chore(deps): bump the dev-dependencies group across 1 directory with 15 updates

[dependabot]

Updates the requirements on pydantic, starlette, uvicorn, python-multipart, sqlalchemy, fastapi, opentelemetry-api, opentelemetry-sdk, opentelemetry-instrumentation-starlette, pyjwt, click, pytest-asyncio, coverage, mypy and ruff to permit the latest version.
Updates pydantic to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• See full diff in compare view

Updates starlette to 1.1.0

Release notes

Sourced from starlette's releases.

Version 1.1.0

What's Changed

• Use "application/octet-stream" as the FileResponse media type fallback by @​ATOM00blue in Kludex/starlette#3283
• Only dispatch standard HTTP verbs in HTTPEndpoint by @​Kludex in Kludex/starlette#3286
• Reject absolute paths in StaticFiles.lookup_path by @​Kludex in Kludex/starlette#3287

New Contributors

• @​ATOM00blue made their first contribution in Kludex/starlette#3283

Full Changelog: Kludex/starlette@1.0.1...1.1.0

Changelog

Sourced from starlette's changelog.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

• Track session access and modification in SessionMiddleware #3166.

Fixed

• Handle websocket denial responses in StreamingResponse and FileResponse #3189.
• Use bytearray for field accumulation in FormParser #3179.
• Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today.

... (truncated)

Commits

• a4ff83b Version 1.1.0 (#3289)
• fd53168 Reject absolute paths in StaticFiles.lookup_path (#3287)
• e3f9722 Only dispatch standard HTTP verbs in HTTPEndpoint (#3286)
• 348f86d Use "application/octet-stream" as the FileResponse media type fallback (#...
• 48f8e33 Version 1.0.1 (#3281)
• f078832 Remove Hugging Face sponsor block from docs (#3280)
• 472951e chore(deps): bump the github-actions group with 2 updates (#3277)
• 764dab0 Ignore malformed Host header when constructing request.url (#3279)
• 19d0811 Harden GitHub Actions workflows and Dependabot config (#3276)
• 01f4637 chore(deps): bump idna from 3.10 to 3.15 (#3274)
• Additional commits viewable in compare view

Updates uvicorn to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

• Support ws_max_size in wsproto implementation (#2915)
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

• Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

Changed

• Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
• Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

... (truncated)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• 479a2c0 Version 0.47.0 (#2937)
• 89347fd Add 7-day cooldown for dependency resolution via uv exclude-newer (#2936)
• 767315b Drop unused contents/actions permissions from zizmor workflow (#2935)
• f25ee43 chore(deps): bump urllib3 from 2.6.3 to 2.7.0 (#2933)
• 8782666 Fix typo in docs/deployment/index.md. (#2932)
• ad5ff87 Treat fd=0 as a valid file descriptor with reload/workers (#2927)
• Additional commits viewable in compare view

Updates python-multipart to 0.0.29

Release notes

Sourced from python-multipart's releases.

Version 0.0.29

What's Changed

• Handle malformed RFC 2231 continuations in parse_options_header by @​manunio in Kludex/python-multipart#270

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

0.0.28 (2026-05-10)

• Speed up partial-boundary tail scan via bytes.find #281.
• Cap multipart boundary length at 256 bytes #282.

0.0.27 (2026-04-27)

• Add multipart header limits #267.
• Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

• Skip preamble before the first multipart boundary more efficiently #262.
• Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

• Add MIME content type info to File #143.
• Handle CTE values case-insensitively #258.
• Remove custom FormParser classes #257.
• Add UPLOAD_DELETE_TMP to FormParser config #254.
• Emit field_end for trailing bare field names on finalize #230.
• Handle multipart headers case-insensitively #252.
• Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

0.0.22 (2026-01-25)

• Drop directory path from filename in File 9433f4b.

0.0.21 (2025-12-17)

• Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.

0.0.20 (2024-12-16)

• Handle messages containing only end boundary #142.

... (truncated)

Commits

• e3d6853 Version 0.0.29 (#288)
• a60dcdc Handle malformed RFC 2231 continuations in parse_options_header (#270)
• 75c33b2 Add 7-day cooldown for dependency resolution via uv exclude-newer (#286)
• a078b8e Bump urllib3 from 2.6.3 to 2.7.0 (#285)
• 7d8d28b Version 0.0.28 (#284)
• b0dd125 Cap multipart boundary length at 256 bytes (#282)
• d1b5739 Speed up partial-boundary tail scan via bytes.find (#281)
• 09cb8c3 Make the long_boundary benchmark dominated by the patched code path (#280)
• a6467c9 Revert "Switch CodSpeed benchmarks to walltime mode" (#279)
• 9a96900 Switch CodSpeed benchmarks to walltime mode (#278)
• Additional commits viewable in compare view

Updates sqlalchemy to 2.0.50

Release notes

Sourced from sqlalchemy's releases.

2.0.50

Released: May 24, 2026

orm

• [orm] [bug] Fixed issue where using _orm.joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.

  References: #13203

• [orm] [bug] Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.

  References: #13301

• [orm] [bug] Fixed issue where using _orm.with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to _orm.configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.

  References: #13319

sql

• [sql] [bug] Fixed issue where floor division (//) between a Float or Numeric numerator and an Integer denominator would omit the FLOOR() SQL wrapper on dialects where Dialect.div_is_floordiv is True (the default, including PostgreSQL and SQLite). FLOOR() is now applied if either the denominator or the numerator is a non-integer, so that expressions such as float_col // int_col render as FLOOR(float_col / int_col) instead of the incorrect float_col / int_col. Pull request courtesy r266-tech.

  References: #10528

postgresql

... (truncated)

Commits

• See full diff in compare view

Updates fastapi to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates opentelemetry-api to 1.42.1

Changelog

Sourced from opentelemetry-api's changelog.

Version 1.42.1/0.63b1 (2026-05-21)

Fixed

• Preserve the random trace ID flag when creating child spans instead of always setting the random trace id bit depending on the available trace id generator. (#5241)

Version 1.42.0/0.63b0 (2026-05-19)

Added

• opentelemetry-api, opentelemetry-sdk: add support for 'random-trace-id' flags in W3C traceparent header trace flags. Implementations of IdGenerator that do randomly generate the 56 least significant bits, should also implement a is_trace_id_random methods that returns True. (#4854)
• logs: add exception support to Logger emit and LogRecord attributes (#4908)
• opentelemetry-exporter-otlp-proto-grpc: make retryable gRPC error codes configurable for gRPC exporters (#4917)
• opentelemetry-sdk: Add create_logger_provider/configure_logger_provider to declarative file configuration, enabling LoggerProvider instantiation from config files without reading env vars (#4990)
• opentelemetry-exporter-otlp-json-common: add 'opentelemetry-exporter-otlp-json-common' package for OTLP JSON exporters (#4996)
• opentelemetry-sdk: Add service resource detector support to declarative file configuration via detection_development.detectors[].service (#5003)
• opentelemetry-docker-tests: add docker-tests coverage of opentelemetry-exporter-otlp-proto-grpc and opentelemetry-exporter-otlp-proto-http metrics export (#5030)
• Add registry keyword argument to PrometheusMetricReader to allow passing a custom Prometheus registry (#5055)
• Add WeaverLiveCheck test util (#5088)
• opentelemetry-sdk: add load_entry_point shared utility to declarative file configuration for loading plugins via entry points; refactor propagator loading to use it (#5093)
• opentelemetry-sdk: add sampler plugin loading to declarative file configuration via the opentelemetry_sampler entry point group, matching the spec's PluginComponentProvider mechanism (#5095)

... (truncated)

Commits

• 367e14d Prepare release 1.42.1/0.63b1 (#5243)
• fd8e504 Preserve random trace ID flag for child spans (#5241) (#5242)
• 013045e [release/v1.42.x-0.63bx] Prepare release 1.42.0/0.63b0 (#5225)
• 1731583 ci: Enable GitHub Merge Queue support (#5209)
• 7fab34d fix(config): allow deflate for OTLP HTTP exporters (#5075)
• 0b690d2 ci: validate changelog fragment filenames (#5212)
• d4fabb4 feat(config): exporter plugin loading via entry points for declarative config...
• e19d346 feat(config): generic resource detector plugin loading for declarative config...
• 1d69bd2 sdk/metrics: copy attributes dict to prevent post-recording mutation (#5106)
• 990a611 feat(config): propagator plugin loading via entry points for declarative conf...
• Additional commits viewable in compare view

Updates opentelemetry-sdk to 1.42.1

Changelog

Sourced from opentelemetry-sdk's changelog.

Version 1.42.1/0.63b1 (2026-05-21)

Fixed

• Preserve the random trace ID flag when creating child spans instead of always setting the random trace id bit depending on the available trace id generator. (#5241)

Version 1.42.0/0.63b0 (2026-05-19)

Added

• opentelemetry-api, opentelemetry-sdk: add support for 'random-trace-id' flags in W3C traceparent header trace flags. Implementations of IdGenerator that do randomly generate the 56 least significant bits, should also implement a is_trace_id_random methods that returns True. (#4854)
• logs: add exception support to Logger emit and LogRecord attributes (#4908)
• opentelemetry-exporter-otlp-proto-grpc: make retryable gRPC error codes configurable for gRPC exporters (#4917)
• opentelemetry-sdk: Add create_logger_provider/configure_logger_provider to declarative file configuration, enabling LoggerProvider instantiation from config files without reading env vars (#4990)
• opentelemetry-exporter-otlp-json-common: add 'opentelemetry-exporter-otlp-json-common' package for OTLP JSON exporters (#4996)
• opentelemetry-sdk: Add service resource detector support to declarative file configuration via detection_development.detectors[].service (#5003)
• opentelemetry-docker-tests: add docker-tests coverage of opentelemetry-exporter-otlp-proto-grpc and opentelemetry-exporter-otlp-proto-http metrics export (#5030)
• Add registry keyword argument to PrometheusMetricReader to allow passing a custom Prometheus registry (#5055)
• Add WeaverLiveCheck test util (#5088)
• opentelemetry-sdk: add load_entry_point shared utility to declarative file configuration for loading plugins via entry points; refactor propagator loading to use it (#5093)
• opentelemetry-sdk: add sampler plugin loading to declarative file configuration via the opentelemetry_sampler entry point group, matching the spec's PluginComponentProvider mechanism (#5095)

... (truncated)

Commits

• 367e14d Prepare release 1.42.1/0.63b1 (#5243)
• fd8e504 Preserve random trace ID flag for child spans (#5241) (#5242)
• 013045e [release/v1.42.x-0.63bx] Prepare release 1.42.0/0.63b0 (#5225)
• 1731583 ci: Enable GitHub Merge Queue support (#5209)
• 7fab34d fix(config): allow deflate for OTLP HTTP exporters (#5075)
• 0b690d2 ci: validate changelog fragment filenames (#5212)
• d4fabb4 feat(config): exporter plugin loading via entry points for declarative config...
• e19d346 feat(config): generic resource detector plugin loading for declarative config...
• 1d69bd2 sdk/metrics: copy attributes dict to prevent post-recording mutation (#5106)
• 990a611 feat(config): propagator plugin loading via entry points for declarative conf...
• Additional commits viewable in compare view

Updates opentelemetry-instrumentation-starlette to 0.63b1

Changelog

Sourced from opentelemetry-instrumentation-starlette's changelog.

Version 1.42.1/0.63b1 (2026-05-21)

No significant changes.

Version 1.42.0/0.63b0 (2026-05-19)

Added

• opentelemetry-exporter-richconsole: Add support for suppressing resource information (#3898)
• opentelemetry-instrumentation: Add experimental metrics attributes Labeler utility (#4288)
• opentelemetry-instrumentation-logging: Add OTEL_PYTHON_LOG_HANDLER_LEVEL and OTEL_PYTHON_LOG_FORMAT environment variables to configure the log level and formatter of the auto-instrumented LoggingHandler. (#4298)
• opentelemetry-instrumentation-sqlite3: Add uninstrument, error status, suppress, and no-op tests (#4335)
• Add BaggageLogProcessor to opentelemetry-processor-baggage (#4371)
• opentelemetry-instrumentation-system-metrics: Add support for process.disk.io metric in system-metrics instrumentation (#4397)
• opentelemetry-instrumentation: Register OTEL_SEMCONV_STABILITY_OPT_IN in environment_variables.py so opentelemetry-instrument exposes a --semconv_stability_opt_in CLI argument (#4438)
• Expand AGENTS.md with instrumentation/GenAI guidance and add PR review instructions. (#4457)
• opentelemetry-instrumentation: update auto-instrumentation to re-inject instrumentation path after init (#4469)
• opentelemetry-instrumentation-dbapi: Add Database client operation duration and returned rows metrics (#4481)

Changed

• Remove redundant pylint: disable=attribute-defined-outside-init comments and add rule to global .pylintrc disable list (#3839)
• Bump pylint to 4.0.5 (#4244)
• opentelemetry-instrumentation-logging: Use LogRecord.getMessage() to format and extract each log record's body text to more closely match the expected usage of the logging system. As a result, all OTel log record bodies

... (truncated)

Commits

• See full diff in compare view

Updates pyjwt to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

• GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

• GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

• GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

• GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

• GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

• Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
• Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
• RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

• Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

• Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
• PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
• PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
• b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
• enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security

- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed

- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.
Changed



Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__

v2.12.1 &lt;https://github.com/jpadilla/pyjwt/compare/2.12.0...2.12.1&gt;__
</tr></table>

... (truncated)

Commits

• 7144e45 Apply ruff format
• d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
• 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
• 95791b1 Bundle security fixes and hardening into 2.13.0
• dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
• 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
• b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
• 40e3147 Migrate development extras to dependency groups (#1152)
• See full diff in compare view

Updates click to 8.4.1

Release notes

Sourced from click's releases.

8.4.1

This is the Click 8.4.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.4.1/ Changes: https://click.palletsprojects.com/page/changes/#version-8-4-1 Milestone: https://github.com/pallets/click/milestone/32?closed=1

• get_parameter_source() is available during eager callbacks and type conversion again. #3458 #3484
• Zsh completion scripts parse correctly on Windows. #3277 # 3466
• Shell completion of Choice Enum values produces a valid completion result. #3015
• Fix empty byte-string handling in echo. #3487
• Fix closed file error with echo_via_pager. #3449

Changelog

Sourced from click's changelog.

Version 8.4.1

Released 2026-05-21

• get_parameter_source() is available during eager call...

  Description has been truncated