chore(deps): bump the uv group across 1 directory with 2 updates

[dependabot]

Bumps the uv group with 2 updates in the / directory: prefect and dulwich.

Updates prefect from 3.6.13 to 3.6.28.dev2

Release notes

Sourced from prefect's releases.

3.6.28.dev2: Nightly Development Release

What's Changed

Bug Fixes 🐞

• Skip uv pip freeze in bundle creation when a non-uv launcher is set by @​devin-ai-integration[bot] in PrefectHQ/prefect#21607
• Fix DNS rebinding TOCTOU bypass in validate_restricted_url by @​devin-ai-integration[bot] in PrefectHQ/prefect#21591

Development & Tidiness 🧹

• fix(tests): prevent aiosqlite teardown race in legacy events/out test by @​devin-ai-integration[bot] in PrefectHQ/prefect#21619

Documentation 📓

• docs: Add release notes for prefect-kubernetes==0.7.8 by @​devin-ai-integration[bot] in PrefectHQ/prefect#21611

Uncategorized

• docs: clarify that uv pip freeze is skipped only for execution launcher overrides by @​github-actions[bot] in PrefectHQ/prefect#21613
• Fix _UnpicklingFuture.add_done_callback swallowing deserialization errors by @​saschwartz in PrefectHQ/prefect#21612
• fix(tests): raise asyncpg connection_timeout in unit test mode by @​devin-ai-integration[bot] in PrefectHQ/prefect#21614

Full Changelog: PrefectHQ/prefect@3.6.28.dev1...3.6.28.dev2

3.6.28.dev1: Nightly Development Release

What's Changed

Bug Fixes 🐞

• fix(prefect-shell): kill whole process tree on ShellOperation cleanup by @​zzstoatzz in PrefectHQ/prefect#21586

Uncategorized

• docs: document SIGTERM bridge and sanitize_subprocess_env in utilities AGENTS.md by @​github-actions[bot] in PrefectHQ/prefect#21604
• docs: document JSDOM CSS custom property and matchMedia mocking patterns by @​github-actions[bot] in PrefectHQ/prefect#21605

Full Changelog: PrefectHQ/prefect@3.6.27...3.6.28.dev1

3.6.27 - When I cancel, you cancel

Enhancements ➕➕

• Remove causal ordering from task run recorder by @​chuqCTC in #21458
• Enable cascading cancellation for in-process subflows by @​desertaxle in #21477
• Relax work-pool storage CLI to allow ambient cloud credentials by @​desertaxle in #21578

Bug Fixes 🐞

• Bump pydocket to >=0.19.0 and drop the fakeredis pin by @​chrisguidry in #21512
• URL-encode credentials in dict fallback path for git clone by @​devin-ai-integration in #21540
• Handle missing anyio.NoEventLoopError on older anyio versions by @​devin-ai-integration in #21539
• Fix serve not clearing work pool config on existing deployments by @​vyagubov in #21528
• Add validation for malformed block document placeholder format by @​kuishou68 in #21501
• Handle PydanticInvalidForJsonSchema in parameter schema generation by @​devin-ai-integration in #21571
• Eagerly rebuild task-run submission schemas by @​desertaxle in #21556
• Propagate contextvars to the flow heartbeat thread by @​devin-ai-integration in #21577

... (truncated)

Commits

• 6f89b6d fix(tests): raise asyncpg connection_timeout in unit test mode (#21614)
• 1589b45 fix(tests): prevent aiosqlite teardown race in legacy events/out test (#21619)
• 7c70ac5 Fix DNS rebinding TOCTOU bypass in validate_restricted_url (#21591)
• 3458636 Fix _UnpicklingFuture.add_done_callback swallowing deserialization errors (#2...
• 3d18732 docs: clarify that uv pip freeze is skipped only for execution launcher overr...
• 36207f9 Skip uv pip freeze in bundle creation when a non-uv launcher is set (#21607)
• 8ab8ac4 docs: Add release notes for prefect-kubernetes==0.7.8 (#21611)
• 6373056 fix(prefect-shell): kill whole process tree on ShellOperation cleanup (#21586)
• 6dd5af5 docs: document JSDOM CSS custom property and matchMedia mocking patterns (#21...
• 9f9bed7 fix(ui-v2): default deployment detail tab to Details to match V1 (#21601)
• Additional commits viewable in compare view

Updates dulwich from 0.24.7 to 1.2.5

Release notes

Sourced from dulwich's releases.

dulwich 1.2.5

This is a security release. All users are encouraged to upgrade.

Security fixes

• GHSA-gfhv-vqv2-4544 -- Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact. The dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)

• CVE-2026-42305 -- Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. validate_path_element_ntfs now also rejects Windows path separators, the alternate data stream marker :, NTFS 8.3 short-name aliases of .git, and reserved Windows device names. core.protectNTFS now defaults to true on every platform, and both core.protectNTFS and core.protectHFS are now read under their correct option names. (Reported by Christopher Toth)

• CVE-2026-42563 -- Shell-quote values substituted into ProcessMergeDriver commands. A malicious branch could inject shell commands when a merge driver referencing %P was configured. (Reported by Ravishanker Kusuma (hayageek))

• CVE-2026-47712 -- Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. (Reported by Christopher Toth)

• receive.maxInputSize -- Honour receive.maxInputSize in ReceivePackHandler. Previously a remote unauthenticated client could send a tiny crafted pack that declared a huge dest_size and trigger hundreds of MB of allocation over git-receive-pack. (Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)

dulwich-1.2.4

Tolerate ref names with empty path components (e.g. `refs/tags//v1.0`) for now, emitting a `DeprecationWarning` rather than raising a `RefFormatError`. Such names are constructed by older Poetry releases (fixed in Poetry 2.4.0) and were silently accepted before Dulwich 1.2.3. `local_branch_name`, `local_tag_name` and `local_replace_name` likewise warn about, and strip, a leading slash instead of raising `ValueError`. Both will become errors again in a future release. (Jelmer Vernooij, #2192)

dulwich-1.2.1

Changes since 1.2.0

• Derive the LFS endpoint as the remote's on-disk LFS store (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos) when remote.origin.url points at a local filesystem path or file:// URL, matching git-lfs behaviour. Previously the built-in smudge filter constructed an HTTP-style <remote>.git/info/lfs path that did not exist on disk, leaving LFS-tracked files as pointers when cloning from a local repo.

• Deduplicate objects when writing a multi-pack-index. Objects present in multiple packs (e.g. after git gc creates a cruft pack) would otherwise produce an OIDL chunk with repeated SHAs, causing git multi-pack-index verify to fail with "oid lookup out of order". (#2152)

• Extend ignorecase and precomposeunicode support to index lookups. (#1807)

1.2.0

Notable changes since 1.1.0

New features

• Add am command and porcelain.am() for applying mailbox-style email patches (git am), with state persistence for --continue, --skip, --abort, and --quit recovery (#1692).
• Add apply command and porcelain.apply_patch() for applying unified diffs, including rename/copy detection, binary patches with Git's base85 encoding, and --3way merge fallback (#1784).
• Expand log command options: --oneline, --abbrev-commit, --author, --committer, --grep, --since/--after, --until/--before, -n/--max-count, --no-merges, --merges, --stat, -p/--patch, --name-only, and --follow (#1779).
• Add support for push options (-o/--push-option) in push, enabling AGit flow and other server-side push option workflows.
• Add missing push options: --all, --tags, --delete, --dry-run, --prune, --set-upstream, --follow-tags, and --mirror (#1844).
• Add support for atomic push operations (--atomic): either all ref updates succeed or none are applied (#1781).
• Add support for extensions.relativeworktrees repository extension, allowing worktrees to use relative paths (#2112).

... (truncated)

Changelog

Sourced from dulwich's changelog.

1.2.5 2026-05-28

• SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact -- dropping a hook that later commands would run. Submodule paths are now rejected if they are absolute or carry a component that the configured path validator refuses, and the submodule's own tree is materialized with the same validator. This is the dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Jelmer Vernooij; reported by tonghuaroot)

• SECURITY(CVE-2026-42305): Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. A crafted tree could previously carry such names through to the work tree. validate_path_element_ntfs now also rejects:

  • Windows path separators, so an entry named .git\hooks\pre-commit.exe can no longer materialize a file inside .git that Git for Windows would execute.
  • The alternate data stream marker : (e.g. .git::$INDEX_ALLOCATION, which writes into .git directly).
  • NTFS 8.3 short-name aliases of .git (git~<digits>); only git~1 was rejected before.
  • Reserved Windows device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), including with an extension or trailing dots/spaces such as NUL.txt or COM1 .bar.

  In addition, core.protectNTFS now defaults to true on every platform (matching git after CVE-2019-1353), so a POSIX clone no longer accepts paths that would be unsafe on a later Windows clone, and both core.protectNTFS and core.protectHFS are now read under their correct option names, having previously been silently ignored. POSIX users who need literal NTFS-unsafe filenames can opt out with core.protectNTFS=false. (Jelmer Vernooij; reported by Christopher Toth)

• SECURITY (CVE-2026-42563): Shell-quote values substituted into ProcessMergeDriver commands. %P is a path from the git tree, so a malicious branch could inject shell commands when the user had a merge driver configured that referenced %P. (Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))

• SECURITY(CVE-2026-47712): Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. get_summary now matches git's format_sanitized_subject.

... (truncated)

Commits

• 073f4df Release 1.2.5
• 5f85d3e tests: fix Windows-only failures in NTFS and merge-driver tests
• 25313ad Merge branch 'advisory-5'
• 1ca1814 submodule: Reject unsafe submodule paths in submodule_update
• 3559ef1 Merge branch 'advisory-4'
• f860ca4 server: Honour receive.maxInputSize to bound received packs
• 0fd6e6b Merge branch 'advisory-3'
• 0110b88 Merge branch 'advisory-2'
• 49eb56e Add NEWS entry for CVE-2026-42305
• 57efc4a Merge branch 'advisory-1'
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Update prefect to 3.6.28.dev2 and dulwich to 1.2.5 to pull in bug fixes and critical security patches. Pins in pyproject.toml were updated and uv.lock was refreshed.

• Dependencies
  • prefect 3.6.28.dev2: picks up recent fixes; no app code changes required.
  • dulwich 1.2.5: security hardening (reject unsafe submodule paths, sanitize Windows paths, quote merge driver args, sanitize patch filenames, honor receive.maxInputSize).

^{Written for commit ff6dcda. Summary will update on new commits.}

Review in cubic