-multipart` from 0.0.22 to 0.0.26
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.22...0.0.26)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: uv
- dependency-name: langsmith
  dependency-version: 0.7.31
  dependency-type: indirect
  dependency-group: uv
- dependency-name: python-multipart
  dependency-version: 0.0.26
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Apr 16, 2026
@claude

claude Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🔍 Dependency Analysis Summary

This PR bundles 4 effective package updates (3 explicit + 1 transitive):

Package Old → New Type Risk
pytest 8.3.5 → 9.0.3 MAJOR MEDIUM
langsmith 0.3.45 → 0.7.31 VERY LARGE jump LOW (transitive dep)
python-multipart 0.0.22 → 0.0.26 MINOR LOW
pytest-httpx 0.35.0 → 0.36.2 MINOR (cascade) LOW

Overall Risk: LOW — No OCS code changes required; the security fix in pytest 9.0.3 makes this worth merging promptly.

📋 Detailed Changelog Review

pytest 8.3.5 → 9.0.3

Notable in 9.0.0:

  • pygments is now a required dependency (added in lock file as expected)
  • Terminal progress bar introduced (disabled by default on non-Windows)
  • The private config.inicfg attribute changed; a compatibility shim was added in 9.0.2 and will be formally deprecated in 9.1

Bug fixes (9.0.1–9.0.3):

  • Blocked conftest.py via -p no: now raises a clear UsageError instead of an internal assertion failure
  • Fixed crash when a test raises an ExceptionGroup with __tracebackhide__ = True
  • Fixed pytest.approx mapping key order comparison

🔒 Security fix in 9.0.3: CVE-2025-71176 — Use of insecure temporary directory. This alone is a compelling reason to merge.

OCS impact:

  • addopts = "--strict-markers" still works unchanged
  • No conftest blocking via -p no: in OCS config
  • No unusual pytest internals used — standard test infrastructure

langsmith 0.3.45 → 0.7.31

This is a very large jump (40+ releases spanning roughly ~10 months), but the risk to OCS is low because:

  • OCS does not import langsmith directly. The single string "langsmith:hidden" in apps/service_providers/tracing/callback.py:11 is just a constant tag name, not an import.
  • langsmith is a transitive dependency of langchain_core / langchain_community / langgraph, which OCS uses via BaseCallbackHandler.
  • Major changes in the 0.4–0.7 range include: new OTEL/OpenTelemetry exporter integration, Claude Agent SDK tracing, OpenAI Agents SDK tracing, a sandbox execution feature, and uuid-utils/xxhash as new performance dependencies (both now appear in lock file).

Notable fixes across the range:

  • Run tree memory leak fix (0.7.30)
  • Race condition around Claude Agent SDK instrumentation fix (0.7.29)

OCS impact: None expected. The langchain abstractions OCS uses (BaseCallbackHandler) are stable across this range.

python-multipart 0.0.22 → 0.0.26

0.0.23 (potentially breaking):

  • Removed trust_x_headers parameter and X-File-Name fallback from FormParser
  • Cleanup of metadata dunders from __init__.py

0.0.24–0.0.26:

  • chunk_size validation in parse_form()
  • Removed custom FormParser classes
  • Case-insensitive multipart header handling
  • Better preamble/epilogue handling

OCS impact: Searched apps/ for trust_x_headers, FormParser, QuerystringParser — no direct usage found. python-multipart is used transitively (likely via Django or a related package). No code changes needed.

pytest-httpx 0.35.0 → 0.36.2 (transitive)

Not listed explicitly in the PR title but updated in uv.lock. OCS uses httpx_mock.add_response() across 7 test files — this is the stable core API and is unchanged in this range.

⚠️ Impact Assessment

Breaking Changes Found: No OCS code changes required.

Security Fixes: Yes — CVE-2025-71176 in pytest 9.0.3 (insecure temp dir).

Affected Files: None — all changes are additive or fix internal issues.

New transitive dependencies added by langsmith 0.7.x:

  • uuid-utils — drop-in performance replacement for stdlib uuid
  • xxhash — fast hashing library

These are safe additions used internally by langsmith.

🛠️ Recommendations

Action Required: None. No OCS source files need updating.

Testing Focus:

  • Run the full test suite to confirm pytest 9.0 compatibility: uv run pytest apps/ -x --tb=short
  • Pay attention to any ExceptionGroup-related tests since pytest 9.0 changed traceback handling there
  • Verify tests using httpx_mock fixture still pass (7 test files)

Merge Recommendation:APPROVE — the CVE fix in pytest 9.0.3 makes this a priority merge. No code changes needed.

📚 Useful Links

@snopoke snopoke merged commit c097d8d into main Apr 16, 2026
9 checks passed
@snopoke snopoke deleted the dependabot/uv/uv-8b45fedaa0 branch April 16, 2026 06:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@snopoke snopoke snopoke approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@snopoke