Bump the python-dependencies group with 9 updates

[dependabot]

Updates the requirements on akshare, flask, gunicorn, openai, openpyxl, pandas, pytest, pyyaml and ruff to permit the latest version.
Updates akshare to 1.18.63

Changelog

Sourced from akshare's changelog.

1.18.63 fix: fix stock_a_high_low_statistics interface

1. 修复 stock_a_high_low_statistics 接口

1.18.62 fix: fix stock_market_activity_legu interface

1. 修复 stock_market_activity_legu 接口

1.18.61 fix: fix stock_individual_spot_xq interface

1. 修复 stock_individual_spot_xq 接口

1.18.60 fix: fix stock_zh_index_daily_tx interface

1. 修复 stock_zh_index_daily_tx 接口
2. 修复 fund_info_ths 接口
3. 修复 game_hot_rank_taptap 接口

1.18.59 fix: fix stock_board_concept_hist_min_em interface

1. 修复 stock_board_concept_hist_min_em 接口
2. 修复 futures_index_ccidx 接口
3. 修复 stock_rank_cxg_ths 接口
4. 修复 futures_inventory_99 接口

1.18.58 fix: fix stock_individual_spot_xq interface

1. 修复 stock_individual_spot_xq 接口
2. 修复 fund_etf_spot_em 接口
3. 修复 fund_graded_fund_daily_em 接口
4. 修复 fund_hk_fund_hist_em 接口

1.18.57 fix: fix bond_info_detail_cm interface

1. 修复 bond_info_detail_cm 接口

1.18.56 fix: fix stock_zh_a_spot_tx interface

1. 修复 stock_zh_a_spot_tx 接口

1.18.55 fix: fix bond_index_general_cbond interface

1. 修复 bond_index_general_cbond 接口
2. 修复 bond_treasury_index_cbond 接口

1.18.54 fix: fix stock_individual_notice_report interface

1. 修复 stock_individual_notice_report 接口

1.18.53 fix: fix futures_hist_daily_cffex interface

... (truncated)

Commits

• f077137 Dev (#7276)
• d9b1fc9 Merge branch 'main' of github.com:akfamily/akshare
• acf8b82 Dev (#7273)
• d8387b4 Dev (#7272)
• 9e9b50f feat: add version 1.18.62
• c5f8177 fix: fix stock_market_activity_legu
• c56a5fd Dev (#7271)
• 9bef4b7 Dev (#7246)
• f528795 Dev (#7245)
• df2206f Dev (#7240)
• Additional commits viewable in compare view

Updates flask to 3.1.3

Release notes

Sourced from flask's releases.

3.1.3

This is the Flask 3.1.3 security fix release, which fixes a security issue but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.3/ Changes: https://flask.palletsprojects.com/page/changes/#version-3-1-3

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. GHSA-68rp-wp8r-4726

Changelog

Sourced from flask's changelog.

Version 3.1.3

Released 2026-02-18

• The session is marked as accessed for operations that only access the keys but not the values, such as in and len. :ghsa:68rp-wp8r-4726

Version 3.1.2

Released 2025-08-19

• stream_with_context does not fail inside async views. :issue:5774
• When using follow_redirects in the test client, the final state of session is correct. :issue:5786
• Relax type hint for passing bytes IO to send_file. :issue:5776

Version 3.1.1

Released 2025-05-13

• Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
• Fix type hint for cli_runner.invoke. :issue:5645
• flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
• Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659

Version 3.1.0

Released 2024-11-13

• Drop support for Python 3.8. :pr:5623
• Update minimum dependency versions to latest feature releases. Werkzeug >= 3.1, ItsDangerous >= 2.2, Blinker >= 1.9. :pr:5624,5633
• Provide a configuration option to control automatic option responses. :pr:5496
• Flask.open_resource/open_instance_resource and Blueprint.open_resource take an encoding parameter to use when opening in text mode. It defaults to utf-8. :issue:5504
• Request.max_content_length can be customized per-request instead of only through the MAX_CONTENT_LENGTH config. Added

... (truncated)

Commits

• 22d9247 release version 3.1.3
• 089cb86 Merge commit from fork
• c17f379 request context tracks session access
• 27be933 start version 3.1.3
• 4e652d3 Abort if the instance folder cannot be created (#5903)
• 3d03098 Abort if the instance folder cannot be created
• 407eb76 document using gevent for async (#5900)
• ac5664d document using gevent for async
• 4f79d5b Increase required flit_core version to 3.11 (#5865)
• fe3b215 Increase required flit_core version to 3.11
• Additional commits viewable in compare view

Updates gunicorn to 26.0.0

Release notes

Sourced from gunicorn's releases.

26.0.0

Breaking Changes

• Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

• ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
• ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

• HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
  • Reject authority-form request-target outside CONNECT
  • Reject asterisk-form request-target outside OPTIONS
  • Reject relative-reference request-targets
• Header Field Hardening (RFC 9110):
  • Reject control characters in header field-value (section 5.5)
  • Reject forbidden trailer field-names (section 6.5.1)
  • Reject Content-Length list form (RFC 9112 section 6.3)
• Request Smuggling Hardening:
  • Tighten keepalive gate and scope finish_body byte cap
  • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
  • Address parser/protocol findings from a six-point WSGI/ASGI audit
• PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
• Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

• Body Framing on HEAD/204/304:
  • Keep Content-Length on HEAD and 304 responses (#3621)
  • Drop body framing on HEAD/204/304 even when the framework set it
  • Warn once when an ASGI app emits a body for a no-body response
• HTTP/2 ASGI:
  • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
  • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#3565)
• HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
• WebSocket Close Handshake (RFC 6455):
  • Comply with the close handshake state machine
  • Close the transport after the close handshake completes
  • Fix binary send when the text key is None
• Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#3588).
• ASGI Framework Fixes:
  • Fix ASGI disconnect handling for Django-style apps
  • Fix Litestar request handling (use raw ASGI receive for body/headers)
  • Fix Litestar HTTP endpoints for compatibility tests
  • Fix Quart headers endpoint to normalize keys to lowercase
  • Fix Quart WebSocket close test app (missing accept())
  • Fix duplicate Transfer-Encoding header for BlackSheep streaming

... (truncated)

Commits

• 5d819cf release: 26.0.0
• b45c70d Merge pull request #3611 from zc-mattcen/docs-typo
• 99c8d48 Merge pull request #3623 from benoitc/chore/drop-eventlet-add-h2-uvloop-test-...
• 5a655af Merge pull request #3622 from benoitc/test/docker-port-and-ipv4-fixes
• 201df19 chore: remove eventlet worker; add h2 and uvloop to test deps
• f4ac8e1 test: pass action name to dirty client and stabilize after TTOU spam
• 54d38af test: unblock docker fixtures on macOS hosts
• 68843c8 Merge pull request #3621 from benoitc/fix/asgi-preserve-content-length-on-hea...
• 31f2618 Merge pull request #3620 from benoitc/fix/asgi-proxy-protocol-trust-and-parsing
• 41ec752 fix: keep Content-Length on HEAD and 304 responses
• Additional commits viewable in compare view

Updates openai to 2.38.0

Release notes

Sourced from openai's releases.

v2.38.0

2.38.0 (2026-05-21)

Full Changelog: v2.37.0...v2.38.0

Features

• api: api update (33d1d01)
• api: manual updates (a21700a)
• api: update OpenAPI spec or Stainless config (00265c5)

Chores

• api: docs updates (ee10152)
• check release PR custom code sync (2638779)
• remove release automation trigger (bd6eea5)
• trigger release automation (f62d082)

Changelog

Sourced from openai's changelog.

2.38.0 (2026-05-21)

Full Changelog: v2.37.0...v2.38.0

Features

• api: api update (33d1d01)
• api: manual updates (a21700a)
• api: update OpenAPI spec or Stainless config (00265c5)

Chores

• api: docs updates (ee10152)
• check release PR custom code sync (2638779)
• remove release automation trigger (bd6eea5)
• trigger release automation (f62d082)

2.37.0 (2026-05-13)

Full Changelog: v2.36.0...v2.37.0

Features

• api: add service_tier parameter to responses compact method (625827c)
• internal/types: support eagerly validating pydantic iterators (7e527bc)
• Remove unnecessary client_id when using workload identity provider for auth (c39ea8d)

Bug Fixes

• client: add missing f-string prefix in file type error message (c85ebd9)

2.36.0 (2026-05-07)

Full Changelog: v2.35.1...v2.36.0

Features

• api: manual updates (13c639c)
• api: realtime 2 (8fe0ab8)

2.35.1 (2026-05-06)

Full Changelog: v2.35.0...v2.35.1

Bug Fixes

• api: fix imagegen size enum regression (4484653)

... (truncated)

Commits

• e757667 release: 2.38.0
• b85b647 feat(api): api update
• d881c67 Revert "chore: check release PR custom code sync"
• d4a3228 chore: check release PR custom code sync
• 4888838 chore: remove release automation trigger
• 74978f0 chore: trigger release automation
• bab18af chore(api): docs updates
• a6f899a feat(api): manual updates
• 2897485 feat(api): update OpenAPI spec or Stainless config
• a2f1d6c codegen metadata
• Additional commits viewable in compare view

Updates openpyxl to 3.1.5

Updates pandas to 3.0.3

Release notes

Sourced from pandas's releases.

pandas 3.0.3

We are pleased to announce the release of pandas 3.0.3. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

Commits

• 72f2fea RLS: 3.0.3 (#65590)
• 2897590 Backport PR #65436 on branch 3.0.x (Account for privatization of matplotlib `...
• 49894b5 Backport PR #65499 on branch 3.0.x (BUG: fix check if pyarrow is installed in...
• 1c6d1e3 [backport 3.0.x] PERF: remove special casing for zoneinfo in tz_localize_to_u...
• 2a54711 Backport PR #64379 on branch 3.0.x (PERF: improve performance with ZoneInfo t...
• 036bb7c Backport PR #65482 on branch 3.0.x (PERF: don't call unique on dtypes for che...
• bf4c182 Backport PR #65410 on branch 3.0.x (TST: also convert str index to object in ...
• dd02d75 [backport 3.0.x] BUG: keep fsspec OpenFile alive for chained URL reads (#6547...
• aef3d0f [backport 3.0.x] CI: lowercase types-pymysql/types-pyyaml to fix mamba 2.6.0 ...
• bb8e248 Backport PR #65399 on branch 3.0.x (DOC: fix source link for classes in the r...
• Additional commits viewable in compare view

Updates pytest to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates pyyaml to 6.0.3

Release notes

Sourced from pyyaml's releases.

6.0.3

What's Changed

• Support for Python 3.14 and free-threading (experimental).

Full Changelog: yaml/pyyaml@6.0.2...6.0.3

Changelog

Sourced from pyyaml's changelog.

6.0.3 (2025-09-25)

• yaml/pyyaml#864 -- Support for Python 3.14 and free-threading (experimental)

6.0.2 (2024-08-06)

• yaml/pyyaml#808 -- Support for Cython 3.x and Python 3.13

6.0.1 (2023-07-18)

• yaml/pyyaml#702 -- pin Cython build dep to < 3.0

6.0 (2021-10-13)

• yaml/pyyaml#327 -- Change README format to Markdown
• yaml/pyyaml#483 -- Add a test for YAML 1.1 types
• yaml/pyyaml#497 -- fix float resolver to ignore . and ._
• yaml/pyyaml#550 -- drop Python 2.7
• yaml/pyyaml#553 -- Fix spelling of “hexadecimal”
• yaml/pyyaml#556 -- fix representation of Enum subclasses
• yaml/pyyaml#557 -- fix libyaml extension compiler warnings
• yaml/pyyaml#560 -- fix ResourceWarning on leaked file descriptors
• yaml/pyyaml#561 -- always require Loader arg to yaml.load()
• yaml/pyyaml#564 -- remove remaining direct distutils usage

5.4.1 (2021-01-20)

• yaml/pyyaml#480 -- Fix stub compat with older pyyaml versions that may unwittingly load it

5.4 (2021-01-19)

• yaml/pyyaml#407 -- Build modernization, remove distutils, fix metadata, build wheels, CI to GHA
• yaml/pyyaml#472 -- Fix for CVE-2020-14343, moves arbitrary python tags to UnsafeLoader
• yaml/pyyaml#441 -- Fix memory leak in implicit resolver setup
• yaml/pyyaml#392 -- Fix py2 copy support for timezone objects
• yaml/pyyaml#378 -- Fix compatibility with Jython

5.3.1 (2020-03-18)

• yaml/pyyaml#386 -- Prevents arbitrary code execution during python/object/new constructor

5.3 (2020-01-06)

• yaml/pyyaml#290 -- Use is instead of equality for comparing with None
• yaml/pyyaml#270 -- Fix typos and stylistic nit
• yaml/pyyaml#309 -- Fix up small typo
• yaml/pyyaml#161 -- Fix handling of slots
• yaml/pyyaml#358 -- Allow calling add_multi_constructor with None
• yaml/pyyaml#285 -- Add use of safe_load() function in README
• yaml/pyyaml#351 -- Fix reader for Unicode code points over 0xFFFF

... (truncated)

Commits

• 49790e7 Release 6.0.3 (#889)
• 41309b0 Release 6.0.2 (#819)
• dd9f0e1 6.0.2rc1 (#809)
• f5527a2 disable CI trigger on PR edits
• b4d80a7 Python 3.12 + musllinux_1_1_x86_64 wheel support
• c42fa3b 6.0.1 release
• ae08bdc block Cython 3.0+ as a build dep (#702)
• f873cfe Add python 3.11 support (#663)
• See full diff in compare view

Updates ruff to 0.15.14

Release notes

Sourced from ruff's releases.

0.15.14

Release Notes

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.14

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre
• @​adityasingh2400

... (truncated)

Commits

• 9ad2da3 Bump 0.15.14 (#25295)
• c714e84 [ty] Modernize setup of union types in mdtests (#25291)
• 8a8e35e [flake8-comprehensions] Skip C417 for lambdas with positional-only parame...
• aea5ed4 Avoid unnecessary parser lookahead for operators (#25290)
• e9d72bb [ty] Allow enum member accesses on self (#25077)
• 6cbd59b Set exclude-newer = "7 days" in our PEP-723 scripts (#25285)
• 9999a39 Update code example on how to update Neovim LSP log level (#25284)
• 67d8c54 [ty] Retain recursively-defined state in binary expressions (#25277)
• 25a3191 [ty] Refine Callable class-decorator fallback for unknown results (#25250)
• c423054 Add a recursion limit to the parser (#24810)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml