[DEPS]: Bump the python group with 6 updates

[dependabot]

Bumps the python group with 6 updates:

Package	From	To
fastapi	0.136.3	0.137.2
pytest	9.0.3	9.1.0
ruff	0.15.17	0.15.18
anyio	4.13.0	4.14.0
certifi	2026.5.20	2026.6.17
pydantic-core	2.46.4	2.47.0

Updates fastapi from 0.136.3 to 0.137.2

Release notes

Sourced from fastapi's releases.

0.137.2

Features

• ✨ Add iter_route_contexts() for advanced use cases that used to use router.routes (e.g. Jupyverse). PR #15785 by @​tiangolo.

Translations

• 🌐 Fix broken Markdown in Korean custom response docs. PR #15774 by @​kooqooo.
• 🌐 Update translations for fr (update-outdated). PR #15761 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15760 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15759 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15757 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15756 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15755 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15754 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15753 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15752 by @​tiangolo.
• 🌐 Update translations for ja (update-outdated). PR #15751 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15758 by @​tiangolo.

Internal

• 🔧 Update sponsors: add BairesDev. PR #15787 by @​tiangolo.
• 🔨 Update sponsors script to simplify previews. PR #15786 by @​tiangolo.
• ⬆ Bump the python-packages group across 1 directory with 7 updates. PR #15777 by @​dependabot[bot].
• ⬆ Bump cryptography from 46.0.7 to 48.0.1. PR #15779 by @​dependabot[bot].
• ⬆ Bump aiohttp from 3.14.0 to 3.14.1. PR #15781 by @​dependabot[bot].
• ⬆ Bump starlette from 1.2.1 to 1.3.1. PR #15780 by @​dependabot[bot].
• ⬆ Bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in the github-actions group. PR #15776 by @​dependabot[bot].
• ⬆ Bump https://github.com/crate-ci/typos from v1.47.1 to v1.47.2 in the pre-commit group. PR #15775 by @​dependabot[bot].
• ⬆ Bump python-multipart from 0.0.30 to 0.0.32. PR #15778 by @​dependabot[bot].
• ⏪️ Revert removing scripts, only remove coverage.sh. PR #15772 by @​tiangolo.
• 🔥 Remove unused scripts. PR #15771 by @​tiangolo.
• 🔧 Add ty configs to check docs sources. PR #15770 by @​tiangolo.
• 🔧 Add ty configs to check docs sources. PR #15769 by @​tiangolo.

0.137.1

Fixes

• 🚨 Fix typing checks for APIRoute. PR #15765 by @​tiangolo.
• 🐛 Fix bug, allow empty path in path operation in prefixless router. PR #15763 by @​tiangolo.

0.137.0

Breaking Changes

• ♻️ Refactor internals to preserve APIRouter and APIRoute instances. PR #15745 by @​tiangolo.

Unblocks ✨ SO MANY THINGS ✨

Before this, router.include_router(other_router) would take each path operation from other_router and "clone" it, or recreate it from scratch.

... (truncated)

Commits

• 6a0ba7b 🔖 Release version 0.137.2 (#15790)
• 5d421ae 📝 Update release notes
• 6ac1220 ✨ Add iter_route_contexts() for advanced use cases that used to use `router...
• 7feb17f 📝 Update release notes
• d514109 🔧 Update sponsors: add BairesDev (#15787)
• 1c1edb9 📝 Update release notes
• 32d711f 🔨 Update sponsors script to simplify previews (#15786)
• 202b2d2 📝 Update release notes
• e26e643 ⬆ Bump the python-packages group across 1 directory with 7 updates (#15777)
• c66d1c2 📝 Update release notes
• Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.0

Release notes

Sourced from pytest's releases.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

• #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

  If this is undesirable, move the fixture definition to a conftest.py file if possible.

  Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

• #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

  See 10819 and 14011.

• #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

  See dynamic-fixture-request-during-teardown for details.

• #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

  These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

  See parametrize-iterators for details and suggestions.

• #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

  See config-inicfg for more details.

• #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

  Use the node parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used nodeid=None, pass node=session instead.

  This will be removed in pytest 10.

• #14335: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See hook-markers for more details.

• #14434: The --pastebin option is now deprecated.

... (truncated)

Commits

• b2522cf Prepare release version 9.1.0
• 368d2fc [refactor] Tighten SetComparisonFunction to Iterator[str] (#14587)
• ff77cd8 [refactor] Make base assertion comparisons return an iterator instead of a li...
• 0d8491a build(deps): Bump actions/stale from 10.2.0 to 10.3.0
• 4a809d9 Merge pull request #14568 from pytest-dev/register-fixture
• 5dfa385 Fix recursion traceback test to cover all styles (#14582)
• f52ff0c Add pytest.register_fixture
• a8ac094 Merge pull request #14567 from pytest-dev/more-visibility-deprecate
• e5620cd [pre-commit.ci] pre-commit autoupdate (#14577)
• 2ce9c6d Merge pull request #14540 from minbang930/fix-14533-doctest-module-fixtures
• Additional commits viewable in compare view

Updates ruff from 0.15.17 to 0.15.18

Release notes

Sourced from ruff's releases.

0.15.18

Release Notes

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.18

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Commits

• 6686f63 Bump 0.15.18 (#26135)
• efbb732 [ty] Suggest keyword-only arguments between variadic parameters (#26134)
• c256d5f [ty] Support Annotated[Any, ...] as a class base (#26133)
• 19a4bea [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)
• 1d9866c Bump ecosystem-analyzer commit (#26130)
• 8656c73 [ty] Compact indexed AST node storage (#25998)
• c17c8d9 [ty] Garbage-collect cached constraint sets (#26116)
• ef0fb8f [ty] Fix bound TypeVar default cycle recovery (#26124)
• b83c024 [flake8-pyi] Extend PYI033 to Python files in preview (#26129)
• e8a5e38 Update Rust crate zip to v8 (#26078)
• Additional commits viewable in compare view

Updates anyio from 4.13.0 to 4.14.0

Release notes

Sourced from anyio's releases.

4.14.0

• Added support for Python 3.15

• Added an asynchronous implementation of the itertools module (#998; PR by @​11kkw)

• Added the local_port parameter to connect_tcp() to allow binding to a specific local port before connecting (#1067; PR by @​nullwiz)

• Added support for custom capacity limiters in async path and file I/O functions and classes

• Added the create_task() task group method for easier asyncio migration (returns a TaskHandle) (#1098)

• Changed TaskGroup.start_soon() to return a TaskHandle

• Added an option for TaskGroup.start() to return a TaskHandle (which then contains the start value in the start_value property)

• Added the cancel() convenience method to TaskGroup as a shortcut for cancelling the task group's cancel scope

• Improved the error message when a known backend is not installed to suggest the install command (#1115; PR by @​EmmanuelNiyonshuti)

• Improved anyio.Path to preserve subclass types by returning Self in methods that return path objects (#1130; PR by @​EmmanuelNiyonshuti)

• Changed the parameter type annotation in anyio.Path.write_bytes() to accept any ReadableBuffer, thus allowing it to accept bytearray and memoryview to match pathlib.Path.write_bytes() (#1135; PR by @​SAY-5)

• Changed several type annotations to only accept callables returning coroutine-like objects instead of arbitrary awaitables:

  • TaskGroup.start_soon()
  • TaskGroup.start()
  • anyio.from_thread.run()

  This reverts an earlier change from v3.7.0 which was made in error. (#1153)

• Changed anyio.run to support callables returning arbitrary awaitables at runtime on all backends. Previously, this only worked on asyncio (#1171; PR by @​gschaffner)

• Changed several classes (and their subclasses) to have __slots__ (with __weakref__):

  • anyio.CancelScope
  • anyio.CapacityLimiter
  • anyio.Condition
  • anyio.Event
  • anyio.Lock
  • anyio.ResourceGuard
  • anyio.Semaphore

• Fixed cancellation exception escaping a cancel scope when triggered via check_cancelled() in a worker thread (#1113)

• Fixed TaskGroup raising AttributeError instead of a clear error when entered more than once (#1109; PR by @​bahtya)

• Fixed lost type information when passing arguments to lru_cache (#1104; PR by @​Graeme22)

• Fixed test resumption after KeyboardInterrupt in async generator fixtures on the asyncio backend (#1060; PR by @​EmmanuelNiyonshuti)

... (truncated)

Commits

• ffe9133 Bumped up the version
• f8b9f01 Fixed asyncio lock waiter deadlocks after cancellation (#1145)
• d517ee1 [pre-commit.ci] pre-commit autoupdate (#1176)
• 550b68e Make anyio.run support Awaitable at runtime on all backends (#1171)
• 29a5e04 Fixed FastAPI test run
• 4d752ac Updated downstream test setups for FastAPI and Anthropic MCP
• ebdc950 Added task handle support to start() and start_soon() (#1153)
• f32bfb8 Fixed test suite compatibility issues with Pytest 9.1.0
• 85f7e8e Added __slots__ to several classes
• b7ea84c [pre-commit.ci] pre-commit autoupdate (#1165)
• Additional commits viewable in compare view

Updates certifi from 2026.5.20 to 2026.6.17

Commits

• d0ac52f 2026.06.17 (#418)
• d46de62 Bump actions/checkout from 6.0.2 to 6.0.3 (#417)
• 6c183ec fix: update Requests docs link to canonical URL (#415)
• 36e3568 Bump dessant/lock-threads from 6.0.0 to 6.0.2
• See full diff in compare view

Updates pydantic-core from 2.46.4 to 2.47.0

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
codemaru	Ready	Preview, Comment	Jun 18, 2026 8:26pm

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.