mirror of
https://github.com/evroon/bracket.git
synced 2026-06-11 02:04:33 -04:00
master
1349 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
dependabot[bot]
|
e0a455995f |
Bump mypy from 1.20.0 to 2.0.0 in /backend (#1709)
Bumps [mypy](https://github.com/python/mypy) from 1.20.0 to 2.0.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/python/mypy/blob/master/CHANGELOG.md">mypy's changelog</a>.</em></p> <blockquote> <h1>Mypy Release Notes</h1> <h2>Next Release</h2> <h2>Mypy 2.1</h2> <p>We’ve just uploaded mypy 2.1.0 to the Python Package Index (<a href="https://pypi.org/project/mypy/">PyPI</a>). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:</p> <pre><code>python3 -m pip install -U mypy </code></pre> <p>You can read the full documentation for this release on <a href="http://mypy.readthedocs.io">Read the Docs</a>.</p> <h3>librt.vecs: Fast Growable Array Type for Mypyc</h3> <p>The new <code>librt.vecs</code> module provides an efficient growable array type <code>vec</code> that is optimized for mypyc use. It provides fast, packed arrays with integer and floating point value types, which can be <strong>several times faster</strong> than <code>list</code>, and tens of times faster than <code>array.array</code> in code compiled using mypyc. It also supports nested <code>vec</code> objects and non-value-type items, such as <code>vec[vec[str]]</code>.</p> <p>Refer to the <a href="https://mypyc.readthedocs.io/en/latest/librt_vecs.html">documentation</a> for the details.</p> <p>Contributed by Jukka Lehtosalo.</p> <h3>librt.random: Fast Pseudo-Random Number Generation</h3> <p>The new <code>librt.random</code> module provides fast pseudo-random number generation that is optimized for code compiled using mypyc. It can be 3x to 10x faster than the stdlib <code>random</code> module in compiled code.</p> <p>Refer to the <a href="https://mypyc.readthedocs.io/en/latest/librt_random.html">documentation</a> for the details.</p> <p>Contributed by Jukka Lehtosalo (PR <a href="https://redirect.github.com/python/mypy/pull/21433">21433</a>).</p> <h3>Mypyc Improvements</h3> <ul> <li>Enable incremental self-compilation (Vaggelis Danias, PR <a href="https://redirect.github.com/python/mypy/pull/21369">21369</a>)</li> <li>Make compilation order with multiple files consistent (Piotr Sawicki, PR <a href="https://redirect.github.com/python/mypy/pull/21419">21419</a>)</li> <li>Fix crash on accessing <code>StopAsyncIteration</code> (Piotr Sawicki, PR <a href="https://redirect.github.com/python/mypy/pull/21406">21406</a>)</li> <li>Fix incremental compilation with <code>separate</code> flag (Vaggelis Danias, PR <a href="https://redirect.github.com/python/mypy/pull/21299">21299</a>)</li> </ul> <h3>Fixes to Crashes</h3> <ul> <li>Fix crash on partial type with <code>--allow-redefinition</code> and <code>global</code> declaration (Jukka Lehtosalo, PR <a href="https://redirect.github.com/python/mypy/pull/21428">21428</a>)</li> <li>Fix broken awaitable generator patching (Ivan Levkivskyi, PR <a href="https://redirect.github.com/python/mypy/pull/21435">21435</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
4f1dc6ae80 |
Bump pyrefly from 0.63.1 to 0.64.1 in /backend (#1710)
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.63.1 to 0.64.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/pyrefly/releases">pyrefly's releases</a>.</em></p> <blockquote> <h2>Pyrefly v0.64.1</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/facebook/pyrefly/compare/0.64.0...0.64.1">https://github.com/facebook/pyrefly/compare/0.64.0...0.64.1</a></p> <h2>Pyrefly v0.64.0</h2> <p><strong>Status : BETA</strong> <em>Release date: May 05, 2026</em></p> <p>Pyrefly v0.64.0 bundles <strong>190 commits</strong> from <strong>20 contributors</strong>.</p> <hr /> <h2>✨ New & Improved</h2> <table> <thead> <tr> <th>Area</th> <th>What's new</th> </tr> </thead> <tbody> <tr> <td><strong>Type Checking</strong></td> <td>- You can now pass generic or overloaded callables to higher-order functions and Pyrefly will preserve their structure in the return type. For example, <code>identity(identity)</code> now correctly returns a generic callable instead of degrading to <code>Unknown</code>. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Same-scope class rebinds (like <code>Real = Dummy</code> after <code>class Real</code>) are now checked against the original class as if it were an implicit <code>type[Real]</code> annotation, preventing silent type changes and fixing spurious constructor-call errors. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Generic classes with missing type arguments in lax mode now default to <code>Any</code> instead of raising variance errors, improving consistency with how we handle other incomplete types. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Pydantic <code>field_validator</code> decorators with <code>mode='before'</code> and <code>mode='plain'</code> are now supported, allowing validators to accept broader input types before coercion. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Spurious unpack diagnostics are no longer emitted when the right-hand side involves <code>Never</code> (e.g. <code>a, b, c = never()</code> or <code>a, b = (never(), 1)</code>). The unpack solver is now <code>Never</code>-aware, recognizing that the producing expression cannot complete and any error message at the unpack site would be misleading. <!-- raw HTML omitted --><!-- raw HTML omitted -->- <code>assert</code> statements now check that <code>__bool__</code> is callable on the test expression, matching the behavior already in place for <code>if</code>, <code>while</code>, and ternary expressions (and aligning with mypy and pyright).</td> </tr> <tr> <td><strong>Language Server</strong></td> <td>- The language server now advertises both <code>source.fixAll</code> and <code>source.fixAll.pyrefly</code> code action kinds, enabling selective fix-on-save configuration across editors that implement the LSP protocol. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Document highlights now correctly distinguish between read and write references, setting <code>DocumentHighlightKind::WRITE</code> for assignments and declarations. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Go-to-definition on relative imports in site-packages files now correctly resolves to the package source instead of returning null when a <code>pyproject.toml</code> exists at the project root. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Notebook cell index resolution has been fixed to prevent mismatches between code cells and markdown cells, eliminating panics and incorrect byte offset calculations in Jupyter notebooks. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Cross-module "find references" (external references) is now enabled by default, returning references across the entire project rather than just the current file. <!-- raw HTML omitted --><!-- raw HTML omitted -->- A new quick fix turns the existing "Did you mean <code>Foo.BAR</code>?" diagnostic note for missing enum members into a code action that replaces the offending string literal with the proper enum member access. <!-- raw HTML omitted --><!-- raw HTML omitted -->- A new <code># pyrefly: ignore</code> quick fix inserts a suppression comment for the diagnostic at the cursor, automatically merging into an existing pyrefly-ignore directive on the same line or on a comment-only line above when present. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Numeric parameter defaults now preserve their source spelling (e.g. <code>0o777</code>, <code>0xFF</code>, <code>0b101</code>) in hover and signature display rather than being normalized to decimal. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Code actions documentation has been added to the IDE Supported Features page, covering quick fixes and <code>source.fixAll.pyrefly</code> configuration.</td> </tr> <tr> <td><strong>Onboarding & VS Code Extension</strong></td> <td>- A redesigned unconfigured-project experience: when no <code>pyrefly.toml</code> is found, Pyrefly auto-detects nearby <code>mypy.ini</code>, <code>pyrightconfig.json</code>, or <code>[tool.mypy]</code>/<code>[tool.pyright]</code> sections in <code>pyproject.toml</code> and synthesizes an in-memory configuration migrated from those settings (using the <code>legacy</code> or <code>default</code> preset respectively). With no detectable configuration, the new <code>basic</code> preset is used. <!-- raw HTML omitted --><!-- raw HTML omitted -->- A new <code>python.pyrefly.typeCheckingMode</code> workspace setting (auto / off / basic / legacy / default / strict, default <code>auto</code>) lets users pick a preset for files not covered by an explicit Pyrefly configuration, directly from the VS Code settings UI. The legacy <code>python.pyrefly.displayTypeErrors</code> setting is now deprecated, with values transparently mapped to the new model. <!-- raw HTML omitted --><!-- raw HTML omitted -->- A new <code>python.pyrefly.disableTypeErrors</code> workspace setting provides a clean per-workspace kill switch for diagnostics, independent of the type-checking mode. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The VS Code status bar has been redesigned: it now shows the active preset (e.g. "Pyrefly (Legacy)", "Pyrefly (Basic)") and the tooltip explains why that preset was chosen and links to the relevant docs. <!-- raw HTML omitted --><!-- raw HTML omitted -->- After a <code>pyrefly check</code> on an unconfigured project, the CLI now prints a short upsell to <strong>stderr</strong> explaining what configuration was synthesized and pointing at <code>pyrefly init</code>. The message is routed to stderr so machine-readable stdout formats (e.g. <code>--output-format json</code>) remain untouched.</td> </tr> <tr> <td><strong>Configuration</strong></td> <td>- Configuration presets (<code>off</code>, <code>basic</code>, <code>legacy</code>, <code>default</code>, <code>strict</code>) are now available via the <code>preset</code> option, providing named collections of error severities and behavior settings as a base configuration that user settings can override. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The <code>legacy</code> preset is now used by <code>pyrefly init</code> for mypy migration, disabling checks mypy doesn't have and setting looser inference defaults. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The <code>implicit-any</code> error code has been split into sub-kinds (<code>implicit-any-attribute</code>, <code>implicit-any-empty-container</code>, <code>implicit-any-parameter</code>, <code>implicit-any-type-argument</code>) with <code>implicit-any</code> as the parent, allowing finer-grained control over where implicit <code>Any</code> is flagged. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The <code>unbound-name</code> error is now disabled in the <code>legacy</code> preset to match mypy's default behavior, which does not flag possibly-undefined variables.</td> </tr> <tr> <td><strong>Error Reporting</strong></td> <td>- A new <code>incompatible-overload-residual</code> error kind has been introduced for cases where all branches of an overloaded callable are pruned during higher-order function analysis, making it easier to configure these errors independently. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Error messages for all-pruned overload residuals now describe the incompatibility in terms of "solved type variables" rather than "solved type constraints" for better clarity. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The <code>pyrefly suppress</code> command now correctly handles removal of unused ignores via the <code>--remove-unused</code> flag, which was previously broken.</td> </tr> <tr> <td><strong>Factory Boy Support</strong></td> <td>- Pyrefly now infers the correct model return types for <code>create()</code>, <code>build()</code>, <code>create_batch()</code>, and <code>build_batch()</code> methods on <code>DjangoModelFactory</code> subclasses by reading the inner <code>Meta.model</code> attribute. <!-- raw HTML omitted --><!-- raw HTML omitted -->- False-positive <code>bad-override</code> errors on the inner <code>Meta</code> class in factory-boy factories are now suppressed, matching how we handle Django and Marshmallow.</td> </tr> <tr> <td><strong>Reporting</strong></td> <td>- The <code>pyrefly report</code> JSON output now includes a <code>path</code> field on each <code>ModuleReport</code>, for compatibility with typestats and similar tooling.</td> </tr> <tr> <td><strong>Performance</strong></td> <td>- Deeply-nested dict literals no longer cause exponential memory growth during type inference. A depth-25 dict literal that previously consumed ~7.7 GB now uses ~239 MB by computing the union of field types on demand instead of storing it redundantly. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Callable residual finalization has been optimized to avoid redundant type cloning and traversals, reducing memory churn in attribute-heavy code. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Eliminated some bugs that caused Pyrefly to unnecessarily analyze dependencies, improving latency and memory use, especially in the IDE.</td> </tr> </tbody> </table> <hr /> <h2>🐛 bug fixes</h2> <p>We closed <strong>15</strong> bug issues this release 👏</p> <ul> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3057">#3057</a>: Fixed an issue where string concatenation with the <code>+</code> operator was incorrectly flagging <code>str</code> as not assignable to <code>LiteralString</code> attributes. Pyrefly now preserves <code>LiteralString</code> style when adding two explicit string literals and uses implicit style otherwise.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/105">#105</a>: Fixed premature type pinning in function calls where arguments were incorrectly narrowed before all constraints were solved. For example, <code>foo(x, y)</code> with <code>x: int | None</code> and <code>y: int | None</code> no longer incorrectly narrows <code>x</code> to <code>None</code> when passed to a generic <code>foo[T](https://github.com/facebook/pyrefly/blob/HEAD/a: T, b: T)</code>.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3198">#3198</a>: Fixed <code>pyrefly suppress --remove-unused</code> which was not actually removing unused error suppressions. The command now correctly processes the <code>--remove-unused</code> flag.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3024">#3024</a>: The language server now advertises <code>source.fixAll.pyrefly</code> in addition to <code>source.fixAll</code>, allowing users to selectively enable or disable Pyrefly's fix-all actions in editors that support LSP code action kinds.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2819">#2819</a>: Fixed incorrect variance errors when using generic classes like Pydantic's <code>RootModel</code> in lax mode. Missing type arguments now degrade to <code>Any</code> instead of raising errors, matching our handling of other incomplete types.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3000">#3000</a>: Fixed "find references" failures in Cursor and other editors caused by relative imports in site-packages not resolving correctly when a <code>pyproject.toml</code> existed at the project root.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2563">#2563</a>: Fixed go-to-definition on relative imports in virtual environment site-packages, which was returning null because the project root's import path was matching before the more specific site-package prefix.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3193">#3193</a>: Fixed an error where <code>list["A|B"]</code> was incorrectly rejected as <code>not-a-type</code>. Type argument subscripts are now bound as type expressions even in value context, allowing forward-ref strings to be parsed.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3286">#3286</a>: Fixed exponential memory blowup when type-checking deeply-nested dict literals, which could cause VSCode to be killed by the OS. Memory usage for a depth-25 dict dropped from ~7.7 GB to ~239 MB.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3261">#3261</a>: Fixed a false positive <code>bad-class-definition</code> when a dataclass field was assigned inside a <code>@classmethod</code> or <code>__init_subclass__</code>. Pyrefly was incorrectly extracting these as dataclass fields, even though Python's <code>dataclasses.dataclass</code> ignores them at runtime.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2914">#2914</a>: <code>assert</code> statements now flag a non-callable <code>__bool__</code> on the test expression, closing a gap that previously only caught the issue inside <code>if</code>, <code>while</code>, and ternary expressions.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2867">#2867</a>: Fixed <code>urlunparse</code> being inferred as returning <code>Literal[b'']</code> instead of <code>str</code>. The fix reworks <code>as_superclass</code> so tuple-like <code>NamedTuple</code> subclasses are upcast through their erased tuple element types, which stops <code>ParseResult</code> from spuriously matching <code>Iterable[None]</code> and selecting the bytes overload.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3266">#3266</a>: Added a quick fix for the existing "Did you mean <code>Foo.BAR</code>?" diagnostic note for missing enum members, turning the suggestion into a code action that rewrites the surrounding string literal.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3230">#3230</a>: Numeric parameter defaults now preserve their original spelling (e.g. <code>0o777</code>) in hover and signature display rather than being normalized to a decimal value.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3302">#3302</a>: Added a <code>path</code> field to the <code>pyrefly report</code> JSON <code>ModuleReport</code>, restoring compatibility with typestats.</li> </ul> <p>Thank-you to all our contributors who found these bugs and reported them! Did you know this is one of the most helpful contributions you can make to an open-source project? If you find any bugs in Pyrefly we want to know about them! Please open a bug report issue <a href="https://github.com/facebook/pyrefly/issues">here</a></p> <hr /> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
9a47d9cf6a |
Bump gunicorn from 25.3.0 to 26.0.0 in /backend (#1708)
Bumps [gunicorn](https://github.com/benoitc/gunicorn) from 25.3.0 to 26.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/benoitc/gunicorn/releases">gunicorn's releases</a>.</em></p> <blockquote> <h2>26.0.0</h2> <h2>Breaking Changes</h2> <ul> <li><strong>Eventlet worker removed</strong>: The <code>eventlet</code> worker class has been dropped. Migrate to <code>gevent</code>, <code>gthread</code>, or <code>tornado</code>.</li> </ul> <h2>New Features</h2> <ul> <li><strong>ASGI Framework Compatibility Suite</strong>: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).</li> <li><strong>ASGI Test Suite Expansion</strong>: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.</li> </ul> <h2>Security</h2> <ul> <li><strong>HTTP/1.1 Request-Target Validation</strong> (RFC 9112 sections 3.2.3, 3.2.4): <ul> <li>Reject <code>authority-form</code> request-target outside <code>CONNECT</code></li> <li>Reject <code>asterisk-form</code> request-target outside <code>OPTIONS</code></li> <li>Reject <code>relative-reference</code> request-targets</li> </ul> </li> <li><strong>Header Field Hardening</strong> (RFC 9110): <ul> <li>Reject control characters in header field-value (section 5.5)</li> <li>Reject forbidden trailer field-names (section 6.5.1)</li> <li>Reject <code>Content-Length</code> list form (RFC 9112 section 6.3)</li> </ul> </li> <li><strong>Request Smuggling Hardening</strong>: <ul> <li>Tighten keepalive gate and scope <code>finish_body</code> byte cap</li> <li>Keep <code>_body_receiver</code> alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body</li> <li>Address parser/protocol findings from a six-point WSGI/ASGI audit</li> </ul> </li> <li><strong>PROXY Protocol (ASGI)</strong>: Enforce <code>proxy_allow_ips</code> and tighten v1/v2 parsing in the ASGI callback parser.</li> <li><strong>Connection Draining</strong>: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.</li> </ul> <h2>Bug Fixes</h2> <ul> <li><strong>Body Framing on HEAD/204/304</strong>: <ul> <li>Keep <code>Content-Length</code> on HEAD and 304 responses (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3621">#3621</a>)</li> <li>Drop body framing on HEAD/204/304 even when the framework set it</li> <li>Warn once when an ASGI app emits a body for a no-body response</li> </ul> </li> <li><strong>HTTP/2 ASGI</strong>: <ul> <li>Fix <code>_handle_stream_ended</code> to set <code>_body_complete</code> in the async HTTP/2 handler so request bodies finalize correctly on stream end</li> <li>Add <code>InvalidChunkExtension</code> mapping and fast-parser support in ASGI tests (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3565">#3565</a>)</li> </ul> </li> <li><strong>HTTP/1.1 100-Continue</strong>: Stop adding <code>Transfer-Encoding: chunked</code> to 100-Continue interim responses.</li> <li><strong>WebSocket Close Handshake</strong> (RFC 6455): <ul> <li>Comply with the close handshake state machine</li> <li>Close the transport after the close handshake completes</li> <li>Fix binary send when the <code>text</code> key is <code>None</code></li> </ul> </li> <li><strong>Early Hints</strong>: Validate headers in the <code>early_hints</code> callback to match <code>process_headers</code>; pass only the header name to <code>InvalidHeader</code> (<a href="https://redirect.github.com/benoitc/gunicorn/issues/3588">#3588</a>).</li> <li><strong>ASGI Framework Fixes</strong>: <ul> <li>Fix ASGI disconnect handling for Django-style apps</li> <li>Fix Litestar request handling (use raw ASGI receive for body/headers)</li> <li>Fix Litestar HTTP endpoints for compatibility tests</li> <li>Fix Quart headers endpoint to normalize keys to lowercase</li> <li>Fix Quart WebSocket close test app (missing <code>accept()</code>)</li> <li>Fix duplicate <code>Transfer-Encoding</code> header for BlackSheep streaming</li> </ul> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
280a573976 |
Bump starlette from 1.0.0 to 1.0.1 in /backend (#1706)
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.0 to 1.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/releases">starlette's releases</a>.</em></p> <blockquote> <h2>Version 1.0.1</h2> <h2>What's Changed</h2> <ul> <li>Ignore malformed <code>Host</code> header when constructing <code>request.url</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3279">Kludex/starlette#3279</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/1.0.0...1.0.1">https://github.com/Kludex/starlette/compare/1.0.0...1.0.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's changelog</a>.</em></p> <blockquote> <h2>1.0.1 (May 21, 2026)</h2> <h4>Fixed</h4> <ul> <li>Ignore malformed <code>Host</code> header when constructing <code>request.url</code> <a href="https://redirect.github.com/encode/starlette/pull/3279">#3279</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
0b8e32af0a |
Bump sentry-sdk from 2.58.0 to 2.59.0 in /backend (#1704)
Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 2.58.0 to 2.59.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/releases">sentry-sdk's releases</a>.</em></p> <blockquote> <h2>2.59.0</h2> <h3>New Features ✨</h3> <h4>Langchain</h4> <ul> <li>Record <code>run_name</code> as <code>gen_ai.function_id</code> on Invoke Agent Spans by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5926">#5926</a></li> <li>Record <code>run_name</code> in <code>on_tool_start</code> by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5925">#5925</a></li> <li>Record <code>run_name</code> in <code>on_chat_model_start</code> by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5924">#5924</a></li> </ul> <h4>Other</h4> <ul> <li>(ci) Cancel in-progress PR workflows on new commit push by <a href="https://github.com/joshuarli"><code>@joshuarli</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5994">#5994</a></li> <li>(consts) Add updated span convention constants to SPANDATA by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6093">#6093</a></li> <li>(fastapi) Support span streaming in active thread tracking by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6118">#6118</a></li> <li>(httpx) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6084">#6084</a></li> <li>(huggingface_hub) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6124">#6124</a></li> <li>(mcp) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6131">#6131</a></li> <li>Add <code>db.driver.name</code> spans to database integrations by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6082">#6082</a></li> </ul> <h3>Bug Fixes 🐛</h3> <p>We've put additional data that might contain sensitive information, like GraphQL documents, behind the <code>send_default_pii</code> option.</p> <h4>Httpx</h4> <ul> <li>Consistently early-exit when adding request source by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6151">#6151</a></li> <li>Set <code>code.namespace</code> and <code>code.function</code> instead of <code>code.function.name</code> in span streaming by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6150">#6150</a></li> </ul> <h4>Langchain</h4> <ul> <li>Record <code>run_name</code> as <code>gen_ai.function_id</code> for text completions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6073">#6073</a></li> <li>Set agent name as <code>gen_ai.agent.name</code> for chat and tool spans by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5877">#5877</a></li> </ul> <h4>Other</h4> <ul> <li>(asgi) Use <code>inspect.iscoroutinefunction</code> on Python 3.14+ by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6135">#6135</a></li> <li>(batcher) Reset lock and flusher in child after fork by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6163">#6163</a></li> <li>(google_genai) Redact binary data in inline_data and fix multi-part message extraction by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5977">#5977</a></li> <li>(grpc) Add isolation_scope to async server interceptor by <a href="https://github.com/robinvd"><code>@robinvd</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5940">#5940</a></li> <li>(metrics,logs) Don't attach <code>span_id</code> if no active span by <a href="https://github.com/sentrivana"><code>@sentrivana</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6162">#6162</a></li> <li>(monitor) Release <code>Monitor._thread_lock</code> after fork (<a href="https://redirect.github.com/getsentry/sentry-python/issues/6148">#6148</a>) by <a href="https://github.com/vokracko"><code>@vokracko</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6159">#6159</a></li> <li>(openai-agents) Resolve agent from <code>bindings</code> for openai-agents >= 0.14 by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6102">#6102</a></li> <li>(profiler) Stop nulling buffer on teardown by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6075">#6075</a></li> <li>(quart) Use <code>inspect.iscoroutinefunction</code> when Quart does by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6133">#6133</a></li> <li>(security) Prevent GitHub script injection in update-tox workflow by <a href="https://github.com/fix-it-felix-sentry"><code>@fix-it-felix-sentry</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6171">#6171</a></li> <li>(starlette/fastapi) Use <code>inspect.iscoroutinefunction</code> when Starlette does by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6134">#6134</a></li> <li>(tornado) Make sure context manager doesn't double yield by <a href="https://github.com/sentrivana"><code>@sentrivana</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6152">#6152</a></li> <li>Introduce <code>_get_current_streamed_span()</code> to keep types backwards compatible by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6177">#6177</a></li> </ul> <h3>Internal Changes 🔧</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md">sentry-sdk's changelog</a>.</em></p> <blockquote> <h2>2.59.0</h2> <h3>New Features ✨</h3> <h4>Langchain</h4> <ul> <li>Record <code>run_name</code> as <code>gen_ai.function_id</code> on Invoke Agent Spans by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5926">#5926</a></li> <li>Record <code>run_name</code> in <code>on_tool_start</code> by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5925">#5925</a></li> <li>Record <code>run_name</code> in <code>on_chat_model_start</code> by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5924">#5924</a></li> </ul> <h4>Other</h4> <ul> <li>(ci) Cancel in-progress PR workflows on new commit push by <a href="https://github.com/joshuarli"><code>@joshuarli</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5994">#5994</a></li> <li>(consts) Add updated span convention constants to SPANDATA by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6093">#6093</a></li> <li>(fastapi) Support span streaming in active thread tracking by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6118">#6118</a></li> <li>(httpx) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6084">#6084</a></li> <li>(huggingface_hub) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6124">#6124</a></li> <li>(mcp) Migrate to span first by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6131">#6131</a></li> <li>Add <code>db.driver.name</code> spans to database integrations by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6082">#6082</a></li> </ul> <h3>Bug Fixes 🐛</h3> <p>We've put additional data that might contain sensitive information, like GraphQL documents, behind the <code>send_default_pii</code> option.</p> <h4>Httpx</h4> <ul> <li>Consistently early-exit when adding request source by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6151">#6151</a></li> <li>Set <code>code.namespace</code> and <code>code.function</code> instead of <code>code.function.name</code> in span streaming by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6150">#6150</a></li> </ul> <h4>Langchain</h4> <ul> <li>Record <code>run_name</code> as <code>gen_ai.function_id</code> for text completions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6073">#6073</a></li> <li>Set agent name as <code>gen_ai.agent.name</code> for chat and tool spans by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5877">#5877</a></li> </ul> <h4>Other</h4> <ul> <li>(asgi) Use <code>inspect.iscoroutinefunction</code> on Python 3.14+ by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6135">#6135</a></li> <li>(batcher) Reset lock and flusher in child after fork by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6163">#6163</a></li> <li>(google_genai) Redact binary data in inline_data and fix multi-part message extraction by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5977">#5977</a></li> <li>(grpc) Add isolation_scope to async server interceptor by <a href="https://github.com/robinvd"><code>@robinvd</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5940">#5940</a></li> <li>(metrics,logs) Don't attach <code>span_id</code> if no active span by <a href="https://github.com/sentrivana"><code>@sentrivana</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6162">#6162</a></li> <li>(monitor) Release <code>Monitor._thread_lock</code> after fork (<a href="https://redirect.github.com/getsentry/sentry-python/issues/6148">#6148</a>) by <a href="https://github.com/vokracko"><code>@vokracko</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6159">#6159</a></li> <li>(openai-agents) Resolve agent from <code>bindings</code> for openai-agents >= 0.14 by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6102">#6102</a></li> <li>(profiler) Stop nulling buffer on teardown by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6075">#6075</a></li> <li>(quart) Use <code>inspect.iscoroutinefunction</code> when Quart does by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6133">#6133</a></li> <li>(security) Prevent GitHub script injection in update-tox workflow by <a href="https://github.com/fix-it-felix-sentry"><code>@fix-it-felix-sentry</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6171">#6171</a></li> <li>(starlette/fastapi) Use <code>inspect.iscoroutinefunction</code> when Starlette does by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6134">#6134</a></li> <li>(tornado) Make sure context manager doesn't double yield by <a href="https://github.com/sentrivana"><code>@sentrivana</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6152">#6152</a></li> <li>Introduce <code>_get_current_streamed_span()</code> to keep types backwards compatible by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/6177">#6177</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
119d097795 |
Bump pyrefly from 0.62.0 to 0.63.1 in /backend (#1703)
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.62.0 to 0.63.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/pyrefly/releases">pyrefly's releases</a>.</em></p> <blockquote> <h2>Pyrefly v0.63.1</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/facebook/pyrefly/compare/0.63.0...0.63.1">https://github.com/facebook/pyrefly/compare/0.63.0...0.63.1</a></p> <h2>Pyrefly v0.63.0</h2> <p><strong>Status : BETA</strong> <em>Release date: April 27, 2026</em></p> <p>Pyrefly v0.63.0 bundles <strong>129 commits</strong> from <strong>26 contributors</strong>.</p> <hr /> <h2>✨ New & Improved</h2> <table> <thead> <tr> <th>Area</th> <th>What's new</th> </tr> </thead> <tbody> <tr> <td><strong>Type Checking</strong></td> <td>- Enum member types are preserved even when the metaclass conflicts with <code>EnumMeta</code>, reducing noise in projects using custom metaclasses with enums. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Constrained <code>TypeVar</code>s no longer get pinned to a specific constraint when matched against <code>Any</code>, preventing false positives. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Self/cls annotations on all methods and classmethods are validated to ensure they reference the defining class or a superclass, catching more annotation errors.</td> </tr> <tr> <td><strong>Language Server</strong></td> <td>- The LSP now reports <code>unused-ignore</code> diagnostics when configured to do so, helping you clean up stale suppression comments. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Completions for attribute override definitions are available in class bodies, surfacing base-class members filtered by fuzzy match. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The LSP server no longer crashes on Jupyter notebook cell URIs (<code>vscode-notebook-cell:</code>), with full support for resolving notebook cell paths and position offsets. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Workspace symbol search uses the correct location for re-exported symbols, preventing panics on multi-byte UTF-8 characters. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Inlay hints are clickable for built-in types like <code>tuple</code>, <code>dict</code>, and <code>str</code>, enabling go-to-definition directly from hint overlays.</td> </tr> <tr> <td><strong>Error Messages</strong></td> <td>- A new <code>unnecessary-type-conversion</code> lint warns when <code>str()</code>, <code>int()</code>, or <code>float()</code> is called on an argument that is already of that exact type.</td> </tr> <tr> <td><strong>Reporting & Coverage</strong></td> <td>- Public symbol filtering is available via <code>pyrefly report --public-only</code>, using cross-module tracing to report only public symbols.</td> </tr> <tr> <td><strong>Performance</strong></td> <td>- TypedDict subset checks are now cached on the Solver, reducing CPU time by ~5.3x and wall time by ~6.7x on pydantic (from 9.5s to 1.4s).</td> </tr> <tr> <td><strong>Configuration & Initialization</strong></td> <td>- <code>pyrefly init</code> supports <code>--dry-run</code> for safe previews without writing files, and <code>--print-config</code> for machine-readable TOML output.</td> </tr> </tbody> </table> <hr /> <h2>🐛 bug fixes</h2> <p>We closed <strong>9</strong> bug issues this release 👏</p> <ul> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3099">#3099</a>: Fixed an issue where property setters and deleters inflated typable counts in <code>pyrefly report</code> by incorrectly counting their trivial <code>-> None</code> return types.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3098">#3098</a>: Fixed an issue where overloads in <code>pyrefly report</code> were not deduplicated, causing parameters and callable signatures to be counted multiple times and inflate coverage metrics.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3067">#3067</a>: Fixed an issue where the type display path was dropping the unpack marker (<code>*</code>) for direct <code>TypeVarTuple</code> arguments, causing <code>Shape</code> to render bare instead of <code>*Shape</code>.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3040">#3040</a>: Fixed an issue where properties on metaclasses were not taking precedence over properties on the class during class-level attribute access, causing false <code>bad-assignment</code> and <code>bad-return</code> errors.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3150">#3150</a>: Fixed an issue where type aliases were inflating type coverage in <code>pyrefly report</code> by being counted as typable entities.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3041">#3041</a>: Fixed a panic during workspace/symbol requests on re-exported symbols with multi-byte UTF-8 characters, caused by using the canonical module's byte offset against the re-exporting file's buffer.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3109">#3109</a>: Added a new <code>unnecessary-type-conversion</code> lint that warns when <code>str()</code>, <code>int()</code>, or <code>float()</code> is called on an argument that is already of that exact type, making the conversion redundant.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3187">#3187</a>: Fixed a panic in <code>pyrefly report</code> when <code>@no_type_check</code> decorator was used, caused by a missing key lookup for skipped parameter annotations.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3090">#3090</a>: Improved the unused-coroutine error message when an <code>await</code> expression already has <code>await</code> but produces a coroutine due to an incorrect return type annotation on the function definition.</li> </ul> <p>Thank-you to all our contributors who found these bugs and reported them! Did you know this is one of the most helpful contributions you can make to an open-source project? If you find any bugs in Pyrefly we want to know about them! Please open a bug report issue <a href="https://github.com/facebook/pyrefly/issues">here</a></p> <hr /> <h2>📦 Upgrade</h2> <pre lang="bash"><code>pip install --upgrade pyrefly==0.63.0 </code></pre> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
6b4fbb0fbe |
Bump node from 25-alpine to 26-alpine (#1699)
Bumps node from 25-alpine to 26-alpine. [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
1e1e1788e6 |
Bump uvicorn from 0.44.0 to 0.46.0 in /backend (#1698)
Bumps [uvicorn](https://github.com/Kludex/uvicorn) from 0.44.0 to 0.46.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/uvicorn/releases">uvicorn's releases</a>.</em></p> <blockquote> <h2>Version 0.46.0</h2> <h2>What's Changed</h2> <ul> <li>Support <code>ws_max_size</code> in <code>wsproto</code> implementation by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2915">Kludex/uvicorn#2915</a></li> <li>Support <code>ws_ping_interval</code> and <code>ws_ping_timeout</code> in <code>wsproto</code> implementation by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2916">Kludex/uvicorn#2916</a></li> <li>Use <code>bytearray</code> for incoming WebSocket message buffer in websockets-sansio by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2917">Kludex/uvicorn#2917</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/uvicorn/compare/0.45.0...0.46.0">https://github.com/Kludex/uvicorn/compare/0.45.0...0.46.0</a></p> <h2>Version 0.45.0</h2> <h2>What's Changed</h2> <ul> <li>Preserve forwarded client ports in proxy headers middleware by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2903">Kludex/uvicorn#2903</a></li> <li>Accept <code>os.PathLike</code> for <code>log_config</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2905">Kludex/uvicorn#2905</a></li> <li>Accept <code>log_level</code> strings case-insensitively by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2907">Kludex/uvicorn#2907</a></li> <li>Raise helpful <code>ImportError</code> when PyYAML is missing for YAML log config by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2906">Kludex/uvicorn#2906</a></li> <li>Revert empty context for ASGI runs by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2911">Kludex/uvicorn#2911</a></li> <li>Add <code>--reset-contextvars</code> flag to isolate ASGI request context by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2912">Kludex/uvicorn#2912</a></li> <li>Revert "Emit <code>http.disconnect</code> on server shutdown for streaming responses" (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2829">#2829</a>) by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2913">Kludex/uvicorn#2913</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Krishnachaitanyakc"><code>@Krishnachaitanyakc</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2870">Kludex/uvicorn#2870</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/uvicorn/compare/0.44.0...0.45.0">https://github.com/Kludex/uvicorn/compare/0.44.0...0.45.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md">uvicorn's changelog</a>.</em></p> <blockquote> <h2>0.46.0 (April 23, 2026)</h2> <h3>Added</h3> <ul> <li>Support <code>ws_max_size</code> in <code>wsproto</code> implementation (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2915">#2915</a>)</li> <li>Support <code>ws_ping_interval</code> and <code>ws_ping_timeout</code> in <code>wsproto</code> implementation (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2916">#2916</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Use <code>bytearray</code> for incoming WebSocket message buffer in <code>websockets-sansio</code> (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2917">#2917</a>)</li> </ul> <h2>0.45.0 (April 21, 2026)</h2> <h3>Added</h3> <ul> <li>Add <code>--reset-contextvars</code> flag to isolate ASGI request context (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2912">#2912</a>)</li> <li>Accept <code>os.PathLike</code> for <code>log_config</code> (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2905">#2905</a>)</li> <li>Accept <code>log_level</code> strings case-insensitively (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2907">#2907</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Revert "Emit <code>http.disconnect</code> on server shutdown for streaming responses" (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2913">#2913</a>)</li> <li>Revert "Explicitly start ASGI run with empty context" (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2911">#2911</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Preserve forwarded client ports in proxy headers middleware (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2903">#2903</a>)</li> <li>Raise helpful <code>ImportError</code> when PyYAML is missing for YAML log config (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2906">#2906</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
38efd1e2b9 |
Bump pydantic-settings from 2.13.0 to 2.14.0 in /backend (#1697)
Bumps [pydantic-settings](https://github.com/pydantic/pydantic-settings) from 2.13.0 to 2.14.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pydantic/pydantic-settings/releases">pydantic-settings's releases</a>.</em></p> <blockquote> <h2>v2.14.0</h2> <h2>What's Changed</h2> <ul> <li>Fix parsing env vars into Optional Strict types by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/792">pydantic/pydantic-settings#792</a></li> <li>Fix RecursionError with mutually recursive models in CLI by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/794">pydantic/pydantic-settings#794</a></li> <li>Fix env_file from model_config ignored in CliApp.run() (<a href="https://redirect.github.com/pydantic/pydantic-settings/issues/795">#795</a>) by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/796">pydantic/pydantic-settings#796</a></li> <li>Update dependencies by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/798">pydantic/pydantic-settings#798</a></li> <li>Add Dependabot configuration by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/801">pydantic/pydantic-settings#801</a></li> <li>Bump samuelcolvin/check-python-version from 4.1 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/802">pydantic/pydantic-settings#802</a></li> <li>Bump actions/upload-artifact from 4 to 7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/803">pydantic/pydantic-settings#803</a></li> <li>Bump actions/checkout from 4 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/804">pydantic/pydantic-settings#804</a></li> <li>Bump astral-sh/setup-uv from 5 to 7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/805">pydantic/pydantic-settings#805</a></li> <li>Bump actions/setup-python from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/806">pydantic/pydantic-settings#806</a></li> <li>Ignore chardet and group GitHub Actions in Dependabot by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/808">pydantic/pydantic-settings#808</a></li> <li>Bump actions/download-artifact from 4 to 8 in the github-actions group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/809">pydantic/pydantic-settings#809</a></li> <li>Bump the python-packages group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/810">pydantic/pydantic-settings#810</a></li> <li>Support reading .env files from FIFOs (e.g. 1Password Environments) by <a href="https://github.com/JacobHayes"><code>@JacobHayes</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/776">pydantic/pydantic-settings#776</a></li> <li>Fix AliasChoices ignored when changing provider priority by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/813">pydantic/pydantic-settings#813</a></li> <li>fix: resolve KeyError in run_subcommand for underscore field names by <a href="https://github.com/bradykieffer"><code>@bradykieffer</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/799">pydantic/pydantic-settings#799</a></li> <li>Bump the python-packages group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/814">pydantic/pydantic-settings#814</a></li> <li>Fix <code>Literal[numeric Enum]</code> coercion for CLI and env vars by <a href="https://github.com/m9810223"><code>@m9810223</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/811">pydantic/pydantic-settings#811</a></li> <li>Fix nested discriminated unions not discovered by env/CLI providers by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/816">pydantic/pydantic-settings#816</a></li> <li>Bump the python-packages group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/820">pydantic/pydantic-settings#820</a></li> <li>CLI ensure env nested max split internally. by <a href="https://github.com/kschwab"><code>@kschwab</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/821">pydantic/pydantic-settings#821</a></li> <li>Bump the python-packages group with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/824">pydantic/pydantic-settings#824</a></li> <li>Migrate <code>boto3-stubs</code> to <code>types-boto3</code> by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/831">pydantic/pydantic-settings#831</a></li> <li>Fix CLI not recognizing field name with validate_by_name and AliasChoices by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/826">pydantic/pydantic-settings#826</a></li> <li>Allow customisation of the dotevn setting source to filter variables by <a href="https://github.com/CaselIT"><code>@CaselIT</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/832">pydantic/pydantic-settings#832</a></li> <li>Bump the python-packages group with 3 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/833">pydantic/pydantic-settings#833</a></li> <li>Introduce yamlfmt by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/836">pydantic/pydantic-settings#836</a></li> <li>Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/837">pydantic/pydantic-settings#837</a></li> <li>Introduce zizmor by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/838">pydantic/pydantic-settings#838</a></li> <li>Fix CliPositionalArg[list[CustomType]] crash for custom types by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/839">pydantic/pydantic-settings#839</a></li> <li>Add note about Mypy plugin for <code>BaseSettings.__init__()</code> by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/842">pydantic/pydantic-settings#842</a></li> <li>Fix <code>cli_ignore_unknown_args=True</code> not working on subcommands by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/844">pydantic/pydantic-settings#844</a></li> <li>Bump the python-packages group with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/847">pydantic/pydantic-settings#847</a></li> <li>Fix CLI descriptions lost under <code>python -OO</code> by falling back to <code>json_schema_extra</code> by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/843">pydantic/pydantic-settings#843</a></li> <li>Prepare release 2.14.0 by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/848">pydantic/pydantic-settings#848</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] made their first contribution in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/802">pydantic/pydantic-settings#802</a></li> <li><a href="https://github.com/JacobHayes"><code>@JacobHayes</code></a> made their first contribution in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/776">pydantic/pydantic-settings#776</a></li> <li><a href="https://github.com/bradykieffer"><code>@bradykieffer</code></a> made their first contribution in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/799">pydantic/pydantic-settings#799</a></li> <li><a href="https://github.com/CaselIT"><code>@CaselIT</code></a> made their first contribution in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/832">pydantic/pydantic-settings#832</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pydantic/pydantic-settings/compare/v2.13.1...v2.14.0">https://github.com/pydantic/pydantic-settings/compare/v2.13.1...v2.14.0</a></p> <h2>v2.13.1</h2> <h2>What's Changed</h2> <ul> <li>Fix regression for bool fields since 2.13.0 by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/784">pydantic/pydantic-settings#784</a></li> <li>Fix RecursionError with self-referential models in CliApp by <a href="https://github.com/hramezani"><code>@hramezani</code></a> in <a href="https://redirect.github.com/pydantic/pydantic-settings/pull/783">pydantic/pydantic-settings#783</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
4fb0d150f5 |
Bump pyrefly from 0.61.1 to 0.62.0 in /backend (#1696)
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.61.1 to 0.62.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/pyrefly/releases">pyrefly's releases</a>.</em></p> <blockquote> <h2>Pyrefly v0.62.0</h2> <p><strong>Status : BETA</strong> <em>Release date: April 20, 2026</em></p> <p>Pyrefly v0.62.0 bundles <strong>87 commits</strong> from <strong>23 contributors</strong>.</p> <hr /> <h2>✨ New & Improved</h2> <table> <thead> <tr> <th>Area</th> <th>What's new</th> </tr> </thead> <tbody> <tr> <td><strong>Type Checking</strong></td> <td>- <code>TypeVarTuple</code> inference has been changed to be consistent with <code>TypeVar</code>, per a recent change to the typing spec. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Errors logged during speculative union checks and overload calls are now reverted, eliminating a source of confusing false positives. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Union-typed decorators that return fully unknown types (either <code>Unknown</code> or callables with all-unknown signatures) preserve the original function signature instead of replacing it with <code>Unknown</code>, reducing false positives by ~23% on TensorFlow.</td> </tr> <tr> <td><strong>Language Server</strong></td> <td>- Semantic tokens and completions work for <code>inmemory://</code> documents on Windows. <!-- raw HTML omitted --><!-- raw HTML omitted -->- LSP server crashes from out-of-range line numbers in client requests are prevented by clamping positions to the buffer's valid range.</td> </tr> <tr> <td><strong>Error Reporting</strong></td> <td>- Error kinds can now have sub-kinds that can be disabled using their shared prefix. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Invariance checks for mutable attributes (corresponding to mypy's <code>mutable-override</code> opt-in behavior) have been moved to a new <code>bad-override-mutable-attribute</code> error code that is a sub-kind of <code>bad-override</code>. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The <code>bad-param-name-override</code> error has been renamed to <code>bad-override-param-name</code> and made a sub-kind of <code>bad-override</code>. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Sub-configs that define <code>[errors]</code> inherit the root config's error severity overrides for any codes they don't explicitly set.</td> </tr> <tr> <td><strong>Configuration</strong></td> <td>- When migrating from mypy via <code>pyrefly init</code>, <code>bad-override-mutable-attribute</code> is disabled by default to match mypy's behavior. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Project excludes (e.g., <code>project-excludes = ["**/*.ipynb"]</code>) no longer block discovery of <code>.py</code> files when the default <code>project-includes</code> contains both <code>**/*.py*</code> and <code>**/*.ipynb</code>.</td> </tr> </tbody> </table> <hr /> <h2>🐛 bug fixes</h2> <p>We closed 12 bug issues this release 👏</p> <ul> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3118">#3118</a>: Fixed incorrect stub package recommendations for typeshed third-party libraries. Pyrefly now suggests the correct package name (e.g., <code>types-python-dateutil</code> for the <code>dateutil</code> module, not <code>types-dateutil</code>) by extracting the module→package mapping from the bundled typeshed archive, preventing potential typosquatting.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3081">#3081</a>: Fixed NewType wrappers with NoneType bases being incorrectly rejected or treated inconsistently. <code>NewType("NewNoneType", NoneType)</code> is now accepted as a valid nominal type declaration, and plain <code>None</code> is correctly rejected where <code>NewNoneType</code> is required.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3052">#3052</a>: Fixed false positive <code>unexpected-keyword</code> errors for named parameters before <code>*args: P.args</code>. Functions like <code>call_with_retry(f, max_attempts=10, *args: P.args, **kwargs: P.kwargs)</code> now correctly allow <code>max_attempts</code> to be passed as a keyword argument, matching mypy and pyright behavior.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3110">#3110</a>: Fixed LSP server crashes when the client sends a position with a line number beyond the end of the buffer (e.g., after a <code>DidChangeTextDocument</code> race where the file was truncated). Out-of-range positions now map to EOF instead of panicking.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2912">#2912</a>: Fixed false positive <code>bad-argument-type</code> for <code>list(null_values.items())</code> when the return type hint is a union like <code>Sequence[str] | list[tuple[str, str]]</code>. Pyrefly now tries constructing the class with each union member independently and unions the results, ensuring the inferred type is assignable to the hint.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2644">#2644</a>: Fixed false positive <code>bad-argument-type</code> when calling a method with <code>AnyStr</code>. Placeholder variables used during overload resolution are now saved and restored around overload calls, preventing <code>AnyStr</code> from being incorrectly specialized to <code>str</code> and polluting subsequent checks.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2872">#2872</a>: Fixed false positive <code>invalid-type-var</code> for generic functions captured as closure default arguments. The <code>Visit</code> implementation for <code>DefaultValue</code> now calls <code>visit</code> instead of <code>recurse</code>, ensuring type-level visitors see the <code>Type</code> node stored in the default value.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3159">#3159</a>: Fixed incorrect type inference for <code>.value</code> on enum members with non-data-type mixins. Mixins that don't define <code>__new__</code> (e.g., <code>class Meta: pass</code>) are no longer treated as data type mixins, so <code>Foo.bar.value</code> correctly returns <code>Literal[1]</code> instead of <code>Meta</code>.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3161">#3161</a>: Fixed false positive <code>bad-argument-type</code> for overloaded functions with vararg unpacking (e.g., <code>*args: *tuple[int, str]</code>). Type check errors for unpacked varargs are now sent to <code>call_errors</code> instead of <code>arg_errors</code>, so they don't cause the overload to be incorrectly rejected.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3047">#3047</a>: Fixed false positive <code>bad-specialization</code> when matching a type variable against a union like <code>N | Iterable[N]</code>. Pyrefly now uses snapshot-based rollback when trying each union member, ensuring specialization errors from one branch don't leak into the final result if another branch succeeds without errors.</li> <li>And more! <a href="https://redirect.github.com/facebook/pyrefly/issues/3122">#3122</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/3080">#3080</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/3074">#3074</a></li> </ul> <p>Thank-you to all our contributors who found these bugs and reported them! Did you know this is one of the most helpful contributions you can make to an open-source project? If you find any bugs in Pyrefly we want to know about them! Please open a bug report issue <a href="https://github.com/facebook/pyrefly/issues">here</a></p> <hr /> <h2>📦 Upgrade</h2> <pre lang="bash"><code>pip install --upgrade pyrefly==0.62.0 </code></pre> <h3>How to safely upgrade your codebase</h3> <p>Upgrading the version of Pyrefly you're using or a third-party library you depend on can reveal new type errors in your code. Fixing them all at once is often unrealistic. We've written scripts to help you temporarily silence them. After upgrading, follow these steps:</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a6eba4cbe4 |
Bump idna from 3.11 to 3.15 in /backend (#1692)
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/kjd/idna/blob/master/HISTORY.md">idna's changelog</a>.</em></p> <blockquote> <h2>3.15 (2026-05-12)</h2> <ul> <li>Enforce DNS-length cap on individual labels early in <code>check_label</code>, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.</li> <li>Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared <code>_unicode_dots_re</code> from <code>idna.core</code> in the codec module.</li> <li>Use <code>raise ... from err</code> for proper exception chaining and switch internal string formatting to f-strings.</li> <li>Allow <code>flit_core</code> 4.x in the build backend.</li> <li>Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.</li> <li>Add Dependabot configuration for GitHub Actions.</li> <li>Convert README and HISTORY from reStructuredText to Markdown.</li> <li>Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.</li> </ul> <p>Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.</p> <h2>3.14 (2026-05-10)</h2> <ul> <li>Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]</li> </ul> <p>Thanks to Stan Ulbrych for reporting the issue.</p> <h2>3.13 (2026-04-22)</h2> <ul> <li>Correct classification error for codepoint U+A7F1</li> </ul> <h2>3.12 (2026-04-21)</h2> <ul> <li>Update to Unicode 17.0.0.</li> <li>Issue a deprecation warning for the transitional argument.</li> <li>Added lazy-loading to provide some performance improvements.</li> <li>Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.</li> </ul> <p>Thanks to Rodrigo Nogueira for contributions to this release.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a4ebc13c6b |
Bump pydantic from 2.12.4 to 2.13.2 in /backend (#1691)
Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.12.4 to 2.13.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pydantic/pydantic/releases">pydantic's releases</a>.</em></p> <blockquote> <h2>v2.13.2 2026-04-17</h2> <h2>v2.13.2 (2026-04-17)</h2> <h3>What's Changed</h3> <h4>Fixes</h4> <ul> <li>Fix <code>ValidationInfo.field_name</code> missing with <code>model_validate_json()</code> by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13084">#13084</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pydantic/pydantic/compare/v2.13.1...v2.13.2">https://github.com/pydantic/pydantic/compare/v2.13.1...v2.13.2</a></p> <h2>v2.13.1 2026-04-15</h2> <h2>v2.13.1 (2026-04-15)</h2> <h3>What's Changed</h3> <h4>Fixes</h4> <ul> <li>Fix <code>ValidationInfo.data</code> missing with <code>model_validate_json()</code> by <a href="https://github.com/davidhewitt"><code>@davidhewitt</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13079">#13079</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/pydantic/pydantic/compare/v2.13.0...v2.13.1">https://github.com/pydantic/pydantic/compare/v2.13.0...v2.13.1</a></p> <h2>v2.13.0 2026-04-13</h2> <h2>v2.13.0 (2026-04-13)</h2> <p>The highlights of the v2.13 release are available in the <a href="https://pydantic.dev/articles/pydantic-v2-13-release">blog post</a>. Several minor changes (considered non-breaking changes according to our <a href="https://pydantic.dev/docs/validation/2.13/get-started/version-policy/#pydantic-v2">versioning policy</a>) are also included in this release. Make sure to look into them before upgrading.</p> <p>This release contains the updated <code>pydantic.v1</code> namespace, matching version 1.10.26 which includes support for Python 3.14.</p> <h3>What's Changed</h3> <p>See the beta releases for all changes sinces 2.12.</p> <h4>Packaging</h4> <ul> <li>Add zizmor for GitHub Actions workflow linting by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13039">#13039</a></li> <li>Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13064">#13064</a></li> </ul> <h4>New Features</h4> <ul> <li>Allow default factories of private attributes to take validated model data by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13013">#13013</a></li> </ul> <h4>Changes</h4> <ul> <li>Warn when serializing fixed length tuples with too few items by <a href="https://github.com/arvindsaripalli"><code>@arvindsaripalli</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13016">#13016</a></li> </ul> <h4>Fixes</h4> <ul> <li>Change type of <code>Any</code> when synthesizing <code>_build_sources</code> for <code>BaseSettings.__init__()</code> signature in the mypy plugin by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13049">#13049</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pydantic/pydantic/blob/main/HISTORY.md">pydantic's changelog</a>.</em></p> <blockquote> <h2>v2.13.2 (2026-04-17)</h2> <p><a href="https://github.com/pydantic/pydantic/releases/tag/v2.13.2">GitHub release</a></p> <h3>What's Changed</h3> <h4>Fixes</h4> <ul> <li>Fix <code>ValidationInfo.field_name</code> missing with <code>model_validate_json()</code> by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13084">#13084</a></li> </ul> <h2>v2.13.1 (2026-04-15)</h2> <p><a href="https://github.com/pydantic/pydantic/releases/tag/v2.13.1">GitHub release</a></p> <h3>What's Changed</h3> <h4>Fixes</h4> <ul> <li>Fix <code>ValidationInfo.data</code> missing with <code>model_validate_json()</code> by <a href="https://github.com/davidhewitt"><code>@davidhewitt</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13079">#13079</a></li> </ul> <h2>v2.13.0 (2026-04-13)</h2> <p><a href="https://github.com/pydantic/pydantic/releases/tag/v2.13.0">GitHub release</a></p> <p>The highlights of the v2.13 release are available in the <a href="https://pydantic.dev/articles/pydantic-v2-13-release">blog post</a>. Several minor changes (considered non-breaking changes according to our <a href="https://pydantic.dev/docs/validation/2.13/get-started/version-policy/#pydantic-v2">versioning policy</a>) are also included in this release. Make sure to look into them before upgrading.</p> <p>This release contains the updated <code>pydantic.v1</code> namespace, matching version 1.10.26 which includes support for Python 3.14.</p> <h3>What's Changed</h3> <p>See the beta releases for all changes sinces 2.12.</p> <h4>New Features</h4> <ul> <li>Allow default factories of private attributes to take validated model data by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13013">#13013</a></li> </ul> <h4>Changes</h4> <ul> <li>Warn when serializing fixed length tuples with too few items by <a href="https://github.com/arvindsaripalli"><code>@arvindsaripalli</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13016">#13016</a></li> </ul> <h4>Fixes</h4> <ul> <li>Change type of <code>Any</code> when synthesizing <code>_build_sources</code> for <code>BaseSettings.__init__()</code> signature in the mypy plugin by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13049">#13049</a></li> <li>Fix model equality when using runtime <code>extra</code> configuration by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13062">#13062</a></li> </ul> <h4>Packaging</h4> <ul> <li>Add zizmor for GitHub Actions workflow linting by <a href="https://github.com/Viicos"><code>@Viicos</code></a> in <a href="https://redirect.github.com/pydantic/pydantic/pull/13039">#13039</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
c5be5378bf |
Bump pyrefly from 0.60.0 to 0.61.1 in /backend (#1690)
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.60.0 to 0.61.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/pyrefly/releases">pyrefly's releases</a>.</em></p> <blockquote> <h2>Pyrefly v0.61.1</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/facebook/pyrefly/compare/0.61.0...0.61.1">https://github.com/facebook/pyrefly/compare/0.61.0...0.61.1</a></p> <h2>Pyrefly v0.61.0</h2> <p><strong>Status : BETA</strong> <em>Release date: April 13, 2026</em></p> <p>Pyrefly v0.61.0 bundles <strong>85 commits</strong> from <strong>21 contributors</strong>.</p> <hr /> <h2>✨ New & Improved</h2> <table> <thead> <tr> <th>Area</th> <th>What's new</th> </tr> </thead> <tbody> <tr> <td><strong>Type Checking</strong></td> <td>- Division, floor division, and modulo operations with a literal zero divisor (e.g., <code>x / 0</code>, <code>y // 0</code>, <code>z % 0</code>) are flagged as errors, catching runtime <code>ZeroDivisionError</code> before execution. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Multiple inheritance with conflicting <code>__slots__</code> definitions is detected and reported as an error, matching CPython's runtime behavior and preventing layout conflicts. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Protocol members assigned a value without an explicit type annotation (e.g., <code>x = None</code> in a <code>Protocol</code> class body) are flagged as errors, ensuring protocol members have declared types as required by the typing specification.</td> </tr> <tr> <td><strong>Language Server</strong></td> <td>- Variables used exclusively within f-string format specifiers (e.g., <code>f"{key:<{max_len}}"</code>) are correctly recognized as used, eliminating false positive unused-variable warnings. <!-- raw HTML omitted --><!-- raw HTML omitted -->- The VS Code extension explicitly declares workspace trust capabilities, requiring trusted workspaces to run and allowing machine-overridable scope for <code>lspPath</code> and <code>lspArguments</code> settings for improved security.</td> </tr> <tr> <td><strong>Coverage Reporting</strong></td> <td>- The <code>pyrefly report</code> command now excludes some dunder methods and typing-only constructs from coverage metrics. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Per-module JSON output includes entity counts (n_functions, n_methods, n_function_params, n_method_params, n_classes, n_attrs, n_properties, n_type_ignores) for downstream consumers. <!-- raw HTML omitted --><!-- raw HTML omitted -->- A new <code>--module <name></code> CLI flag allows overriding the module name in JSON output, supporting callers that need canonical package names instead of filesystem-derived names.</td> </tr> <tr> <td><strong>Pydantic</strong></td> <td>- Pydantic lax conversion special-cases regex patterns, fixing false positives when passing compiled patterns to Pydantic models.</td> </tr> <tr> <td><strong>Performance</strong></td> <td>- Fixed a bug in overload evaluation that caused exponential memory consumption and indefinite hangs on code with many overloaded calls.</td> </tr> </tbody> </table> <hr /> <h2>🐛 bug fixes</h2> <p>We closed <strong>9</strong> bug issues this release 👏</p> <ul> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3031">#3031</a>: Fixed a crash in mypy_primer caused by a variable leak in <code>LitEnum</code> — types are now deep-forced before storage to prevent leaking vars into the solver.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2915">#2915</a>: Division, floor division, and modulo by literal <code>0</code> are now flagged as errors, catching <code>ZeroDivisionError</code> at static analysis time instead of runtime.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3009">#3009</a>: Fixed false positive unused-variable warnings for variables used exclusively within f-string format specifiers (e.g., <code>f"{key:<{max_len}}"</code>). The AST visitor now correctly descends into <code>format_spec</code> nodes.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2799">#2799</a>: Fixed false positive <code>[missing-attribute]</code> errors for <code>dict.setdefault(key, []).append(val)</code> on unannotated dicts. Overload resolution now creates fresh partial variables for each overload, preventing incorrect pinning.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2991">#2991</a>: Fixed Pydantic lax-mode rewriting <code>re.Pattern[str]</code> to <code>Pattern[LaxStr]</code> and rejecting <code>re.Pattern[str]</code>. Regex patterns now expand to <code>re.Pattern[T] | T</code> instead of recursively widening the inner type.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2916">#2916</a>: Fixed runtime <code>TypeError</code> from multiple inheritance with conflicting <code>__slots__</code> (same slot names). Pyrefly now detects and reports this layout conflict during class metadata computation.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2917">#2917</a>: Fixed runtime <code>TypeError</code> from multiple inheritance with conflicting <code>__slots__</code> (different slot names). Pyrefly now detects non-empty <code>__slots__</code> in multiple bases and reports the conflict.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3064">#3064</a>: Fixed false positive when using <code>issubclass()</code> after <code>isinstance()</code> narrowing with custom metaclasses (e.g., Django's <code>ModelBase</code>). Metaclass instances are now correctly accepted as valid class objects.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/3030">#3030</a>: Fixed false positive <code>LiteralString</code> type error in <code>map(str.strip, ...)</code>. Overloads with narrower <code>self</code>-type annotations are now filtered out during unbound method resolution.</li> </ul> <p>Thank-you to all our contributors who found these bugs and reported them! Did you know this is one of the most helpful contributions you can make to an open-source project? If you find any bugs in Pyrefly we want to know about them! Please open a bug report issue <a href="https://github.com/facebook/pyrefly/issues">here</a></p> <hr /> <h2>📦 Upgrade</h2> <pre lang="bash"><code>pip install --upgrade pyrefly==0.61.0 </code></pre> <h3>How to safely upgrade your codebase</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
2146f245a0 |
Bump sentry-sdk from 2.57.0 to 2.58.0 in /backend (#1689)
Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 2.57.0 to 2.58.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/releases">sentry-sdk's releases</a>.</em></p> <blockquote> <h2>2.58.0</h2> <h3>New Features ✨</h3> <ul> <li>(ai) Redact base64 data URLs in image_url content blocks by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5953">#5953</a></li> <li>(integrations) Instrument pyreqwest tracing by <a href="https://github.com/servusdei2018"><code>@servusdei2018</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5682">#5682</a></li> <li>(litellm) Add async callbacks by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5969">#5969</a></li> </ul> <h3>Bug Fixes 🐛</h3> <h4>Anthropic</h4> <ul> <li>Capture exceptions for <code>stream()</code> calls by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5950">#5950</a></li> <li>Stop setting transaction status when child span fails by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5717">#5717</a></li> <li>Only finish relevant spans in .create() patches by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5716">#5716</a></li> </ul> <h4>Pydantic Ai</h4> <ul> <li>Adapt import for new library versions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5984">#5984</a></li> <li>Use first-class hooks when available by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5947">#5947</a></li> </ul> <h4>Other</h4> <ul> <li>(huggingface_hub) Stop setting transaction status when a child span fails by <a href="https://github.com/Zenithatic"><code>@Zenithatic</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5952">#5952</a></li> <li>(litellm) Avoid double span exits when streaming by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5933">#5933</a></li> <li>(wsgi) Respect HTTP_X_FORWARDED_PROTO in request.url construction by <a href="https://github.com/sl0thentr0py"><code>@sl0thentr0py</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5963">#5963</a></li> </ul> <h3>Internal Changes 🔧</h3> <h4>Litellm</h4> <ul> <li>Replace mocks with <code>httpx</code> types in rate-limit test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5975">#5975</a></li> <li>Replace mocks with <code>httpx</code> types in embedding tests by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5970">#5970</a></li> <li>Replace mocks with <code>httpx</code> types in nonstreaming <code>completion()</code> tests by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5937">#5937</a></li> <li>Remove dead attributes by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5985">#5985</a></li> </ul> <h4>Other</h4> <ul> <li>(ai) Remove <code>gen_ai.tool.type</code> span attribute by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5964">#5964</a></li> <li>(anthropic) Separate sync and async .create() patches by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5715">#5715</a></li> <li>(openai) Split token counting by API for easier deprecation by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5930">#5930</a></li> <li>(openai-agents) Remove error attributes by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5986">#5986</a></li> <li>(opentelemetry) Ignore mypy error by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5927">#5927</a></li> <li>🤖 Update test matrix with new releases (04/13) by <a href="https://github.com/github-actions"><code>@github-actions</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5983">#5983</a></li> <li>Fix license metadata in setup.py by <a href="https://github.com/sl0thentr0py"><code>@sl0thentr0py</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5934">#5934</a></li> <li>Update validate-pr workflow by <a href="https://github.com/stephanie-anderson"><code>@stephanie-anderson</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5931">#5931</a></li> </ul> <h3>Other</h3> <ul> <li>Handle <code>None</code> span context in the span processor and pin tokenizers version for anthropic tests on Python 3.8 by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5967">#5967</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md">sentry-sdk's changelog</a>.</em></p> <blockquote> <h2>2.58.0</h2> <h3>New Features ✨</h3> <ul> <li>(ai) Redact base64 data URLs in image_url content blocks by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5953">#5953</a></li> <li>(integrations) Instrument pyreqwest tracing by <a href="https://github.com/servusdei2018"><code>@servusdei2018</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5682">#5682</a></li> <li>(litellm) Add async callbacks by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5969">#5969</a></li> </ul> <h3>Bug Fixes 🐛</h3> <h4>Anthropic</h4> <ul> <li>Capture exceptions for <code>stream()</code> calls by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5950">#5950</a></li> <li>Stop setting transaction status when child span fails by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5717">#5717</a></li> <li>Only finish relevant spans in .create() patches by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5716">#5716</a></li> </ul> <h4>Pydantic Ai</h4> <ul> <li>Adapt import for new library versions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5984">#5984</a></li> <li>Use first-class hooks when available by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5947">#5947</a></li> </ul> <h4>Other</h4> <ul> <li>(huggingface_hub) Stop setting transaction status when a child span fails by <a href="https://github.com/Zenithatic"><code>@Zenithatic</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5952">#5952</a></li> <li>(litellm) Avoid double span exits when streaming by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5933">#5933</a></li> <li>(wsgi) Respect HTTP_X_FORWARDED_PROTO in request.url construction by <a href="https://github.com/sl0thentr0py"><code>@sl0thentr0py</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5963">#5963</a></li> </ul> <h3>Internal Changes 🔧</h3> <h4>Litellm</h4> <ul> <li>Replace mocks with <code>httpx</code> types in rate-limit test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5975">#5975</a></li> <li>Replace mocks with <code>httpx</code> types in embedding tests by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5970">#5970</a></li> <li>Replace mocks with <code>httpx</code> types in nonstreaming <code>completion()</code> tests by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5937">#5937</a></li> <li>Remove dead attributes by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5985">#5985</a></li> </ul> <h4>Other</h4> <ul> <li>(ai) Remove <code>gen_ai.tool.type</code> span attribute by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5964">#5964</a></li> <li>(anthropic) Separate sync and async .create() patches by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5715">#5715</a></li> <li>(openai) Split token counting by API for easier deprecation by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5930">#5930</a></li> <li>(openai-agents) Remove error attributes by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5986">#5986</a></li> <li>(opentelemetry) Ignore mypy error by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5927">#5927</a></li> <li>🤖 Update test matrix with new releases (04/13) by <a href="https://github.com/github-actions"><code>@github-actions</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5983">#5983</a></li> <li>Fix license metadata in setup.py by <a href="https://github.com/sl0thentr0py"><code>@sl0thentr0py</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5934">#5934</a></li> <li>Update validate-pr workflow by <a href="https://github.com/stephanie-anderson"><code>@stephanie-anderson</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5931">#5931</a></li> </ul> <h3>Other</h3> <ul> <li>Handle <code>None</code> span context in the span processor and pin tokenizers version for anthropic tests on Python 3.8 by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5967">#5967</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
48551b09f7 |
Bump fastapi from 0.135.3 to 0.136.0 in /backend (#1688)
Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.135.3 to 0.136.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fastapi/fastapi/releases">fastapi's releases</a>.</em></p> <blockquote> <h2>0.136.0</h2> <h3>Upgrades</h3> <ul> <li>⬆️ Support free-threaded Python 3.14t. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15149">#15149</a> by <a href="https://github.com/svlandeg"><code>@svlandeg</code></a>.</li> </ul> <h2>0.135.4</h2> <h3>Refactors</h3> <ul> <li>🔥 Remove April Fool's <code>@app.vibe()</code> 🤪. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15363">#15363</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> </ul> <h3>Internal</h3> <ul> <li>⬆ Bump cryptography from 46.0.5 to 46.0.7. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15314">#15314</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>⬆ Bump strawberry-graphql from 0.307.1 to 0.312.3. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15309">#15309</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>🔨 Add pre-commit hook to ensure latest release header has date. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15293">#15293</a> by <a href="https://github.com/YuriiMotov"><code>@YuriiMotov</code></a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
e6abd7d282 |
Bump urllib3 from 2.6.3 to 2.7.0 in /backend (#1681)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/releases">urllib3's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <h2>🚀 urllib3 is fundraising for HTTP/2 support</h2> <p><a href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3 is raising ~$40,000 USD</a> to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects <a href="https://opencollective.com/urllib3">please consider contributing financially</a> to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.</p> <p>Thank you for your support.</p> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially. (Reported by <a href="https://github.com/Cycloctane"><code>@Cycloctane</code></a>)</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <a href="https://pypi.org/project/brotli/">Brotli</a> library. (Reported by <a href="https://github.com/kimkou2024"><code>@kimkou2024</code></a>)</li> </ol> <p>See GHSA-mf9v-mfxr-j63j for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by <a href="https://github.com/christos-spearbit"><code>@christos-spearbit</code></a>)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3763">urllib3/urllib3#3763</a>)</li> <li>Removed support for end-of-life Python 3.9. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3720">urllib3/urllib3#3720</a>)</li> <li>Removed support for end-of-life PyPy3.10. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4979">urllib3/urllib3#4979</a>)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3777">urllib3/urllib3#3777</a>)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3636">urllib3/urllib3#3636</a>)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/4967">urllib3/urllib3#4967</a>)</li> <li>Fixed <code>HTTPResponse.stream()</code> and <code>HTTPResponse.read_chunked()</code> to handle <code>amt=0</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3793">urllib3/urllib3#3793</a>)</li> <li>Updated <code>_TYPE_BODY</code> type alias to include missing <code>Iterable[str]</code>, matching the documented and runtime behavior of chunked request bodies. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3798">urllib3/urllib3#3798</a>)</li> <li>Fixed <code>LocationParseError</code> when paths resembling schemeless URIs were passed to <code>HTTPConnectionPool.urlopen()</code>. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3352">urllib3/urllib3#3352</a>)</li> <li>Fixed <code>BaseHTTPResponse.readinto()</code> type annotation to accept <code>memoryview</code> in addition to <code>bytearray</code>, matching the <code>io.RawIOBase.readinto</code> contract and enabling use with <code>io.BufferedReader</code> without type errors. (<a href="https://redirect.github.com/urllib3/urllib3/issues/3764">urllib3/urllib3#3764</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's changelog</a>.</em></p> <blockquote> <h1>2.7.0 (2026-05-07)</h1> <h2>Security</h2> <p>Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.</p> <ul> <li> <p>Decompression-bomb safeguards of the streaming API were bypassed:</p> <ol> <li>When <code>HTTPResponse.drain_conn()</code> was called after the response had been read and decompressed partially.</li> <li>During the second <code>HTTPResponse.read(amt=N)</code> or <code>HTTPResponse.stream(amt=N)</code> call when the response was decompressed using the official <code>Brotli <https://pypi.org/project/brotli/></code>__ library.</li> </ol> <p>See <code>GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j></code>__ for details.</p> </li> <li> <p>HTTP pools created using <code>ProxyManager.connection_from_url</code> did not strip sensitive headers specified in <code>Retry.remove_headers_on_redirect</code> when redirecting to a different host. (<code>GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc></code>__)</p> </li> </ul> <h2>Deprecations and Removals</h2> <ul> <li>Used <code>FutureWarning</code> instead of <code>DeprecationWarning</code> for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (<code>[#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763></code>__)</li> <li>Removed support for end-of-life Python 3.9. (<code>[#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720></code>__)</li> <li>Removed support for end-of-life PyPy3.10. (<code>[#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979></code>__)</li> <li>Bumped the minimum supported pyOpenSSL version to 19.0.0. (<code>[#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777></code>__)</li> </ul> <h2>Bugfixes</h2> <ul> <li>Fixed a bug where <code>HTTPResponse.read(amt=None)</code> was ignoring decompressed data buffered from previous partial reads. (<code>[#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636></code>__)</li> <li>Fixed a bug where <code>HTTPResponse.read()</code> could cache only part of the response after a partial read when <code>cache_content=True</code>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
7a1c2b0c4e |
Bump python-multipart from 0.0.26 to 0.0.27 in /backend (#1680)
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.26 to 0.0.27. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/releases">python-multipart's releases</a>.</em></p> <blockquote> <h2>0.0.27</h2> <h2>What's Changed</h2> <ul> <li>Pass parse offsets via constructors by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/268">Kludex/python-multipart#268</a></li> <li>Add multipart header limits by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/267">Kludex/python-multipart#267</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.26...0.0.27">https://github.com/Kludex/python-multipart/compare/0.0.26...0.0.27</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md">python-multipart's changelog</a>.</em></p> <blockquote> <h2>0.0.27 (2026-04-27)</h2> <ul> <li>Add multipart header limits <a href="https://redirect.github.com/Kludex/python-multipart/pull/267">#267</a>.</li> <li>Pass parse offsets via constructors <a href="https://redirect.github.com/Kludex/python-multipart/pull/268">#268</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
0f626c344b |
Bump mako from 1.3.11 to 1.3.12 in /backend (#1679)
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.11 to 1.3.12. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sqlalchemy/mako/releases">mako's releases</a>.</em></p> <blockquote> <h1>1.3.12</h1> <p>Released: Tue Apr 28 2026</p> <h2>bug</h2> <ul> <li> <p><strong>[bug] [template]</strong> Fixed issue in <code>TemplateLookup</code> where a URI with backslash path separators (e.g. <code>\..\secret.txt</code>) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.</p> <p>References: <a href="https://redirect.github.com/sqlalchemy/mako/issues/435">#435</a></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/sqlalchemy/mako/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/evroon/bracket/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
06da3d3598 |
Bump axios from 1.15.0 to 1.15.2 in /frontend (#1678)
Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p> <blockquote> <h2>v1.15.2</h2> <p>This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in <code>allowedSocketPaths</code> allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.</p> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Prototype Pollution Hardening (HTTP Adapter):</strong> Hardened the Node HTTP adapter and <code>resolveConfig</code>/<code>mergeConfig</code>/validator paths to read only own properties and use null-prototype config objects, preventing polluted <code>auth</code>, <code>baseURL</code>, <code>socketPath</code>, <code>beforeRedirect</code>, and <code>insecureHTTPParser</code> from influencing requests. (<strong><a href="https://redirect.github.com/axios/axios/issues/10779">#10779</a></strong>)</li> <li><strong>SSRF via <code>socketPath</code>:</strong> Rejects non-string <code>socketPath</code> values and adds an opt-in <code>allowedSocketPaths</code> config option to restrict permitted Unix domain socket paths, returning <code>AxiosError</code> <code>ERR_BAD_OPTION_VALUE</code> on mismatch. (<strong><a href="https://redirect.github.com/axios/axios/issues/10777">#10777</a></strong>)</li> <li><strong>Supply-chain Hardening:</strong> Added <code>.npmrc</code> with <code>ignore-scripts=true</code>, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded <code>SECURITY.md</code>/<code>THREATMODEL.md</code> with provenance verification (<code>npm audit signatures</code>), 60-day resolution policy, and maintainer incident-response runbook. (<strong><a href="https://redirect.github.com/axios/axios/issues/10776">#10776</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong><code>allowedSocketPaths</code> Config Option:</strong> New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (<strong><a href="https://redirect.github.com/axios/axios/issues/10777">#10777</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>Keep-alive Socket Memory Leak:</strong> Installs a single per-socket <code>error</code> listener tracking the active request via <code>kAxiosSocketListener</code>/<code>kAxiosCurrentReq</code>, eliminating per-request listener accumulation, <code>MaxListenersExceededWarning</code>, and linear heap growth under concurrent or long-running keep-alive workloads (fixes <a href="https://redirect.github.com/axios/axios/issues/10780">#10780</a>). (<strong><a href="https://redirect.github.com/axios/axios/issues/10788">#10788</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>Changelog:</strong> Updated <code>CHANGELOG.md</code> with v1.15.1 release notes. (<strong><a href="https://redirect.github.com/axios/axios/issues/10781">#10781</a></strong>)</li> </ul> <p><a href="https://github.com/axios/axios/compare/v1.15.1...v1.15.2">Full Changelog</a></p> <h2>v1.15.1</h2> <p>This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.</p> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Header Injection Hardening:</strong> Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (<strong><a href="https://redirect.github.com/axios/axios/issues/10749">#10749</a></strong>)</li> <li><strong>CRLF Stripping in Multipart Headers:</strong> Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (<strong><a href="https://redirect.github.com/axios/axios/issues/10758">#10758</a></strong>)</li> <li><strong>Prototype Pollution / Auth Bypass:</strong> Replaced unsafe <code>in</code> checks with <code>hasOwnProperty</code> to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (<strong><a href="https://redirect.github.com/axios/axios/issues/10761">#10761</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10760">#10760</a></strong>)</li> <li><strong><code>withXSRFToken</code> Truthy Bypass:</strong> Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (<strong><a href="https://redirect.github.com/axios/axios/issues/10762">#10762</a></strong>)</li> <li><strong><code>maxBodyLength</code> With Zero Redirects:</strong> Enforces <code>maxBodyLength</code> even when <code>maxRedirects</code> is set to <code>0</code>, closing a bypass path for oversized request bodies. (<strong><a href="https://redirect.github.com/axios/axios/issues/10753">#10753</a></strong>)</li> <li><strong>Streamed Response <code>maxContentLength</code> Bypass:</strong> Applies <code>maxContentLength</code> to streamed responses that previously bypassed the cap. (<strong><a href="https://redirect.github.com/axios/axios/issues/10754">#10754</a></strong>)</li> <li><strong>Follow-up CVE Completion:</strong> Completes an earlier incomplete CVE fix to fully close the regression window. (<strong><a href="https://redirect.github.com/axios/axios/issues/10755">#10755</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong>AI-Based Docs Translations:</strong> Initial scaffold for AI-assisted translations of the documentation site. (<strong><a href="https://redirect.github.com/axios/axios/issues/10705">#10705</a></strong>)</li> <li><strong><code>Location</code> Request Header Type:</strong> Adds <code>Location</code> to <code>CommonRequestHeadersList</code> for accurate typing of redirect-aware requests. (<strong><a href="https://redirect.github.com/axios/axios/issues/7528">#7528</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>FormData Handling:</strong> Removes <code>Content-Type</code> when no boundary is present on <code>FormData</code> fetch requests, supports multi-select fields, cancels <code>request.body</code> instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (<strong><a href="https://redirect.github.com/axios/axios/issues/7314">#7314</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10676">#10676</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10702">#10702</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10726">#10726</a></strong>)</li> <li><strong>HTTP Adapter:</strong> Handles socket-only request errors without leaking keep-alive listeners. (<strong><a href="https://redirect.github.com/axios/axios/issues/10576">#10576</a></strong>)</li> <li><strong>Progress Events:</strong> Clamps <code>loaded</code> to <code>total</code> for computable upload/download progress events. (<strong><a href="https://redirect.github.com/axios/axios/issues/7458">#7458</a></strong>)</li> <li><strong>Types:</strong> Aligns <code>runWhen</code> type with the runtime behaviour in <code>InterceptorManager</code> and makes response header keys case-insensitive. (<strong><a href="https://redirect.github.com/axios/axios/issues/7529">#7529</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10677">#10677</a></strong>)</li> <li><strong><code>buildFullPath</code>:</strong> Uses strict equality in the base/relative URL check. (<strong><a href="https://redirect.github.com/axios/axios/issues/7252">#7252</a></strong>)</li> <li><strong><code>AxiosURLSearchParams</code> Regex:</strong> Improves the regex used for param serialisation to avoid edge-case mismatches. (<strong><a href="https://redirect.github.com/axios/axios/issues/10736">#10736</a></strong>)</li> <li><strong>Resilient Value Parsing:</strong> Parses out header/config values instead of throwing on malformed input. (<strong><a href="https://redirect.github.com/axios/axios/issues/10687">#10687</a></strong>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's changelog</a>.</em></p> <blockquote> <h2>v1.15.2 - April 21, 2026</h2> <p>This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in <code>allowedSocketPaths</code> allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.</p> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Prototype Pollution Hardening (HTTP Adapter):</strong> Hardened the Node HTTP adapter and <code>resolveConfig</code>/<code>mergeConfig</code>/validator paths to read only own properties and use null-prototype config objects, preventing polluted <code>auth</code>, <code>baseURL</code>, <code>socketPath</code>, <code>beforeRedirect</code>, and <code>insecureHTTPParser</code> from influencing requests. (<strong><a href="https://redirect.github.com/axios/axios/issues/10779">#10779</a></strong>)</li> <li><strong>SSRF via <code>socketPath</code>:</strong> Rejects non-string <code>socketPath</code> values and adds an opt-in <code>allowedSocketPaths</code> config option to restrict permitted Unix domain socket paths, returning <code>AxiosError</code> <code>ERR_BAD_OPTION_VALUE</code> on mismatch. (<strong><a href="https://redirect.github.com/axios/axios/issues/10777">#10777</a></strong>)</li> <li><strong>Supply-chain Hardening:</strong> Added <code>.npmrc</code> with <code>ignore-scripts=true</code>, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded <code>SECURITY.md</code>/<code>THREATMODEL.md</code> with provenance verification (<code>npm audit signatures</code>), 60-day resolution policy, and maintainer incident-response runbook. (<strong><a href="https://redirect.github.com/axios/axios/issues/10776">#10776</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong><code>allowedSocketPaths</code> Config Option:</strong> New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (<strong><a href="https://redirect.github.com/axios/axios/issues/10777">#10777</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>Keep-alive Socket Memory Leak:</strong> Installs a single per-socket <code>error</code> listener tracking the active request via <code>kAxiosSocketListener</code>/<code>kAxiosCurrentReq</code>, eliminating per-request listener accumulation, <code>MaxListenersExceededWarning</code>, and linear heap growth under concurrent or long-running keep-alive workloads (fixes <a href="https://redirect.github.com/axios/axios/issues/10780">#10780</a>). (<strong><a href="https://redirect.github.com/axios/axios/issues/10788">#10788</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>Changelog:</strong> Updated <code>CHANGELOG.md</code> with v1.15.1 release notes. (<strong><a href="https://redirect.github.com/axios/axios/issues/10781">#10781</a></strong>)</li> </ul> <p><a href="https://github.com/axios/axios/compare/v1.15.1...v1.15.2">Full Changelog</a></p> <hr /> <h2>v1.15.1 - April 19, 2026</h2> <p>This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.</p> <h2>🔒 Security Fixes</h2> <ul> <li> <p><strong>Header Injection Hardening:</strong> Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (<strong><a href="https://redirect.github.com/axios/axios/issues/10749">#10749</a></strong>)</p> </li> <li> <p><strong>CRLF Stripping in Multipart Headers:</strong> Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (<strong><a href="https://redirect.github.com/axios/axios/issues/10758">#10758</a></strong>)</p> </li> <li> <p><strong>Prototype Pollution / Auth Bypass:</strong> Replaced unsafe <code>in</code> checks with <code>hasOwnProperty</code> to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (<strong><a href="https://redirect.github.com/axios/axios/issues/10761">#10761</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10760">#10760</a></strong>)</p> </li> <li> <p><strong><code>withXSRFToken</code> Truthy Bypass:</strong> Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (<strong><a href="https://redirect.github.com/axios/axios/issues/10762">#10762</a></strong>)</p> </li> <li> <p><strong><code>maxBodyLength</code> With Zero Redirects:</strong> Enforces <code>maxBodyLength</code> even when <code>maxRedirects</code> is set to <code>0</code>, closing a bypass path for oversized request bodies. (<strong><a href="https://redirect.github.com/axios/axios/issues/10753">#10753</a></strong>)</p> </li> <li> <p><strong>Streamed Response <code>maxContentLength</code> Bypass:</strong> Applies <code>maxContentLength</code> to streamed responses that previously bypassed the cap. (<strong><a href="https://redirect.github.com/axios/axios/issues/10754">#10754</a></strong>)</p> </li> <li> <p><strong>Follow-up CVE Completion:</strong> Completes an earlier incomplete CVE fix to fully close the regression window. (<strong><a href="https://redirect.github.com/axios/axios/issues/10755">#10755</a></strong>)</p> </li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong>AI-Based Docs Translations:</strong> Initial scaffold for AI-assisted translations of the documentation site. (<strong><a href="https://redirect.github.com/axios/axios/issues/10705">#10705</a></strong>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
3a59b5e4bb |
Bump @typescript-eslint/eslint-plugin from 8.57.0 to 8.58.0 in /frontend (#1677)
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 8.57.0 to 8.58.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">@typescript-eslint/eslint-plugin's releases</a>.</em></p> <blockquote> <h2>v8.58.0</h2> <h2>8.58.0 (2026-03-30)</h2> <h3>🚀 Features</h3> <ul> <li>support TypeScript 6 (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12124">#12124</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> crash in <code>no-unnecessary-type-arguments</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12163">#12163</a>)</li> <li><strong>eslint-plugin:</strong> [no-extraneous-class] handle index signatures (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12142">#12142</a>)</li> <li><strong>eslint-plugin:</strong> [prefer-regexp-exec] avoid fixing unknown RegExp flags (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12161">#12161</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>ej shafran <a href="https://github.com/ej-shafran"><code>@ej-shafran</code></a></li> <li>Evyatar Daud <a href="https://github.com/StyleShit"><code>@StyleShit</code></a></li> <li>GG ZIBLAKING</li> <li>milkboy2564 <a href="https://github.com/SeolJaeHyeok"><code>@SeolJaeHyeok</code></a></li> <li>teee32 <a href="https://github.com/teee32"><code>@teee32</code></a></li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>v8.57.2</h2> <h2>8.57.2 (2026-03-23)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [prefer-optional-chain] remove dangling closing parenthesis (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11865">#11865</a>)</li> <li><strong>eslint-plugin:</strong> [array-type] ignore Array and ReadonlyArray without type arguments (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11971">#11971</a>)</li> <li><strong>eslint-plugin:</strong> [no-restricted-types] flag banned generics in extends or implements (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12120">#12120</a>)</li> <li><strong>eslint-plugin:</strong> [no-unsafe-return] false positive on unwrapping generic (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12125">#12125</a>)</li> <li><strong>eslint-plugin:</strong> [no-unsafe-return] false positive on unwrapping generic (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12125">#12125</a>)</li> <li><strong>eslint-plugin:</strong> [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12127">#12127</a>)</li> <li><strong>eslint-plugin:</strong> [prefer-readonly-parameter-types] preserve type alias infomation (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11954">#11954</a>)</li> <li><strong>typescript-estree:</strong> skip createIsolatedProgram fallback for projectService (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12066">#12066</a>, <a href="https://redirect.github.com/typescript-eslint/typescript-eslint/issues/12065">#12065</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>Konv Suu</li> <li>mdm317</li> <li>Newton Yuan <a href="https://github.com/NewtonYuan"><code>@NewtonYuan</code></a></li> <li>RyoheiYamamoto</li> <li>SungHyun627 <a href="https://github.com/SungHyun627"><code>@SungHyun627</code></a></li> <li>Tamashoo <a href="https://github.com/Tamashoo"><code>@Tamashoo</code></a></li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.57.2">GitHub Releases</a> for more information.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md">@typescript-eslint/eslint-plugin's changelog</a>.</em></p> <blockquote> <h2>8.58.0 (2026-03-30)</h2> <h3>🚀 Features</h3> <ul> <li>support TypeScript 6 (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12124">#12124</a>)</li> </ul> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [prefer-regexp-exec] avoid fixing unknown RegExp flags (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12161">#12161</a>)</li> <li><strong>eslint-plugin:</strong> [no-extraneous-class] handle index signatures (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12142">#12142</a>)</li> <li><strong>eslint-plugin:</strong> crash in <code>no-unnecessary-type-arguments</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12163">#12163</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>ej shafran <a href="https://github.com/ej-shafran"><code>@ej-shafran</code></a></li> <li>Evyatar Daud <a href="https://github.com/StyleShit"><code>@StyleShit</code></a></li> <li>GG ZIBLAKING</li> <li>milkboy2564 <a href="https://github.com/SeolJaeHyeok"><code>@SeolJaeHyeok</code></a></li> <li>teee32 <a href="https://github.com/teee32"><code>@teee32</code></a></li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.0">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.57.2 (2026-03-23)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [prefer-readonly-parameter-types] preserve type alias infomation (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11954">#11954</a>)</li> <li><strong>eslint-plugin:</strong> [no-useless-default-assignment] skip reporting false positives for unresolved type parameters (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12127">#12127</a>)</li> <li><strong>eslint-plugin:</strong> [no-unsafe-return] false positive on unwrapping generic (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12125">#12125</a>)</li> <li><strong>eslint-plugin:</strong> [no-restricted-types] flag banned generics in extends or implements (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12120">#12120</a>)</li> <li><strong>eslint-plugin:</strong> [array-type] ignore Array and ReadonlyArray without type arguments (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11971">#11971</a>)</li> <li><strong>eslint-plugin:</strong> [prefer-optional-chain] remove dangling closing parenthesis (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/11865">#11865</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>Konv Suu</li> <li>mdm317</li> <li>Newton Yuan <a href="https://github.com/NewtonYuan"><code>@NewtonYuan</code></a></li> <li>SungHyun627 <a href="https://github.com/SungHyun627"><code>@SungHyun627</code></a></li> <li>Tamashoo <a href="https://github.com/Tamashoo"><code>@Tamashoo</code></a></li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.57.2">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> <h2>8.57.1 (2026-03-16)</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
110833b014 |
Bump starlette from 0.52.1 to 1.0.0 in /backend (#1675)
Bumps [starlette](https://github.com/Kludex/starlette) from 0.52.1 to 1.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/releases">starlette's releases</a>.</em></p> <blockquote> <h2>Version 1.0.0</h2> <p>Starlette 1.0 is here! 🎉</p> <p>After nearly eight years since its creation, Starlette has reached its first stable release.</p> <p>A special thank you to <a href="https://github.com/lovelydinosaur"><code>@lovelydinosaur</code></a>, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏</p> <p>Thank you to <a href="https://github.com/adriangb"><code>@adriangb</code></a>, <a href="https://github.com/graingert"><code>@graingert</code></a>, <a href="https://github.com/agronholm"><code>@agronholm</code></a>, <a href="https://github.com/florimondmanca"><code>@florimondmanca</code></a>, <a href="https://github.com/aminalaee"><code>@aminalaee</code></a>, <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>, <a href="https://github.com/alex-oleshkevich"><code>@alex-oleshkevich</code></a>, <a href="https://github.com/abersheeran"><code>@abersheeran</code></a>, and <a href="https://github.com/uSpike"><code>@uSpike</code></a> for helping make Starlette what it is today. And to all my sponsors - especially <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>, <a href="https://github.com/huggingface"><code>@huggingface</code></a>, and <a href="https://github.com/elevenlabs"><code>@elevenlabs</code></a> - thank you for your support!</p> <p>Thank you to all <a href="https://github.com/encode/starlette/graphs/contributors">290+ contributors</a> who have shaped Starlette over the years! ❤️</p> <p>Read more on the <a href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog post</a>.</p> <p>Check out the full release notes at <a href="https://www.starlette.io/release-notes/#100-march-22-2026">https://www.starlette.io/release-notes/#100-march-22-2026</a></p> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0">https://github.com/encode/starlette/compare/1.0.0rc1...1.0.0</a></p> <h2>Version 1.0.0rc1</h2> <p>We're ready! 🚀</p> <p>The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.</p> <p>This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.</p> <p>A special thank you to <a href="https://github.com/lovelydinosaur"><code>@lovelydinosaur</code></a>, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏</p> <p>Thank you to <a href="https://github.com/adriangb"><code>@adriangb</code></a>, <a href="https://github.com/graingert"><code>@graingert</code></a>, <a href="https://github.com/agronholm"><code>@agronholm</code></a>, <a href="https://github.com/florimondmanca"><code>@florimondmanca</code></a>, <a href="https://github.com/aminalaee"><code>@aminalaee</code></a>, <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>, <a href="https://github.com/alex-oleshkevich"><code>@alex-oleshkevich</code></a>, and <a href="https://github.com/abersheeran"><code>@abersheeran</code></a> for helping make Starlette what it is today. And to all my sponsors - especially <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>, <a href="https://github.com/huggingface"><code>@huggingface</code></a>, and <a href="https://github.com/elevenlabs"><code>@elevenlabs</code></a> - thank you for your support!</p> <p>Thank you to all <a href="https://github.com/encode/starlette/graphs/contributors">290+ contributors</a> who have shaped Starlette over the years!</p> <p>Check out the full release notes at <a href="https://www.starlette.io/release-notes/#100rc1-february-23-2026">https://www.starlette.io/release-notes/#100rc1-february-23-2026</a></p> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1">https://github.com/Kludex/starlette/compare/0.52.1...1.0.0rc1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's changelog</a>.</em></p> <blockquote> <h2>1.0.0 (March 22, 2026)</h2> <p>Starlette 1.0 is here!</p> <p>After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.</p> <p>You can read more on the <a href="https://marcelotryle.com/blog/2026/03/22/starlette-10-is-here/">blog post</a>.</p> <h4>Added</h4> <ul> <li>Track session access and modification in <code>SessionMiddleware</code> <a href="https://redirect.github.com/encode/starlette/pull/3166">#3166</a>.</li> </ul> <h4>Fixed</h4> <ul> <li>Handle websocket denial responses in <code>StreamingResponse</code> and <code>FileResponse</code> <a href="https://redirect.github.com/encode/starlette/pull/3189">#3189</a>.</li> <li>Use <code>bytearray</code> for field accumulation in <code>FormParser</code> <a href="https://redirect.github.com/encode/starlette/pull/3179">#3179</a>.</li> <li>Move <code>parser.finalize()</code> inside try/except in <code>MultiPartParser.parse()</code> <a href="https://redirect.github.com/encode/starlette/pull/3153">#3153</a>.</li> </ul> <h2>1.0.0rc1 (February 23, 2026)</h2> <p>We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.</p> <p>Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost <a href="https://pypistats.org/packages/starlette">10 million times a day</a>, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.</p> <p>This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.</p> <p>A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:</p> <ul> <li><a href="https://github.com/lovelydinosaur">Kim Christie</a> - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.</li> <li><a href="https://github.com/adriangb">Adrian Garcia Badaracco</a> - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.</li> <li><a href="https://github.com/graingert">Thomas Grainger</a> - My async teacher, always ready to help with questions.</li> <li><a href="https://github.com/agronholm">Alex Grönholm</a> - Another async mentor, always prompt to help with questions.</li> <li><a href="https://github.com/florimondmanca">Florimond Manca</a> - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.</li> <li><a href="https://github.com/aminalaee">Amin Alaee</a> - Contributed a lot with file-related PRs.</li> <li><a href="https://github.com/tiangolo">Sebastián Ramírez</a> - Maintains FastAPI upstream, and always in contact to help with upstream issues.</li> <li><a href="https://github.com/alex-oleshkevich">Alex Oleshkevich</a> - Helped a lot on templates and many discussions.</li> <li><a href="https://github.com/abersheeran">abersheeran</a> - My go-to person when I need help on many subjects.</li> </ul> <p>I'd also like to thank my sponsors for their support. A special thanks to <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>, <a href="https://github.com/huggingface"><code>@huggingface</code></a>, and <a href="https://github.com/elevenlabs"><code>@elevenlabs</code></a> for their generous sponsorship, and to all my other sponsors:</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
17f0b797af |
Bump react-i18next from 16.6.2 to 17.0.1 in /frontend (#1674)
Bumps [react-i18next](https://github.com/i18next/react-i18next) from 16.6.2 to 17.0.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md">react-i18next's changelog</a>.</em></p> <blockquote> <h2>17.0.1</h2> <ul> <li>chore: bump minimum i18next peer dependency to <code>>= 26.0.1</code> <em>(forgot to do it in last version)</em></li> <li>fix: migrate test setup from removed legacy <code>interpolation.format</code> to <code>i18n.services.formatter.add()</code> (i18next v26)</li> </ul> <h2>17.0.0</h2> <h3>Potentially breaking changes</h3> <ul> <li>fix: <code>transKeepBasicHtmlNodesFor</code> now correctly preserves HTML tag names when children contain interpolations or mixed content <a href="https://redirect.github.com/i18next/i18next-cli/issues/230">230</a> <ul> <li>Previously, <code><strong>{{name}}</strong></code> was incorrectly serialized as <code><1>{{name}}</1></code> — the tag name was only preserved for plain string children</li> <li>This bug existed since the feature was introduced and affects auto-generated keys (when no explicit <code>i18nKey</code> is provided)</li> <li>If you rely on auto-generated Trans keys containing indexed tags for kept HTML elements with interpolation children, you will need to update your translation files</li> </ul> </li> </ul> <h3>Other changes</h3> <ul> <li>updated dev dependencies (vitest, rollup plugins, happy-dom, typescript, etc.)</li> </ul> <h3>16.6.6</h3> <ul> <li>fix(peer-deps): bump i18next peer dependency to <code>>= 25.10.9</code> to match required type exports (<code>ConstrainTarget</code>, <code>ApplyTarget</code>, <code>GetSource</code>) used by <code>TransSelector</code> <a href="https://redirect.github.com/i18next/react-i18next/issues/1911">1911</a></li> </ul> <h3>16.6.5</h3> <ul> <li>fix(types): selector keyPrefix overload in <code>useTranslation</code> no longer matches when <code>keyPrefix</code> is absent, fixing <code>defaultNS: false</code> with explicit <code>ns</code> option <a href="https://redirect.github.com/i18next/i18next/issues/2412">2412</a></li> </ul> <h3>16.6.4</h3> <ul> <li>allow TypeScript 6 as peer dependency <a href="https://redirect.github.com/i18next/react-i18next/issues/1910">1910</a></li> </ul> <h3>16.6.3</h3> <ul> <li>fix(types): merge <code>TransSelector</code> overloads into a single signature so <code>typeof Trans</code> remains extendable <a href="https://redirect.github.com/i18next/react-i18next/issues/1909">1909</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
b6591d7a92 |
Bump @tabler/icons-react from 3.40.0 to 3.41.0 in /frontend (#1673)
Bumps [@tabler/icons-react](https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react) from 3.40.0 to 3.41.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/tabler/tabler-icons/releases"><code>@tabler/icons-react</code>'s releases</a>.</em></p> <blockquote> <h2>Release 3.41.0</h2> <!-- raw HTML omitted --> <h3>18 new icons:</h3> <ul> <li><code>outline/brand-jira</code></li> <li><code>outline/car-off-road</code></li> <li><code>outline/car-suspension</code></li> <li><code>outline/credit-card-hand</code></li> <li><code>outline/device-3d-camera</code></li> <li><code>outline/device-3d-lens</code></li> <li><code>outline/device-screen</code></li> <li><code>outline/iceberg</code></li> <li><code>outline/jetski</code></li> <li><code>outline/olympic-torch</code></li> <li><code>outline/parking-meter</code></li> <li><code>outline/pillow</code></li> <li><code>outline/pipeline</code></li> <li><code>outline/quote-open</code></li> <li><code>outline/scan-letter-a</code></li> <li><code>outline/scan-letter-t</code></li> <li><code>outline/segway</code></li> <li><code>outline/x-mark</code></li> </ul> <h3>New features</h3> <ul> <li><strong>Angular support</strong>: new <code>@tabler/icons-angular</code> package with components, build pipeline, unit tests, and <code>test/test-angular</code> sample app (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1091">#1091</a>).</li> <li><strong>SVG validation</strong>: validation for <code><g></code> elements; broader SVG icon validation improvements (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1487">#1487</a>); more consistent SVG path syntax (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1488">#1488</a>).</li> <li><strong><code>icons-react</code></strong>: JSDoc with icon previews in generated output (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1472">#1472</a>).</li> <li><strong><code>icons-react-native</code></strong>: <code>react-native-svg</code> added as a <strong>peer dependency</strong> (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1475">#1475</a>).</li> <li><strong><code>icons-solidjs</code></strong>: SSR support via <code>rollup-preset-solid</code> and JSX/TSX component refactor (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1493">#1493</a>).</li> </ul> <h3>Fixed icons</h3> <ul> <li><strong><code>outline/brand-kbin</code></strong> and <strong><code>outline/volume-4</code></strong>: adjusted for compatibility with <code>buildJsIcons</code> (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1469">#1469</a>).</li> <li><strong><code>outline/number-35-small</code></strong> through <strong><code>outline/number-50-small</code></strong>: updated Unicode values (<a href="https://github.com/tabler/tabler-icons/tree/HEAD/packages/icons-react/issues/1494">#1494</a>).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
a158f25616 |
Bump postcss from 8.5.0 to 8.5.10 in /frontend (#1672)
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.0 to 8.5.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/releases">postcss's releases</a>.</em></p> <blockquote> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> <h2>8.5.6</h2> <ul> <li>Fixed <code>ContainerWithChildren</code> type discriminating (by <a href="https://github.com/Goodwine"><code>@Goodwine</code></a>).</li> </ul> <h2>8.5.5</h2> <ul> <li>Fixed <code>package.json</code>→<code>exports</code> compatibility with some tools (by <a href="https://github.com/JounQin"><code>@JounQin</code></a>).</li> </ul> <h2>8.5.4</h2> <ul> <li>Fixed Parcel compatibility issue (by <a href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li> </ul> <h2>8.5.3</h2> <ul> <li>Added more details to <code>Unknown word</code> error (by <a href="https://github.com/hiepxanh"><code>@hiepxanh</code></a>).</li> <li>Fixed types (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> <li>Fixed docs (by <a href="https://github.com/catnipan"><code>@catnipan</code></a>).</li> </ul> <h2>8.5.2</h2> <ul> <li>Fixed end position of rules with semicolon (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.5.1</h2> <ul> <li>Fixed backwards compatibility for complex cases (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's changelog</a>.</em></p> <blockquote> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> <h2>8.5.6</h2> <ul> <li>Fixed <code>ContainerWithChildren</code> type discriminating (by <a href="https://github.com/Goodwine"><code>@Goodwine</code></a>).</li> </ul> <h2>8.5.5</h2> <ul> <li>Fixed <code>package.json</code>→<code>exports</code> compatibility with some tools (by <a href="https://github.com/JounQin"><code>@JounQin</code></a>).</li> </ul> <h2>8.5.4</h2> <ul> <li>Fixed Parcel compatibility issue (by <a href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li> </ul> <h2>8.5.3</h2> <ul> <li>Added more details to <code>Unknown word</code> error (by <a href="https://github.com/hiepxanh"><code>@hiepxanh</code></a>).</li> <li>Fixed types (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> <li>Fixed docs (by <a href="https://github.com/catnipan"><code>@catnipan</code></a>).</li> </ul> <h2>8.5.2</h2> <ul> <li>Fixed end position of rules with semicolon (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.5.1</h2> <ul> <li>Fixed backwards compatibility for complex cases (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.5 “Duke Alloces”</h2> <ul> <li>Added <code>Input#document</code> for sources like CSS-in-JS or HTML (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <h2>8.4.49</h2> <ul> <li>Fixed custom syntax without <code>source.offset</code> (by <a href="https://github.com/romainmenke"><code>@romainmenke</code></a>).</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
dae5d1d023 |
Bump postcss from 8.5.6 to 8.5.10 in /docs (#1671)
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/releases">postcss's releases</a>.</em></p> <blockquote> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's changelog</a>.</em></p> <blockquote> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
6cb1ffffb3 |
Bump i18next-http-backend from 3.0.2 to 3.0.5 in /frontend (#1669)
Bumps [i18next-http-backend](https://github.com/i18next/i18next-http-backend) from 3.0.2 to 3.0.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/i18next/i18next-http-backend/blob/master/CHANGELOG.md">i18next-http-backend's changelog</a>.</em></p> <blockquote> <h3>3.0.5</h3> <p>Security release — all issues found via an internal audit. See published advisory <a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>.</p> <ul> <li>security: refuse to build request URLs when <code>lng</code> or <code>ns</code> values contain path-traversal, URL-structure (<code>?</code>, <code>#</code>, <code>%</code>, <code>@</code>, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. <code>isSafeUrlSegment</code> is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, <code>+</code>-joined multi-language requests) (<a href="https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g">GHSA-q89c-q3h5-w34g</a>)</li> <li>security: per-instance <code>omitFetchOptions</code> — the fetch-options-stripping fallback is now scoped to a single backend instance via <code>options._omitFetchOptions</code> instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips <code>requestOptions</code> (including <code>credentials</code>, <code>mode</code>, <code>cache</code>) from every other backend instance in the same process</li> <li>security: strip CR/LF/NUL and other C0/C1 control characters from <code>lng</code>/<code>ns</code> / URL values before they appear in error-callback strings (CWE-117 log forging)</li> <li>security: redact <code>user:password</code> credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in <code>loadPath</code> / <code>addPath</code></li> <li>security: iterate own enumerable keys only (<code>Object.keys</code> + prototype-key guard) in <code>addQueryString</code> and in the <code>customHeaders</code> loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers</li> <li>chore: ignore <code>.env*</code> and <code>*.pem</code>/<code>*.key</code> files in <code>.gitignore</code></li> </ul> <h3>3.0.4</h3> <ul> <li>use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator <a href="https://redirect.github.com/i18next/i18next/issues/2420">i18next#2420</a> — this means only <code>{{lng}}</code> and <code>{{ns}}</code> placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
454bdf4538 |
Bump python-dotenv from 1.2.1 to 1.2.2 in /backend (#1668)
Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.2.1 to 1.2.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/theskumar/python-dotenv/releases">python-dotenv's releases</a>.</em></p> <blockquote> <h2>v1.2.2</h2> <h3>Added</h3> <ul> <li>Support for Python 3.14, including the free-threaded (3.14t) build. (#)</li> </ul> <h3>Changed</h3> <ul> <li>The <code>dotenv run</code> command now forwards flags directly to the specified command by <a href="https://github.com/bbc2"><code>@bbc2</code></a> in <a href="https://redirect.github.com/theskumar/python-dotenv/pull/607">theskumar/python-dotenv#607</a></li> <li>Improved documentation clarity regarding override behavior and the reference page.</li> <li>Updated PyPy support to version 3.11.</li> <li>Documentation for FIFO file support.</li> <li>Support for Python 3.9.</li> </ul> <h3>Fixed</h3> <ul> <li>Improved <code>set_key</code> and <code>unset_key</code> behavior when interacting with symlinks by <a href="https://github.com/bbc2"><code>@bbc2</code></a> in <a href=" |
||
|
dependabot[bot]
|
81d43f3079 |
Bump actions/setup-node from 6 to 6.3.0 (#1667)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6 to 6.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v6.3.0</h2> <h2>What's Changed</h2> <h3>Enhancements:</h3> <ul> <li>Support parsing <code>devEngines</code> field by <a href="https://github.com/susnux"><code>@susnux</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li> </ul> <blockquote> <p>When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.</p> </blockquote> <h3>Dependency updates:</h3> <ul> <li>Fix npm audit issues by <a href="https://github.com/gowridurgad"><code>@gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1491">actions/setup-node#1491</a></li> <li>Replace uuid with crypto.randomUUID() by <a href="https://github.com/trivikr"><code>@trivikr</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1378">actions/setup-node#1378</a></li> <li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1498">actions/setup-node#1498</a></li> </ul> <h3>Bug fixes:</h3> <ul> <li>Remove hardcoded bearer for mirror-url <a href="https://github.com/marco-ippolito"><code>@marco-ippolito</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1467">actions/setup-node#1467</a></li> <li>Scope test lockfiles by package manager and update cache tests by <a href="https://github.com/gowridurgad"><code>@gowridurgad</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1495">actions/setup-node#1495</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/susnux"><code>@susnux</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v6...v6.3.0">https://github.com/actions/setup-node/compare/v6...v6.3.0</a></p> <h2>v6.2.0</h2> <h2>What's Changed</h2> <h3>Documentation</h3> <ul> <li>Documentation update related to absence of Lockfile by <a href="https://github.com/mahabaleshwars"><code>@mahabaleshwars</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1454">actions/setup-node#1454</a></li> <li>Correct mirror option typos by <a href="https://github.com/MikeMcC399"><code>@MikeMcC399</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1442">actions/setup-node#1442</a></li> <li>Readme update on checkout version v6 by <a href="https://github.com/deining"><code>@deining</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1446">actions/setup-node#1446</a></li> <li>Readme typo fixes <a href="https://github.com/munyari"><code>@munyari</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1226">actions/setup-node#1226</a></li> <li>Advanced document update on checkout version v6 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1468">actions/setup-node#1468</a></li> </ul> <h3>Dependency updates:</h3> <ul> <li>Upgrade <code>@actions/cache</code> to v5.0.1 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1449">actions/setup-node#1449</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/mahabaleshwars"><code>@mahabaleshwars</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1454">actions/setup-node#1454</a></li> <li><a href="https://github.com/MikeMcC399"><code>@MikeMcC399</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1442">actions/setup-node#1442</a></li> <li><a href="https://github.com/deining"><code>@deining</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1446">actions/setup-node#1446</a></li> <li><a href="https://github.com/munyari"><code>@munyari</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1226">actions/setup-node#1226</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v6...v6.2.0">https://github.com/actions/setup-node/compare/v6...v6.2.0</a></p> <h2>v6.1.0</h2> <h2>What's Changed</h2> <h3>Enhancement:</h3> <ul> <li>Remove always-auth configuration handling by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1436">actions/setup-node#1436</a></li> </ul> <h3>Dependency updates:</h3> <ul> <li>Upgrade <code>@actions/cache</code> from 4.0.3 to 4.1.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1384">actions/setup-node#1384</a></li> <li>Upgrade actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-node/pull/1439">actions/setup-node#1439</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
github-actions[bot]
|
366c4c438b |
Update contributors in readme (#1666)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
3b61f5c979 |
Bump mako from 1.3.10 to 1.3.11 in /backend (#1665)
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.10 to 1.3.11. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sqlalchemy/mako/releases">mako's releases</a>.</em></p> <blockquote> <h1>1.3.11</h1> <p>Released: Tue Apr 14 2026</p> <h2>bug</h2> <ul> <li> <p><strong>[bug] [template]</strong> Fixed issue in <code>TemplateLookup</code> where a URI with a double-slash prefix (e.g. <code>//../../</code>) could bypass the directory traversal check in <code>Template</code>, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between <code>TemplateLookup.get_template()</code> and <code>Template</code> initialization.</p> <p>References: <a href="https://redirect.github.com/sqlalchemy/mako/issues/434">#434</a></p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/sqlalchemy/mako/commits">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/evroon/bracket/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
Erik Vroon
|
aa5ff361a7 | Update deps (#1663) | ||
|
Byte
|
1843347dca |
Fix provided port in docs (#1652)
The port in the docker compose seems to be 8400, however the docs say it's 3000. Users may not know why they are seeing Connection refused issues |
||
|
dependabot[bot]
|
c4b05352a3 |
Bump python-multipart from 0.0.22 to 0.0.26 in /backend (#1662)
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.22 to 0.0.26. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/releases">python-multipart's releases</a>.</em></p> <blockquote> <h2>Version 0.0.26</h2> <h2>What's Changed</h2> <ul> <li>Skip preamble before first multipart boundary by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/262">Kludex/python-multipart#262</a></li> <li>Silently discard epilogue data after the closing boundary by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/259">Kludex/python-multipart#259</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.25...0.0.26">https://github.com/Kludex/python-multipart/compare/0.0.25...0.0.26</a></p> <h2>Version 0.0.25</h2> <h2>What's Changed</h2> <ul> <li>Apply Apache-2.0 properly by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/247">Kludex/python-multipart#247</a></li> <li>Handle multipart headers case-insensitively by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/252">Kludex/python-multipart#252</a></li> <li>Emit <code>field_end</code> for trailing bare field names on finalize by <a href="https://github.com/bysiber"><code>@bysiber</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/230">Kludex/python-multipart#230</a></li> <li>Add <code>UPLOAD_DELETE_TMP</code> to <code>FormParser</code> config by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/254">Kludex/python-multipart#254</a></li> <li>Remove custom FormParser classes by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/257">Kludex/python-multipart#257</a></li> <li>Handle CTE values case-insensitively by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/258">Kludex/python-multipart#258</a></li> <li>Add MIME content type info to File by <a href="https://github.com/jhnstrk"><code>@jhnstrk</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/143">Kludex/python-multipart#143</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.24...0.0.25">https://github.com/Kludex/python-multipart/compare/0.0.24...0.0.25</a></p> <h2>Version 0.0.24</h2> <h2>What's Changed</h2> <ul> <li>Validate <code>chunk_size</code> in <code>parse_form()</code> by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/244">Kludex/python-multipart#244</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.23...0.0.24">https://github.com/Kludex/python-multipart/compare/0.0.23...0.0.24</a></p> <h2>Version 0.0.23</h2> <h2>What's Changed</h2> <ul> <li>Remove unused <code>trust_x_headers</code> parameter and <code>X-File-Name</code> fallback by <a href="https://github.com/jhnstrk"><code>@jhnstrk</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/196">Kludex/python-multipart#196</a></li> <li>Return processed length from <code>QuerystringParser._internal_write</code> by <a href="https://github.com/bysiber"><code>@bysiber</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/229">Kludex/python-multipart#229</a></li> <li>Cleanup metadata dunders from <code>__init__.py</code> by <a href="https://github.com/Chesars"><code>@Chesars</code></a> in <a href="https://redirect.github.com/Kludex/python-multipart/pull/227">Kludex/python-multipart#227</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Chesars"><code>@Chesars</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/python-multipart/pull/227">Kludex/python-multipart#227</a></li> <li><a href="https://github.com/bysiber"><code>@bysiber</code></a> made their first contribution in <a href="https://redirect.github.com/Kludex/python-multipart/pull/229">Kludex/python-multipart#229</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.23">https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.23</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md">python-multipart's changelog</a>.</em></p> <blockquote> <h2>0.0.26 (2026-04-10)</h2> <ul> <li>Skip preamble before the first multipart boundary more efficiently <a href="https://redirect.github.com/Kludex/python-multipart/pull/262">#262</a>.</li> <li>Silently discard epilogue data after the closing multipart boundary <a href="https://redirect.github.com/Kludex/python-multipart/pull/259">#259</a>.</li> </ul> <h2>0.0.25 (2026-04-10)</h2> <ul> <li>Add MIME content type info to <code>File</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/143">#143</a>.</li> <li>Handle CTE values case-insensitively <a href="https://redirect.github.com/Kludex/python-multipart/pull/258">#258</a>.</li> <li>Remove custom <code>FormParser</code> classes <a href="https://redirect.github.com/Kludex/python-multipart/pull/257">#257</a>.</li> <li>Add <code>UPLOAD_DELETE_TMP</code> to <code>FormParser</code> config <a href="https://redirect.github.com/Kludex/python-multipart/pull/254">#254</a>.</li> <li>Emit <code>field_end</code> for trailing bare field names on finalize <a href="https://redirect.github.com/Kludex/python-multipart/pull/230">#230</a>.</li> <li>Handle multipart headers case-insensitively <a href="https://redirect.github.com/Kludex/python-multipart/pull/252">#252</a>.</li> <li>Apply Apache-2.0 properly <a href="https://redirect.github.com/Kludex/python-multipart/pull/247">#247</a>.</li> </ul> <h2>0.0.24 (2026-04-05)</h2> <ul> <li>Validate <code>chunk_size</code> in <code>parse_form()</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/244">#244</a>.</li> </ul> <h2>0.0.23 (2026-04-05)</h2> <ul> <li>Remove unused <code>trust_x_headers</code> parameter and <code>X-File-Name</code> fallback <a href="https://redirect.github.com/Kludex/python-multipart/pull/196">#196</a>.</li> <li>Return processed length from <code>QuerystringParser._internal_write</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/229">#229</a>.</li> <li>Cleanup metadata dunders from <code>__init__.py</code> <a href="https://redirect.github.com/Kludex/python-multipart/pull/227">#227</a>.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Copilot
|
1044914a48 |
fix: enforce dashboard_public check for unauthenticated API access (GHSA-9mjc-6fp2-hm9v) (#1660)
## Summary
Fixes the missing `dashboard_public` check security vulnerability
(GHSA-9mjc-6fp2-hm9v).
### Root cause
The `user_authenticated_or_public_dashboard` dependency in `auth.py`
only verified that the tournament existed in the database, but never
checked whether `dashboard_public = True`. This allowed unauthenticated
users to access sensitive tournament data on the following endpoints
even when the tournament was not publicly shared:
- `GET /tournaments/{tournament_id}` (partially protected by an explicit
post-dependency check)
- `GET /tournaments/{tournament_id}/courts`
- `GET /tournaments/{tournament_id}/teams`
- `GET /tournaments/{tournament_id}/rankings`
- `GET /tournaments/{tournament_id}/stages`
### Changes
- **`backend/bracket/routes/auth.py`**: Added `not
tournaments_fetched[0].dashboard_public` to the check in
`user_authenticated_or_public_dashboard`. Unauthenticated requests to a
tournament with `dashboard_public=False` now receive a 401 response.
- **`backend/bracket/routes/tournaments.py`**: Removed the now-redundant
explicit `dashboard_public` check in `get_tournament` (the dependency
handles it now).
- **`backend/tests/integration_tests/api/tournaments_test.py`**: Added
`test_non_public_tournament_endpoints_blocked_for_unauthenticated_users`
to assert that all affected endpoints return 401 for unauthenticated
requests when `dashboard_public=False`.
Note: `user_authenticated_or_public_dashboard_by_endpoint_name` (used
for the `GET /tournaments?endpoint_name=` route) was not affected — it
delegates to `sql_get_tournament_by_endpoint_name` which already
includes `AND dashboard_public IS TRUE` in its SQL query.
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: evroon <11857441+evroon@users.noreply.github.com>
|
||
|
dependabot[bot]
|
561467a342 |
Bump pytest from 9.0.1 to 9.0.3 in /backend (#1659)
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.1 to 9.0.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pytest-dev/pytest/releases">pytest's releases</a>.</em></p> <blockquote> <h2>9.0.3</h2> <h1>pytest 9.0.3 (2026-04-07)</h1> <h2>Bug fixes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12444">#12444</a>: Fixed <code>pytest.approx</code> which now correctly takes into account <code>~collections.abc.Mapping</code> keys order to compare them.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13634">#13634</a>: Blocking a <code>conftest.py</code> file using the <code>-p no:</code> option is now explicitly disallowed.</p> <p>Previously this resulted in an internal assertion failure during plugin loading.</p> <p>Pytest now raises a clear <code>UsageError</code> explaining that conftest files are not plugins and cannot be disabled via <code>-p</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13734">#13734</a>: Fixed crash when a test raises an exceptiongroup with <code>__tracebackhide__ = True</code>.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14195">#14195</a>: Fixed an issue where non-string messages passed to <!-- raw HTML omitted -->unittest.TestCase.subTest()<!-- raw HTML omitted --> were not printed.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/14343">#14343</a>: Fixed use of insecure temporary directory (CVE-2025-71176).</p> </li> </ul> <h2>Improved documentation</h2> <ul> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13388">#13388</a>: Clarified documentation for <code>-p</code> vs <code>PYTEST_PLUGINS</code> plugin loading and fixed an incorrect <code>-p</code> example.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/13731">#13731</a>: Clarified that capture fixtures (e.g. <code>capsys</code> and <code>capfd</code>) take precedence over the <code>-s</code> / <code>--capture=no</code> command-line options in <code>Accessing captured output from a test function <accessing-captured-output></code>.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14088">#14088</a>: Clarified that the default <code>pytest_collection</code> hook sets <code>session.items</code> before it calls <code>pytest_collection_finish</code>, not after.</li> <li><a href="https://redirect.github.com/pytest-dev/pytest/issues/14255">#14255</a>: TOML integer log levels must be quoted: Updating reference documentation.</li> </ul> <h2>Contributor-facing changes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/12689">#12689</a>: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible <a href="https://app.codecov.io/gh/pytest-dev/pytest/tests">on the web interface</a>.</p> <p>-- by <code>aleguy02</code></p> </li> </ul> <h2>9.0.2</h2> <h1>pytest 9.0.2 (2025-12-06)</h1> <h2>Bug fixes</h2> <ul> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13896">#13896</a>: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.</p> <p>You may enable it again by passing <code>-p terminalprogress</code>. We may enable it by default again once compatibility improves in the future.</p> <p>Additionally, when the environment variable <code>TERM</code> is <code>dumb</code>, the escape codes are no longer emitted, even if the plugin is enabled.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13904">#13904</a>: Fixed the TOML type of the <code>tmp_path_retention_count</code> settings in the API reference from number to string.</p> </li> <li> <p><a href="https://redirect.github.com/pytest-dev/pytest/issues/13946">#13946</a>: The private <code>config.inicfg</code> attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
737ba642f3 |
Bump @vitejs/plugin-react from 5.2.0 to 6.0.1 in /frontend (#1658)
Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.2.0 to 6.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/releases"><code>@vitejs/plugin-react</code>'s releases</a>.</em></p> <blockquote> <h2>plugin-react@6.0.1</h2> <h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3> <p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to include <code>^0.2.0</code>.</p> <h2>plugin-react@6.0.0</h2> <h3>Remove Babel Related Features (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3> <p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.</p> <p>If you are using Babel, you can use <code>@rolldown/plugin-babel</code> together with this plugin:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' import react from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li> <pre><code>react({ </code></pre> </li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> <li> <pre><code>}), </code></pre> </li> </ul> <ul> <li> <pre><code>react(), </code></pre> </li> <li> <pre><code>babel({ </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code>}), </code></pre> ] }) </code></pre></li> </ul> <p>For React compiler users, you can use <code>reactCompilerPreset</code> for easier setup with preconfigured filter to improve build performance:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' -import react from '@vitejs/plugin-react' +import react, { reactCompilerPreset } from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li>react({</li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['babel-plugin-react-compiler'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> <li>}),</li> </ul> <ul> <li>react(),</li> <li>babel({</li> <li> <pre><code> presets: [reactCompilerPreset()] </code></pre> </li> </ul> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md"><code>@vitejs/plugin-react</code>'s changelog</a>.</em></p> <blockquote> <h2>6.0.1 (2026-03-13)</h2> <h3>Expand <code>@rolldown/plugin-babel</code> peer dep range (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1146">#1146</a>)</h3> <p>Expanded <code>@rolldown/plugin-babel</code> peer dep range to include <code>^0.2.0</code>.</p> <h2>6.0.0 (2026-03-12)</h2> <h2>6.0.0-beta.0 (2026-03-03)</h2> <h3>Remove Babel Related Features (<a href="https://redirect.github.com/vitejs/vite-plugin-react/pull/1123">#1123</a>)</h3> <p>Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.</p> <p>If you are using Babel, you can use <code>@rolldown/plugin-babel</code> together with this plugin:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' import react from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li> <pre><code>react({ </code></pre> </li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> <li> <pre><code>}), </code></pre> </li> </ul> <ul> <li> <pre><code>react(), </code></pre> </li> <li> <pre><code>babel({ </code></pre> </li> <li> <pre><code> plugins: ['@babel/plugin-proposal-throw-expressions'], </code></pre> </li> <li> <pre><code>}), </code></pre> ] }) </code></pre></li> </ul> <p>For React compiler users, you can use <code>reactCompilerPreset</code> for easier setup with preconfigured filter to improve build performance:</p> <pre lang="diff"><code> import { defineConfig } from 'vite' -import react from '@vitejs/plugin-react' +import react, { reactCompilerPreset } from '@vitejs/plugin-react' +import babel from '@rolldown/plugin-babel' <p>export default defineConfig({ plugins: [</p> <ul> <li>react({</li> <li> <pre><code> babel: { </code></pre> </li> <li> <pre><code> plugins: ['babel-plugin-react-compiler'], </code></pre> </li> <li> <pre><code> }, </code></pre> </li> </ul> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
16af31c7b9 |
Bump starlette from 0.49.1 to 0.52.1 in /backend (#1657)
Bumps [starlette](https://github.com/Kludex/starlette) from 0.49.1 to 0.52.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/releases">starlette's releases</a>.</em></p> <blockquote> <h2>Version 0.52.1</h2> <h2>What's Changed</h2> <ul> <li>Only use <code>typing_extensions</code> in older Python versions by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/starlette/pull/3109">Kludex/starlette#3109</a></li> </ul> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/0.52.0...0.52.1">https://github.com/Kludex/starlette/compare/0.52.0...0.52.1</a></p> <h2>Version 0.52.0</h2> <p>In this release, <code>State</code> can be accessed using dictionary-style syntax for improved type safety (<a href="https://redirect.github.com/Kludex/starlette/pull/3036">#3036</a>).</p> <pre lang="python"><code>from collections.abc import AsyncIterator from contextlib import asynccontextmanager from typing import TypedDict <p>import httpx</p> <p>from starlette.applications import Starlette from starlette.requests import Request</p> <p>class State(TypedDict): http_client: httpx.AsyncClient</p> <p><a href="https://github.com/asynccontextmanager"><code>@asynccontextmanager</code></a> async def lifespan(app: Starlette) -> AsyncIterator[State]: async with httpx.AsyncClient() as client: yield {"http_client": client}</p> <p>async def homepage(request: Request[State]): client = request.state["http_client"] # If you run the below line with mypy or pyright, it will reveal the correct type. reveal_type(client) # Revealed type is 'httpx.AsyncClient' </code></pre></p> <p>See <a href="https://github.com/Kludex/starlette/blob/HEAD/lifespan.md#accessing-state">Accessing State</a> for more details.</p> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/starlette/compare/0.51.0...0.52.0">https://github.com/Kludex/starlette/compare/0.51.0...0.52.0</a></p> <h2>Version 0.51.0</h2> <h2>Added</h2> <ul> <li>Add <code>allow_private_network</code> in <code>CORSMiddleware</code> <a href="https://redirect.github.com/Kludex/starlette/pull/3065">#3065</a>.</li> </ul> <h2>Changed</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/starlette/blob/main/docs/release-notes.md">starlette's changelog</a>.</em></p> <blockquote> <h2>0.52.1 (January 18, 2026)</h2> <h4>Fixed</h4> <ul> <li>Only use <code>typing_extensions</code> in older Python versions <a href="https://redirect.github.com/Kludex/starlette/pull/3109">#3109</a>.</li> </ul> <h2>0.52.0 (January 18, 2026)</h2> <p>In this release, <code>State</code> can be accessed using dictionary-style syntax for improved type safety (<a href="https://redirect.github.com/Kludex/starlette/pull/3036">#3036</a>).</p> <pre lang="python"><code>from collections.abc import AsyncIterator from contextlib import asynccontextmanager from typing import TypedDict <p>import httpx</p> <p>from starlette.applications import Starlette from starlette.requests import Request</p> <p>class State(TypedDict): http_client: httpx.AsyncClient</p> <p><a href="https://github.com/asynccontextmanager"><code>@asynccontextmanager</code></a> async def lifespan(app: Starlette) -> AsyncIterator[State]: async with httpx.AsyncClient() as client: yield {"http_client": client}</p> <p>async def homepage(request: Request[State]): client = request.state["http_client"] # If you run the below line with mypy or pyright, it will reveal the correct type. reveal_type(client) # Revealed type is 'httpx.AsyncClient' </code></pre></p> <p>See <a href="https://github.com/Kludex/starlette/blob/main/docs/lifespan.md#accessing-state">Accessing State</a> for more details.</p> <h2>0.51.0 (January 10, 2026)</h2> <h4>Added</h4> <ul> <li>Add <code>allow_private_network</code> in <code>CORSMiddleware</code> <a href="https://redirect.github.com/Kludex/starlette/pull/3065">#3065</a>.</li> </ul> <h4>Changed</h4> <ul> <li>Increase warning stacklevel on <code>DeprecationWarning</code> for wsgi module <a href="https://redirect.github.com/Kludex/starlette/pull/3082">#3082</a>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Copilot
|
10db82f397 |
Add 1-month cooldown to all Dependabot update configurations (#1656)
Dependabot was configured to create PRs immediately after new versions
were published. Adding a 30-day cooldown across all ecosystems reduces
churn from short-lived or unstable releases.
## Changes
- Added `cooldown: default-days: 30` to all five package ecosystems in
`.github/dependabot.yml`:
- `uv` (backend)
- `npm` (frontend, docs)
- `github-actions`
- `docker`
- `docker-compose`
```yaml
- package-ecosystem: "uv"
directory: "/backend"
schedule:
interval: "weekly"
cooldown:
default-days: 30
```
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: evroon <11857441+evroon@users.noreply.github.com>
|
||
|
dependabot[bot]
|
0d8ee4adf9 |
Bump pyrefly from 0.58.0 to 0.60.0 in /backend (#1647)
Bumps [pyrefly](https://github.com/facebook/pyrefly) from 0.58.0 to 0.60.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/facebook/pyrefly/releases">pyrefly's releases</a>.</em></p> <blockquote> <h2>Pyrefly v0.60.0</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/facebook/pyrefly/compare/0.59.1...0.60.0">https://github.com/facebook/pyrefly/compare/0.59.1...0.60.0</a></p> <h2>Pyrefly v0.59.1</h2> <p>Fixed a performance regression in 0.59.0.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/facebook/pyrefly/compare/0.59.0...0.59.1">https://github.com/facebook/pyrefly/compare/0.59.0...0.59.1</a></p> <h2>Pyrefly v0.59.0</h2> <p><strong>Status : Beta</strong><br /> <em><strong>Release date:</strong> March 30, 2026</em></p> <p>Pyrefly v0.59.0 bundles <strong>153 commits</strong> from <strong>20 contributors</strong>.</p> <hr /> <h2>✨ New & Improved</h2> <table> <thead> <tr> <th align="left">Area</th> <th align="left">What’s new</th> </tr> </thead> <tbody> <tr> <td align="left"><strong>Type Checking</strong></td> <td align="left">- You can now use <code>while...else</code> statements with returns in the <code>else</code> clause without triggering a false positive <code>missing-explicit-return</code> error. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Pyrefly now correctly handles type inference for nested empty dictionaries when constructing TypedDict instances, avoiding <code>implicit-any</code> errors. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Error messages now highlight related code with inline labels; for example, an unsupported * operation will show the types of both operands directly in the source snippet</td> </tr> <tr> <td align="left"><strong>Language Server</strong></td> <td align="left">- LSP hover information for classes now displays constructor signature and docstring. <!-- raw HTML omitted --><!-- raw HTML omitted -->- Support additional LSP functionality for notebooks, including find-references and rename.</td> </tr> <tr> <td align="left"><strong>Performance</strong></td> <td align="left">- Faster typechecking in large pythonc codebases, up to 2x faster on recent benchmarks on real world projects <!-- raw HTML omitted --><!-- raw HTML omitted -->- Reduced CPU usage through smarter caching of module resolution results <!-- raw HTML omitted --><!-- raw HTML omitted -->- Improved performance of the LSP server by reducing redundant workspace diagnostic publishes.</td> </tr> </tbody> </table> <hr /> <h2>🐛 bug fixes</h2> <p>We closed 16 bug issues this release 👏</p> <ul> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2026">#2026</a>: Fixed an issue where recursive bounded generics were incorrectly reported as <code>object</code>, ensuring accurate type checking.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2812">#2812</a>: Resolved a false positive <code>invalid-type-var</code> error when persisting the <code>get</code> method of a fully-annotated <code>dict</code>.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2804">#2804</a>: Fixed an <code>implicit-any</code> false positive that occurred with TypedDict items, improving code readability.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2868">#2868</a>: Pyrefly now correctly recognizes <code>while...else</code> statements with returns in the <code>else</code> clause as exhaustive.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2814">#2814</a>: Enhanced hover information for <code>datetime.datetime</code> imports to display constructor signatures and docstrings.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2896">#2896</a>: Fixed a <code>bad-argument-type</code> error that occurred when using double-underscore arguments.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2893">#2893</a>: Pyrefly now correctly handles dict Literal key types as subtypes of str key types.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2865">#2865</a>: Resolved an issue where tuple subclasses with overridden <code>__getitem__</code> were not recognized.</li> <li><a href="https://redirect.github.com/facebook/pyrefly/issues/2871">#2871</a>: Fixed a false positive error when using <code>isinstance</code> with <code>type | X</code>.</li> <li>And more! <a href="https://redirect.github.com/facebook/pyrefly/issues/2444">#2444</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/1270">#1270</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/2900">#2900</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/2862">#2862</a>, <a href="https://redirect.github.com/facebook/pyrefly/issues/2853">#2853</a></li> </ul> <p>Thank-you to all our contributors who found these bugs and reported them! Did you know this is one of the most helpful contributions you can make to an open-source project? If you find any bugs in Pyrefly we want to know about them! Please open a bug report issue <a href="https://github.com/facebook/pyrefly/issues">here</a></p> <hr /> <h2>📦 Upgrade</h2> <pre lang="shell"><code>pip install --upgrade pyrefly==0.59.0 </code></pre> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
5ee9fcbacf |
Bump fastapi from 0.128.0 to 0.135.3 in /backend (#1650)
Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.128.0 to 0.135.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fastapi/fastapi/releases">fastapi's releases</a>.</em></p> <blockquote> <h2>0.135.3</h2> <h3>Features</h3> <ul> <li>✨ Add support for <code>@app.vibe()</code>. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15280">#15280</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>. <ul> <li>New docs: <a href="https://fastapi.tiangolo.com/advanced/vibe/">Vibe Coding</a>.</li> </ul> </li> </ul> <h3>Docs</h3> <ul> <li>✏️ Fix typo for <code>client_secret</code> in OAuth2 form docstrings. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/14946">#14946</a> by <a href="https://github.com/bysiber"><code>@bysiber</code></a>.</li> </ul> <h3>Internal</h3> <ul> <li>👥 Update FastAPI People - Experts. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15279">#15279</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>⬆ Bump orjson from 3.11.7 to 3.11.8. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15276">#15276</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>⬆ Bump ruff from 0.15.0 to 0.15.8. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15277">#15277</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>👥 Update FastAPI GitHub topic repositories. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15274">#15274</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>⬆ Bump fastmcp from 2.14.5 to 3.2.0. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15267">#15267</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>👥 Update FastAPI People - Contributors and Translators. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15270">#15270</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>⬆ Bump requests from 2.32.5 to 2.33.0. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15228">#15228</a> by <a href="https://github.com/apps/dependabot"><code>@dependabot[bot]</code></a>.</li> <li>👷 Add ty check to <code>lint.sh</code>. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15136">#15136</a> by <a href="https://github.com/svlandeg"><code>@svlandeg</code></a>.</li> </ul> <h2>0.135.2</h2> <h3>Upgrades</h3> <ul> <li>⬆️ Increase lower bound to <code>pydantic >=2.9.0.</code> and fix the test suite. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15139">#15139</a> by <a href="https://github.com/svlandeg"><code>@svlandeg</code></a>.</li> </ul> <h3>Docs</h3> <ul> <li>📝 Add missing last release notes dates. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15202">#15202</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>📝 Update docs for contributors and team members regarding translation PRs. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15200">#15200</a> by <a href="https://github.com/YuriiMotov"><code>@YuriiMotov</code></a>.</li> <li>💄 Fix code blocks in reference docs overflowing table width. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15094">#15094</a> by <a href="https://github.com/YuriiMotov"><code>@YuriiMotov</code></a>.</li> <li>📝 Fix duplicated words in docstrings. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15116">#15116</a> by <a href="https://github.com/AhsanSheraz"><code>@AhsanSheraz</code></a>.</li> <li>📝 Add docs for <code>pyproject.toml</code> with <code>entrypoint</code>. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15075">#15075</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>📝 Update links in docs to no longer use the classes external-link and internal-link. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15061">#15061</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🔨 Add JS and CSS handling for automatic <code>target=_blank</code> for links in docs. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15063">#15063</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>💄 Update styles for internal and external links in new tab. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15058">#15058</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>📝 Add documentation for the FastAPI VS Code extension. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15008">#15008</a> by <a href="https://github.com/savannahostrowski"><code>@savannahostrowski</code></a>.</li> <li>📝 Fix doctrings for <code>max_digits</code> and <code>decimal_places</code>. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/14944">#14944</a> by <a href="https://github.com/YuriiMotov"><code>@YuriiMotov</code></a>.</li> <li>📝 Add dates to release notes. PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15001">#15001</a> by <a href="https://github.com/YuriiMotov"><code>@YuriiMotov</code></a>.</li> </ul> <h3>Translations</h3> <ul> <li>🌐 Update translations for zh (update-outdated). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15177">#15177</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for zh-hant (update-outdated). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15178">#15178</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for zh-hant (add-missing). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15176">#15176</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for zh (add-missing). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15175">#15175</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for ja (update-outdated). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15171">#15171</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for ko (update-outdated). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15170">#15170</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for tr (update-outdated). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15172">#15172</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> <li>🌐 Update translations for ko (add-missing). PR <a href="https://redirect.github.com/fastapi/fastapi/pull/15168">#15168</a> by <a href="https://github.com/tiangolo"><code>@tiangolo</code></a>.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
3754040f22 |
Bump vite from 7.3.2 to 8.0.5 in /frontend (#1641)
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.2 to 8.0.5. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/releases">vite's releases</a>.</em></p> <blockquote> <h2>v8.0.5</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.5/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.4</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.4/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.3/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.3</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.3/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.2/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.2</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.2/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.1/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.1/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>plugin-legacy@8.0.1</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/plugin-legacy@8.0.1/packages/plugin-legacy/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>create-vite@8.0.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/create-vite@8.0.0/packages/create-vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>plugin-legacy@8.0.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/plugin-legacy@8.0.0/packages/plugin-legacy/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0-beta.18</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0-beta.18/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0-beta.17</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0-beta.17/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0-beta.16</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0-beta.16/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0-beta.15</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0-beta.15/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <h2>v8.0.0-beta.14</h2> <p>Please refer to <a href="https://github.com/vitejs/vite/blob/v8.0.0-beta.14/packages/vite/CHANGELOG.md">CHANGELOG.md</a> for details.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's changelog</a>.</em></p> <blockquote> <h2><!-- raw HTML omitted --><a href="https://github.com/vitejs/vite/compare/v8.0.4...v8.0.5">8.0.5</a> (2026-04-06)<!-- raw HTML omitted --></h2> <h3>Bug Fixes</h3> <ul> <li>apply server.fs check to env transport (<a href="https://redirect.github.com/vitejs/vite/issues/22159">#22159</a>) (<a href=" |
||
|
github-actions[bot]
|
92d0648e53 |
Update contributors in readme (#1653)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> |
||
|
dependabot[bot]
|
9299e9c3b7 |
Bump docker/login-action from 3 to 4 (#1595)
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/login-action/releases">docker/login-action's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <ul> <li>Node 24 as default runtime (requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later) by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/929">docker/login-action#929</a></li> <li>Switch to ESM and update config/test wiring by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/927">docker/login-action#927</a></li> <li>Bump <code>@actions/core</code> from 1.11.1 to 3.0.0 in <a href="https://redirect.github.com/docker/login-action/pull/919">docker/login-action#919</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> from 3.890.0 to 3.1000.0 in <a href="https://redirect.github.com/docker/login-action/pull/909">docker/login-action#909</a> <a href="https://redirect.github.com/docker/login-action/pull/920">docker/login-action#920</a></li> <li>Bump <code>@aws-sdk/client-ecr-public</code> from 3.890.0 to 3.1000.0 in <a href="https://redirect.github.com/docker/login-action/pull/909">docker/login-action#909</a> <a href="https://redirect.github.com/docker/login-action/pull/920">docker/login-action#920</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.63.0 to 0.77.0 in <a href="https://redirect.github.com/docker/login-action/pull/910">docker/login-action#910</a> <a href="https://redirect.github.com/docker/login-action/pull/928">docker/login-action#928</a></li> <li>Bump <code>@isaacs/brace-expansion</code> from 5.0.0 to 5.0.1 in <a href="https://redirect.github.com/docker/login-action/pull/921">docker/login-action#921</a></li> <li>Bump js-yaml from 4.1.0 to 4.1.1 in <a href="https://redirect.github.com/docker/login-action/pull/901">docker/login-action#901</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.7.0...v4.0.0">https://github.com/docker/login-action/compare/v3.7.0...v4.0.0</a></p> <h2>v3.7.0</h2> <ul> <li>Add <code>scope</code> input to set scopes for the authentication token by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/912">docker/login-action#912</a></li> <li>Add support for AWS European Sovereign Cloud ECR by <a href="https://github.com/dphi"><code>@dphi</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/914">docker/login-action#914</a></li> <li>Ensure passwords are redacted with <code>registry-auth</code> input by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/911">docker/login-action#911</a></li> <li>build(deps): bump lodash from 4.17.21 to 4.17.23 in <a href="https://redirect.github.com/docker/login-action/pull/915">docker/login-action#915</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.6.0...v3.7.0">https://github.com/docker/login-action/compare/v3.6.0...v3.7.0</a></p> <h2>v3.6.0</h2> <ul> <li>Add <code>registry-auth</code> input for raw authentication to registries by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/887">docker/login-action#887</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> to 3.890.0 in <a href="https://redirect.github.com/docker/login-action/pull/882">docker/login-action#882</a> <a href="https://redirect.github.com/docker/login-action/pull/890">docker/login-action#890</a></li> <li>Bump <code>@aws-sdk/client-ecr-public</code> to 3.890.0 in <a href="https://redirect.github.com/docker/login-action/pull/882">docker/login-action#882</a> <a href="https://redirect.github.com/docker/login-action/pull/890">docker/login-action#890</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.62.1 to 0.63.0 in <a href="https://redirect.github.com/docker/login-action/pull/883">docker/login-action#883</a></li> <li>Bump brace-expansion from 1.1.11 to 1.1.12 in <a href="https://redirect.github.com/docker/login-action/pull/880">docker/login-action#880</a></li> <li>Bump undici from 5.28.4 to 5.29.0 in <a href="https://redirect.github.com/docker/login-action/pull/879">docker/login-action#879</a></li> <li>Bump tmp from 0.2.3 to 0.2.4 in <a href="https://redirect.github.com/docker/login-action/pull/881">docker/login-action#881</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.5.0...v3.6.0">https://github.com/docker/login-action/compare/v3.5.0...v3.6.0</a></p> <h2>v3.5.0</h2> <ul> <li>Support dual-stack endpoints for AWS ECR by <a href="https://github.com/Spacefish"><code>@Spacefish</code></a> <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/login-action/pull/874">docker/login-action#874</a> <a href="https://redirect.github.com/docker/login-action/pull/876">docker/login-action#876</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> to 3.859.0 in <a href="https://redirect.github.com/docker/login-action/pull/860">docker/login-action#860</a> <a href="https://redirect.github.com/docker/login-action/pull/878">docker/login-action#878</a></li> <li>Bump <code>@aws-sdk/client-ecr-public</code> to 3.859.0 in <a href="https://redirect.github.com/docker/login-action/pull/860">docker/login-action#860</a> <a href="https://redirect.github.com/docker/login-action/pull/878">docker/login-action#878</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.57.0 to 0.62.1 in <a href="https://redirect.github.com/docker/login-action/pull/870">docker/login-action#870</a></li> <li>Bump form-data from 2.5.1 to 2.5.5 in <a href="https://redirect.github.com/docker/login-action/pull/875">docker/login-action#875</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.4.0...v3.5.0">https://github.com/docker/login-action/compare/v3.4.0...v3.5.0</a></p> <h2>v3.4.0</h2> <ul> <li>Bump <code>@actions/core</code> from 1.10.1 to 1.11.1 in <a href="https://redirect.github.com/docker/login-action/pull/791">docker/login-action#791</a></li> <li>Bump <code>@aws-sdk/client-ecr</code> to 3.766.0 in <a href="https://redirect.github.com/docker/login-action/pull/789">docker/login-action#789</a> <a href="https://redirect.github.com/docker/login-action/pull/856">docker/login-action#856</a></li> <li>Bump <code>@aws-sdk/client-ecr-public</code> to 3.758.0 in <a href="https://redirect.github.com/docker/login-action/pull/789">docker/login-action#789</a> <a href="https://redirect.github.com/docker/login-action/pull/856">docker/login-action#856</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.35.0 to 0.57.0 in <a href="https://redirect.github.com/docker/login-action/pull/801">docker/login-action#801</a> <a href="https://redirect.github.com/docker/login-action/pull/806">docker/login-action#806</a> <a href="https://redirect.github.com/docker/login-action/pull/858">docker/login-action#858</a></li> <li>Bump cross-spawn from 7.0.3 to 7.0.6 in <a href="https://redirect.github.com/docker/login-action/pull/814">docker/login-action#814</a></li> <li>Bump https-proxy-agent from 7.0.5 to 7.0.6 in <a href="https://redirect.github.com/docker/login-action/pull/823">docker/login-action#823</a></li> <li>Bump path-to-regexp from 6.2.2 to 6.3.0 in <a href="https://redirect.github.com/docker/login-action/pull/777">docker/login-action#777</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/login-action/compare/v3.3.0...v3.4.0">https://github.com/docker/login-action/compare/v3.3.0...v3.4.0</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
11db33e70e |
Bump docker/metadata-action from 5 to 6 (#1596)
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/docker/metadata-action/releases">docker/metadata-action's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <ul> <li>Node 24 as default runtime (requires <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions Runner v2.327.1</a> or later) by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/605">docker/metadata-action#605</a></li> <li>List inputs now preserve <code>#</code> inside values while still supporting full-line <code>#</code> comments by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/607">docker/metadata-action#607</a></li> <li>Switch to ESM and update config/test wiring by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/602">docker/metadata-action#602</a></li> <li>Bump lodash from 4.17.21 to 4.17.23 in <a href="https://redirect.github.com/docker/metadata-action/pull/588">docker/metadata-action#588</a></li> <li>Bump <code>@actions/core</code> from 1.11.1 to 3.0.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/599">docker/metadata-action#599</a></li> <li>Bump <code>@actions/github</code> from 6.0.1 to 9.0.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/597">docker/metadata-action#597</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.68.0 to 0.79.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/604">docker/metadata-action#604</a></li> <li>Bump <code>@isaacs/brace-expansion</code> from 5.0.0 to 5.0.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/600">docker/metadata-action#600</a></li> <li>Bump semver from 7.7.3 to 7.7.4 in <a href="https://redirect.github.com/docker/metadata-action/pull/603">docker/metadata-action#603</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0">https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0</a></p> <h2>v5.10.0</h2> <ul> <li>Bump <code>@docker/actions-toolkit</code> from 0.66.0 to 0.68.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/559">docker/metadata-action#559</a> <a href="https://redirect.github.com/docker/metadata-action/pull/569">docker/metadata-action#569</a></li> <li>Bump js-yaml from 3.14.1 to 3.14.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/564">docker/metadata-action#564</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.9.0...v5.10.0">https://github.com/docker/metadata-action/compare/v5.9.0...v5.10.0</a></p> <h2>v5.9.0</h2> <ul> <li>Add <code>tag-names</code> output to return tag names without image base name by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/553">docker/metadata-action#553</a></li> <li>Bump <code>@babel/runtime-corejs3</code> from 7.14.7 to 7.28.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/539">docker/metadata-action#539</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.62.1 to 0.66.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/555">docker/metadata-action#555</a></li> <li>Bump brace-expansion from 1.1.11 to 1.1.12 in <a href="https://redirect.github.com/docker/metadata-action/pull/540">docker/metadata-action#540</a></li> <li>Bump csv-parse from 5.6.0 to 6.1.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/532">docker/metadata-action#532</a></li> <li>Bump semver from 7.7.2 to 7.7.3 in in <a href="https://redirect.github.com/docker/metadata-action/pull/554">docker/metadata-action#554</a></li> <li>Bump tmp from 0.2.3 to 0.2.5 in <a href="https://redirect.github.com/docker/metadata-action/pull/541">docker/metadata-action#541</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.8.0...v5.9.0">https://github.com/docker/metadata-action/compare/v5.8.0...v5.9.0</a></p> <h2>v5.8.0</h2> <ul> <li>New <code>is_not_default_branch</code> global expression by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/535">docker/metadata-action#535</a></li> <li>Allow to match part of the git tag or value for semver/pep440 types by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/536">docker/metadata-action#536</a> <a href="https://redirect.github.com/docker/metadata-action/pull/537">docker/metadata-action#537</a></li> <li>Bump <code>@actions/github</code> from 6.0.0 to 6.0.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/523">docker/metadata-action#523</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.56.0 to 0.62.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/526">docker/metadata-action#526</a></li> <li>Bump form-data from 2.5.1 to 2.5.5 in <a href="https://redirect.github.com/docker/metadata-action/pull/533">docker/metadata-action#533</a></li> <li>Bump moment-timezone from 0.5.47 to 0.6.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/525">docker/metadata-action#525</a></li> <li>Bump semver from 7.7.1 to 7.7.2 in <a href="https://redirect.github.com/docker/metadata-action/pull/524">docker/metadata-action#524</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.7.0...v5.8.0">https://github.com/docker/metadata-action/compare/v5.7.0...v5.8.0</a></p> <h2>v5.7.0</h2> <ul> <li>Global expressions support for labels and annotations by <a href="https://github.com/crazy-max"><code>@crazy-max</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/489">docker/metadata-action#489</a></li> <li>Support disabling outputs as environment variables by <a href="https://github.com/omus"><code>@omus</code></a> in <a href="https://redirect.github.com/docker/metadata-action/pull/497">docker/metadata-action#497</a></li> <li>Bump <code>@docker/actions-toolkit</code> from 0.44.0 to 0.56.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/507">docker/metadata-action#507</a> <a href="https://redirect.github.com/docker/metadata-action/pull/509">docker/metadata-action#509</a></li> <li>Bump csv-parse from 5.5.6 to 5.6.0 in <a href="https://redirect.github.com/docker/metadata-action/pull/482">docker/metadata-action#482</a></li> <li>Bump moment-timezone from 0.5.46 to 0.5.47 in <a href="https://redirect.github.com/docker/metadata-action/pull/501">docker/metadata-action#501</a></li> <li>Bump semver from 7.6.3 to 7.7.1 in <a href="https://redirect.github.com/docker/metadata-action/pull/504">docker/metadata-action#504</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/docker/metadata-action/compare/v5.6.1...v5.7.0">https://github.com/docker/metadata-action/compare/v5.6.1...v5.7.0</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
cbee85a53d |
Bump axios from 1.14.0 to 1.15.0 in /frontend (#1655)
Bumps [axios](https://github.com/axios/axios) from 1.14.0 to 1.15.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p> <blockquote> <h2>v1.15.0</h2> <p>This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.</p> <h2>⚠️ Important Changes</h2> <ul> <li><strong>Deprecation:</strong> <code>url.parse()</code> usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (<strong><a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li> </ul> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Proxy Handling:</strong> Fixed a <code>no_proxy</code> hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (<strong><a href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</li> <li><strong>Header Injection:</strong> Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (<strong><a href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong>Runtime Support:</strong> Added compatibility checks and documentation for Deno and Bun environments. (<strong><a href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10653">#10653</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>CI Security:</strong> Hardened workflow permissions to least privilege, added the <code>zizmor</code> security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (<strong><a href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li> <li><strong>Dependencies:</strong> Bumped <code>serialize-javascript</code>, <code>handlebars</code>, <code>picomatch</code>, <code>vite</code>, and <code>denoland/setup-deno</code> to latest versions. Added a 7-day Dependabot cooldown period. (<strong><a href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>)</li> <li><strong>Documentation:</strong> Unified docs, improved <code>beforeRedirect</code> credential leakage example, clarified <code>withCredentials</code>/<code>withXSRFToken</code> behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (<strong><a href="https://redirect.github.com/axios/axios/issues/10649">#10649</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/7471">#7471</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li> <li><strong>Housekeeping:</strong> Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (<strong><a href="https://redirect.github.com/axios/axios/issues/10584">#10584</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10650">#10650</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10582">#10582</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10640">#10640</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10659">#10659</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10668">#10668</a></strong>)</li> <li><strong>Tests:</strong> Added regression coverage for urlencoded <code>Content-Type</code> casing. (<strong><a href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li> </ul> <h2>🌟 New Contributors</h2> <p>We are thrilled to welcome our new contributors. Thank you for helping improve Axios:</p> <ul> <li><strong><a href="https://github.com/raashish1601"><code>@raashish1601</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li> <li><strong><a href="https://github.com/Kilros0817"><code>@Kilros0817</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li> <li><strong><a href="https://github.com/ashstrc"><code>@ashstrc</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</li> <li><strong><a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li> <li><strong><a href="https://github.com/theamodhshetty"><code>@theamodhshetty</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2><a href="https://github.com/axios/axios/compare/v1.13.2...v1.13.3">1.13.3</a> (2026-01-20)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>http2:</strong> Use port 443 for HTTPS connections by default. (<a href="https://redirect.github.com/axios/axios/issues/7256">#7256</a>) (<a href=" |
||
|
dependabot[bot]
|
31669606db |
Bump next from 16.2.1 to 16.2.3 in /docs (#1654)
Bumps [next](https://github.com/vercel/next.js) from 16.2.1 to 16.2.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.2.3</h2> <blockquote> <p>[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see <a href="https://vercel.com/changelog/summary-of-cve-2026-23869">https://vercel.com/changelog/summary-of-cve-2026-23869</a>. The release does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>Ensure app-page reports stale ISR revalidation errors via onRequestError (<a href="https://redirect.github.com/vercel/next.js/issues/92282">#92282</a>)</li> <li>Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (<a href="https://redirect.github.com/vercel/next.js/issues/91981">#91981</a> through <a href="https://redirect.github.com/vercel/next.js/issues/92273">#92273</a>)</li> <li>Deduplicate output assets and detect content conflicts on emit (<a href="https://redirect.github.com/vercel/next.js/issues/92292">#92292</a>)</li> <li>Fix styled-jsx race condition: styles lost due to concurrent rendering (<a href="https://redirect.github.com/vercel/next.js/issues/92459">#92459</a>)</li> <li>turbo-tasks-backend: stability fixes for task cancellation and error handling (<a href="https://redirect.github.com/vercel/next.js/issues/92254">#92254</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/sokra"><code>@sokra</code></a>, <a href="https://github.com/wbinnssmith"><code>@wbinnssmith</code></a>, <a href="https://github.com/eps1lon"><code>@eps1lon</code></a> and <a href="https://github.com/ztanner"><code>@ztanner</code></a> for helping!</p> <h2>v16.2.2</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>backport: Move expanded adapters docs to API reference (<a href="https://redirect.github.com/vercel/next.js/issues/92115">#92115</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/92129">#92129</a>)</li> <li>Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (<a href="https://redirect.github.com/vercel/next.js/issues/92130">#92130</a>)</li> <li>[create-next-app] Skip interactive prompts when CLI flags are provided (<a href="https://redirect.github.com/vercel/next.js/issues/91840">#91840</a>)</li> <li>next.config.js: Accept an option for serverFastRefresh (<a href="https://redirect.github.com/vercel/next.js/issues/91968">#91968</a>)</li> <li>Turbopack: enable server HMR for app route handlers (<a href="https://redirect.github.com/vercel/next.js/issues/91466">#91466</a>)</li> <li>Turbopack: exclude metadata routes from server HMR (<a href="https://redirect.github.com/vercel/next.js/issues/92034">#92034</a>)</li> <li>Fix CI for glibc linux builds</li> <li>Backport: disable bmi2 in qfilter <a href="https://redirect.github.com/vercel/next.js/issues/92177">#92177</a></li> <li>[backport] Fix CSS HMR on Safari (<a href="https://redirect.github.com/vercel/next.js/issues/92174">#92174</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/nextjs-bot"><code>@nextjs-bot</code></a>, <a href="https://github.com/icyJoseph"><code>@icyJoseph</code></a>, <a href="https://github.com/ijjk"><code>@ijjk</code></a>, <a href="https://github.com/gaojude"><code>@gaojude</code></a>, <a href="https://github.com/wbinnssmith"><code>@wbinnssmith</code></a>, <a href="https://github.com/lukesandberg"><code>@lukesandberg</code></a>, and <a href="https://github.com/bgw"><code>@bgw</code></a> for helping!</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
Byte
|
d5ea177e8f |
Mounting to /var/lib/postgres/data is no longer allowed after Postgres 18 (#1651)
I got an error when running bracket through the provided compose because mounting directly to the postgres data directory is not allowed after version 18 |
||
|
dependabot[bot]
|
c3329869fb |
Bump sentry-sdk from 2.56.0 to 2.57.0 in /backend (#1649)
Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 2.56.0 to 2.57.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/releases">sentry-sdk's releases</a>.</em></p> <blockquote> <h2>2.57.0</h2> <h3>New Features ✨</h3> <h4>Langchain</h4> <ul> <li>Set <code>gen_ai.operation.name</code> and <code>gen_ai.pipeline.name</code> on LLM spans by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5849">#5849</a></li> <li>Broaden AI provider detection beyond OpenAI and Anthropic by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5707">#5707</a></li> <li>Update LLM span operation to <code>gen_ai.generate_text</code> by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5796">#5796</a></li> </ul> <h4>Other</h4> <ul> <li> <p>Add experimental async transport by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5646">#5646</a></p> <p>See <a href="https://github.com/getsentry/sentry-python/discussions/5919">https://github.com/getsentry/sentry-python/discussions/5919</a> for details.</p> </li> </ul> <h3>Bug Fixes 🐛</h3> <h4>Openai</h4> <ul> <li>Only wrap types with <code>_iterator</code> for streamed responses by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5917">#5917</a></li> <li>Always set <code>gen_ai.response.streaming</code> for Responses by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5697">#5697</a></li> <li>Simplify Responses input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5695">#5695</a></li> <li>Use <code>max_output_tokens</code> for Responses API by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5693">#5693</a></li> <li>Always set <code>gen_ai.response.streaming</code> for Completions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5692">#5692</a></li> <li>Simplify Completions input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5690">#5690</a></li> <li>Simplify embeddings input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5688">#5688</a></li> </ul> <h4>Other</h4> <ul> <li>(google-genai) Guard response extraction by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5869">#5869</a></li> <li>Add cycle detection to exceptions_from_error by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5880">#5880</a></li> </ul> <h3>Internal Changes 🔧</h3> <h4>Ai</h4> <ul> <li>Remove unused GEN_AI_PIPELINE operation constant by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5886">#5886</a></li> <li>Rename generate_text to text_completion by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5885">#5885</a></li> </ul> <h4>Langchain</h4> <ul> <li>Add text completion test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5740">#5740</a></li> <li>Add tool execution test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5739">#5739</a></li> <li>Add basic agent test with Responses call by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5726">#5726</a></li> <li>Replace mocks with <code>httpx</code> types by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5724">#5724</a></li> <li>Consolidate span origin assertion by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5723">#5723</a></li> <li>Consolidate available tools assertion by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5721">#5721</a></li> </ul> <h4>Openai</h4> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md">sentry-sdk's changelog</a>.</em></p> <blockquote> <h2>2.57.0</h2> <h3>New Features ✨</h3> <h4>Langchain</h4> <ul> <li>Set <code>gen_ai.operation.name</code> and <code>gen_ai.pipeline.name</code> on LLM spans by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5849">#5849</a></li> <li>Broaden AI provider detection beyond OpenAI and Anthropic by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5707">#5707</a></li> <li>Update LLM span operation to <code>gen_ai.generate_text</code> by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5796">#5796</a></li> </ul> <h4>Other</h4> <ul> <li> <p>Add experimental async transport by <a href="https://github.com/BYK"><code>@BYK</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5646">#5646</a></p> <p>See <a href="https://github.com/getsentry/sentry-python/discussions/5919">https://github.com/getsentry/sentry-python/discussions/5919</a> for details.</p> </li> </ul> <h3>Bug Fixes 🐛</h3> <h4>Openai</h4> <ul> <li>Only wrap types with <code>_iterator</code> for streamed responses by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5917">#5917</a></li> <li>Always set <code>gen_ai.response.streaming</code> for Responses by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5697">#5697</a></li> <li>Simplify Responses input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5695">#5695</a></li> <li>Use <code>max_output_tokens</code> for Responses API by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5693">#5693</a></li> <li>Always set <code>gen_ai.response.streaming</code> for Completions by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5692">#5692</a></li> <li>Simplify Completions input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5690">#5690</a></li> <li>Simplify embeddings input handling by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5688">#5688</a></li> </ul> <h4>Other</h4> <ul> <li>(google-genai) Guard response extraction by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5869">#5869</a></li> <li>Add cycle detection to exceptions_from_error by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5880">#5880</a></li> </ul> <h3>Internal Changes 🔧</h3> <h4>Ai</h4> <ul> <li>Remove unused GEN_AI_PIPELINE operation constant by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5886">#5886</a></li> <li>Rename generate_text to text_completion by <a href="https://github.com/ericapisani"><code>@ericapisani</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5885">#5885</a></li> </ul> <h4>Langchain</h4> <ul> <li>Add text completion test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5740">#5740</a></li> <li>Add tool execution test by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5739">#5739</a></li> <li>Add basic agent test with Responses call by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5726">#5726</a></li> <li>Replace mocks with <code>httpx</code> types by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5724">#5724</a></li> <li>Consolidate span origin assertion by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5723">#5723</a></li> <li>Consolidate available tools assertion by <a href="https://github.com/alexander-alderman-webb"><code>@alexander-alderman-webb</code></a> in <a href="https://redirect.github.com/getsentry/sentry-python/pull/5721">#5721</a></li> </ul> <h4>Openai</h4> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
ef1693d389 |
Bump mypy from 1.19.0 to 1.20.0 in /backend (#1648)
Bumps [mypy](https://github.com/python/mypy) from 1.19.0 to 1.20.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/python/mypy/blob/master/CHANGELOG.md">mypy's changelog</a>.</em></p> <blockquote> <h1>Mypy Release Notes</h1> <h2>Next Release</h2> <h2>Mypy 1.20</h2> <p>We’ve just uploaded mypy 1.20.0 to the Python Package Index (<a href="https://pypi.org/project/mypy/">PyPI</a>). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:</p> <pre><code>python3 -m pip install -U mypy </code></pre> <p>You can read the full documentation for this release on <a href="http://mypy.readthedocs.io">Read the Docs</a>.</p> <h3>Planned Changes to Defaults and Flags in Mypy 2.0</h3> <p>As a reminder, we are planning to enable <code>--local-partial-types</code> by default in mypy 2.0, which will likely be the next feature release. This will often require at least minor code changes. This option is implicitly enabled by mypy daemon, so this makes the behavior of daemon and non-daemon modes consistent.</p> <p>Note that this release improves the compatibility of <code>--local-partial-types</code> significantly to make the switch easier (see below for more).</p> <p>This can also be configured in a mypy configuration file (use <code>False</code> to disable):</p> <pre><code>local_partial_types = True </code></pre> <p>For more information, refer to the <a href="https://mypy.readthedocs.io/en/stable/command_line.html#cmdoption-mypy-local-partial-types">documentation</a>.</p> <p>We will also enable <code>--strict-bytes</code> by default in mypy 2.0. This usually requires at most minor code changes to adopt. For more information, refer to the <a href="https://mypy.readthedocs.io/en/stable/command_line.html#cmdoption-mypy-strict-bytes">documentation</a>.</p> <p>Finally, <code>--allow-redefinition-new</code> will be renamed to <code>--allow-redefinition</code>. If you want to continue using the older <code>--allow-redefinition</code> semantics which are less flexible (e.g. limited support for conditional redefinitions), you can switch to <code>--allow-redefinition-old</code>, which is currently supported as an alias to the legacy <code>--allow-redefinition</code> behavior. To use <code>--allow-redefinition</code> in the upcoming mypy 2.0, you can't use <code>--no-local-partial-types</code>. For more information, refer to the <a href="https://mypy.readthedocs.io/en/stable/command_line.html#cmdoption-mypy-allow-redefinition-new">documentation</a>.</p> <h3>Better Type Narrowing</h3> <p>Mypy's implementation of narrowing has been substantially reworked. Mypy will now narrow more aggressively, more consistently, and more correctly. In particular, you are likely to notice new narrowing behavior in equality expressions (<code>==</code>), containment expressions (<code>in</code>),</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
dependabot[bot]
|
b95f381f0d |
Bump uvicorn from 0.42.0 to 0.44.0 in /backend (#1646)
Bumps [uvicorn](https://github.com/Kludex/uvicorn) from 0.42.0 to 0.44.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Kludex/uvicorn/releases">uvicorn's releases</a>.</em></p> <blockquote> <h2>Version 0.44.0</h2> <h2>What's Changed</h2> <ul> <li>Implement websocket keepalive pings for websockets-sansio by <a href="https://github.com/Kludex"><code>@Kludex</code></a> in <a href="https://redirect.github.com/Kludex/uvicorn/pull/2888">Kludex/uvicorn#2888</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/uvicorn/compare/0.43.0...0.44.0">https://github.com/Kludex/uvicorn/compare/0.43.0...0.44.0</a></p> <h2>Version 0.43.0</h2> <h2>Changed</h2> <ul> <li>Emit <code>http.disconnect</code> ASGI <code>receive()</code> event on server shutting down for streaming responses (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2829">#2829</a>)</li> <li>Use native <code>context</code> parameter for <code>create_task</code> on Python 3.11+ (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2859">#2859</a>)</li> <li>Drop cast in ASGI types (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2875">#2875</a>)</li> </ul> <hr /> <p><strong>Full Changelog</strong>: <a href="https://github.com/Kludex/uvicorn/compare/0.42.0...0.43.0">https://github.com/Kludex/uvicorn/compare/0.42.0...0.43.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md">uvicorn's changelog</a>.</em></p> <blockquote> <h2>0.44.0 (April 6, 2026)</h2> <h3>Added</h3> <ul> <li>Implement websocket keepalive pings for websockets-sansio (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2888">#2888</a>)</li> </ul> <h2>0.43.0 (April 3, 2026)</h2> <p>You can quit Uvicorn now. We heard you, <a href="https://github.com/pamelafox"><code>@pamelafox</code></a> - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to <a href="https://github.com/tiangolo"><code>@tiangolo</code></a> for the fix 🙏). <a href="https://x.com/pamelafox/status/2039097686155227623">See the tweet</a>.</p> <h3>Changed</h3> <ul> <li>Emit <code>http.disconnect</code> ASGI <code>receive()</code> event on server shutting down for streaming responses (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2829">#2829</a>)</li> <li>Use native <code>context</code> parameter for <code>create_task</code> on Python 3.11+ (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2859">#2859</a>)</li> <li>Drop cast in ASGI types (<a href="https://redirect.github.com/Kludex/uvicorn/issues/2875">#2875</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |