chore(deps): bump the python-dependencies group across 1 directory with 5 updates #62

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/python-dependencies-581772f05c


@dependabot dependabot Bot commented on behalf of github Apr 26, 2026

Contributor

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Updates the requirements on apscheduler, aiofiles, fastapi, uvicorn and tomli to permit the latest version.
Updates apscheduler to 3.11.2

Release notes

Sourced from apscheduler's releases.

3.11.2

  • Fixed an issue where a job using a CronTrigger scheduled in a repeated time interval during DST transitions could cause the scheduler to get stuck in an infinite loop (#1021; PR by @soulofakuma)

Commits
  • 0f70950 Added the release version
  • bc404e6 Updated publish actions
  • c3aa155 Updated pre-commit modules
  • ad6b2dc Added fix for get_next_fire_time not advancing through fold with unfolded pre...
  • f4df139 Added the release version
  • 25be7b7 Fixed CronTrigger getting stuck on fallback DST transition (#1079)
  • 1261386 Updated etcd image repository name
  • b1f5636 Fixed shutdown() not raising the correct exception for some schedulers
  • 6c72a51 Backported release job from master
  • 4b96510 Added the release version
  • Additional commits viewable in compare view

Updates aiofiles to 25.1.0

Release notes

Sourced from aiofiles's releases.

v25.1.0

  • Switch to uv + add Python v3.14 support. (#219)
  • Add ruff formatter and linter. #216
  • Drop Python 3.8 support. If you require it, use version 24.1.0. #204

New Contributors

Full Changelog: Tinche/aiofiles@v24.1.0...v25.1.0

Changelog

Sourced from aiofiles's changelog.

25.1.0 (2025-10-09)

  • Switch to uv + add Python v3.14 support. (#219)
  • Add ruff formatter and linter. #216
  • Drop Python 3.8 support. If you require it, use version 24.1.0. #204

24.1.0 (2024-06-24)

  • Import os.link conditionally to fix importing on android. #175
  • Remove spurious items from aiofiles.os.__all__ when running on Windows.
  • Switch to more modern async idioms: Remove types.coroutine and make AiofilesContextManager an awaitable instead a coroutine.
  • Add aiofiles.os.path.abspath and aiofiles.os.getcwd. #174
  • aiofiles is now tested on Python 3.13 too. #184
  • Drop Python 3.7 support. If you require it, use version 23.2.1.

23.2.1 (2023-08-09)

  • Import os.statvfs conditionally to fix importing on non-UNIX systems. #171 #172
  • aiofiles is now also tested on Windows.

23.2.0 (2023-08-09)

  • aiofiles is now tested on Python 3.12 too. #166 #168
  • On Python 3.12, aiofiles.tempfile.NamedTemporaryFile now accepts a delete_on_close argument, just like the stdlib version.
  • On Python 3.12, aiofiles.tempfile.NamedTemporaryFile no longer exposes a delete attribute, just like the stdlib version.
  • Added aiofiles.os.statvfs and aiofiles.os.path.ismount. #162
  • Use PDM instead of Poetry. #169

23.1.0 (2023-02-09)

  • Added aiofiles.os.access. #146
  • Removed aiofiles.tempfile.temptypes.AsyncSpooledTemporaryFile.softspace. #151
  • Added aiofiles.stdin, aiofiles.stdin_bytes, and other stdio streams. #154
  • Transition to asyncio.get_running_loop (vs asyncio.get_event_loop) internally.

22.1.0 (2022-09-04)

... (truncated)

Commits

Updates fastapi to 0.128.8

Release notes

Sourced from fastapi's releases.

0.128.8

Docs

Internal

Commits
  • bdd2005 🔖 Release version 0.128.8
  • 1ed9bd4 📝 Update release notes
  • aac30fd 🔨 Tweak PDM hook script (#14895)
  • 417f1ee 📝 Update release notes
  • ffb8965 ♻️ Update build setup for fastapi-slim, deprecate it, and make it only depe...
  • 93fa935 📝 Update release notes
  • f0f3e7a 📝 Fix grammar in docs/en/docs/tutorial/first-steps.md (#14708)
  • 8f82c94 🔖 Release version 0.128.7
  • 5bb3423 📝 Update release notes
  • 6ce5e3e ✅ Tweak comment in test to reference PR (#14885)
  • Additional commits viewable in compare view

Updates uvicorn to 0.39.0

Release notes

Sourced from uvicorn's releases.

Version 0.39.0

What's Changed

New Contributors

Full Changelog: Kludex/uvicorn@0.38.0...0.39.0

Changelog

Sourced from uvicorn's changelog.

0.39.0 (December 21, 2025)

Fixed

  • Send close frame on ASGI return for WebSockets (#2769)
  • Explicitly start ASGI run with empty context (#2742)

0.38.0 (October 18, 2025)

Added

  • Support Python 3.14 (#2723)

0.37.0 (September 23, 2025)

Added

  • Add --timeout-worker-healthcheck option (#2711)
  • Add os.PathLike[str] type to ssl_ca_certs (#2676)

0.36.1 (September 23, 2025)

Fixed

  • Raise an exception when calling removed Config.setup_event_loop() (#2709)

0.36.0 (September 20, 2025)

Added

  • Support custom IOLOOPs (#2435)
  • Allow to provide importable string in --http, --ws and --loop (#2658)

0.35.0 (June 28, 2025)

Added

  • Add WebSocketsSansIOProtocol (#2540)

Changed

  • Refine help message for option --proxy-headers (#2653)

0.34.3 (June 1, 2025)

Fixed

  • Don't include cwd() when non-empty --reload-dirs is passed (#2598)
  • Apply get_client_addr formatting to WebSocket logging (#2636)

... (truncated)

Commits

Updates tomli to 2.4.1

Changelog

Sourced from tomli's changelog.

2.4.1

  • Fixed
    • Limit number of parts of a TOML key to address quadratic time complexity

2.4.0

  • Added
    • TOML v1.1.0 compatibility
    • Binary wheels for Windows arm64

2.3.0

  • Added
    • Binary wheels for Python 3.14 (also free-threaded)
  • Performance
    • Reduced import time

2.2.1

  • Fixed
    • Don't attempt to compile binary wheels for Python 3.8, 3.9 and 3.10 where cibuildwheel depends on a conflicting Tomli version

2.2.0

  • Added
    • mypyc generated binary wheels for common platforms

2.1.0

  • Deprecated
    • Instantiating TOMLDecodeError with free-form arguments. msg, doc and pos arguments should be given.
  • Added
    • msg, doc, pos, lineno and colno attributes to TOMLDecodeError

2.0.2

  • Removed
    • Python 3.7 support
  • Improved
    • Make loads raise TypeError not AttributeError on bad input types that do not have the replace attribute. Improve error message when bytes is received.
  • Type annotations
    • Type annotate load input as typing.IO[bytes] (previously typing.BinaryIO).

2.0.1

  • Improved
    • Make bundling easier by using relative imports internally and adding license and copyright notice to source files.

... (truncated)

Commits
  • c5f4469 Bump version: 2.4.0 → 2.4.1
  • 2bcd262 Add change log for 2.4.1 and 2.3.1
  • e1fdb94 Limit number of parts of a key (#286)
  • c20c491 pre-commit autoupdate
  • 920e20b Update performance benchmark and results
  • 064e492 Merge pull request #280 from hukkin/version-2.4.0
  • a678e6f Bump version: 2.3.0 → 2.4.0
  • b8a1358 Tests: remove now needless "TOML compliance"->"burntsushi" format conversion
  • 4979375 Update GitHub actions
  • f890dd1 Update pre-commit hooks
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Apr 26, 2026
@dosubot dosubot Bot added the size:S 10-29 lines of code changed (generated files ignored) label Apr 26, 2026

github-actions Bot commented Apr 26, 2026


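😷 Shit-mountain code detection report · Merge allowed

🎯 Overview of this scan

"The code is starting to smell; maintain with caution"

| Dimension | Value |
| --- | --- |
| Shit-mountain index | 39.56 / 100 |
| Shit-mountain grade | Bad tier |
| Detection time | 2026/5/31 18:33:06 |

🎭 Overall impression

A bit smelly, but not enough to knock anyone out

🧭 Next steps

This code is like a rebellious teenager; it needs proper discipline to turn out well

📥 Detailed data

fuck-u-code automated scan · This comment does not represent human opinion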

@dependabot dependabot Bot changed the title chore(deps): bump the python-dependencies group with 5 updates chore(deps): bump the python-dependencies group across 1 directory with 5 updates May 4, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/python-dependencies-581772f05c branch from 40432c5 to 10a79b2 Compare May 4, 2026 09:07

kilo-code-bot Bot commented May 4, 2026

Contributor

Code Review Summary

Status: No Issues Found in Diff | Recommendation: Merge

Overview

Severity Count
CRITICAL 0
WARNING 0
SUGGESTION 0

PR Analysis

This PR only updates requirements.txt to bump minimum dependency versions:

  • apscheduler: 3.10 → 3.11.2
  • aiofiles: 23.2 → 25.1.0
  • fastapi: 0.110 → 0.128.8 (with upper bound now <0.129 instead of <1.0)
  • uvicorn: 0.29 → 0.39.0
  • tomli: 2.0 → 2.4.1 (for Python < 3.11)

These are safe version bumps that maintain compatibility while ensuring security patches are included.

Codebase Review (Existing Code)

The broader codebase was reviewed for AstrBot plugin compliance:

✅ Strengths:

  • Logger imports: All files correctly import from astrbot.api
  • Filter decorator: Correctly imported from astrbot.api.event
  • Data persistence: Uses StarTools.get_data_dir() properly ✓
  • Event handlers: All include event parameter correctly ✓
  • Async patterns: All I/O properly wrapped in asyncio.to_thread()
  • Plugin registration: Follows AstrBot v3.5.20+ pattern (no @register) ✓
  • No security vulnerabilities: No hardcoded secrets or unsafe operations ✓

⚠️ Pre-existing Code Quality Notes (not in diff):

  • ~97 lines exceed 120 characters (PEP 8 line length)
  • ~79 instances of broad except Exception: catching (could be more specific)
  • Some comments mention reserved variables not actively used (e.g., last_bot_message_time)
  • Exception handler state tracking differs slightly between main.py and LifecycleMixin

These are pre-existing characteristics of the codebase and do not affect the safety of this version bump PR.

Files Reviewed (24 files)
  • main.py - Plugin entry point with proper AstrBot v3.5.20+ structure
  • core/chat_flow.py - Proactive message orchestration
  • core/data_storage.py - Session persistence with async I/O
  • core/llm_adapter.py - Context management and LLM calls
  • core/message_events.py - Event listeners for user messages
  • core/message_sender.py - Message delivery with formatting
  • core/notification_center.py - Remote notification system
  • core/plugin_lifecycle.py - Plugin initialization/termination
  • core/session_config.py - Configuration management
  • core/session_override_manager.py - Per-session config overrides
  • core/session_parser.py - UMO parsing utilities
  • core/task_scheduler.py - Timer and scheduler management
  • core/telemetry_manager.py - Anonymous usage telemetry
  • core/web_admin_server.py - Web-based plugin configuration UI
  • utils/time_utils.py - Quiet hours detection
  • utils/version.py - Version management utilities
  • Plus __init__.py files and 7 other core modules

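Code Review Panel

Character 1: The Sharp-Tongued Architect (Tony the Tormentor)

"Oh my, look at these 97 over-long lines of code; PEP 8 itself would pack up and flee on a train overnight! 79 instances of except Exception? Are you using exception handling as control flow? Still... at least there are no passwords hardcoded in the code and no print() debugging, which is slightly better than certain 'experts'. The async I/O wrapping is decent, not too outrageous."

Character 2: The Python Veteran (Margaret the Mentor)

"Hmm, the code structure is quite clear, and the separation of responsibilities is well done. Each mixin has a clear focus, and the event handler pattern is consistent. The data masking in telemetry_manager.py is meticulous, protecting privacy while preserving statistical value. web_admin_server.py is large, but its routes are well organized. The version update strategy is conservative and wise: only the minimum necessary upgrades, reducing the risk of breaking changes."

Character 3: The Future Architect (Alex the Visionary)

"This plugin demonstrates many best practices of modern Python async programming! It uses asyncio.to_thread() to handle blocking operations and keep the event loop running smoothly. The StarTools integration is elegant and fully follows AstrBot's plugin architecture. The telemetry system is cleverly designed: fully anonymized yet still able to provide valuable runtime insight. In the future, consider using __all__ to declare exported interfaces explicitly, or introducing a finer-grained exception hierarchy, but this is already mature, industrial-grade code."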


Reviewed by ling-2.6-1t-20260423:free · 2,562,978 tokens

@dependabot dependabot Bot force-pushed the dependabot/pip/python-dependencies-581772f05c branch from 10a79b2 to 9ed5562 Compare May 10, 2026 10:33
…th 5 updates

Updates the requirements on [apscheduler](https://github.com/agronholm/apscheduler), [aiofiles](https://github.com/Tinche/aiofiles), [fastapi](https://github.com/fastapi/fastapi), [uvicorn](https://github.com/Kludex/uvicorn) and [tomli](https://github.com/hukkin/tomli) to permit the latest version.

Updates `apscheduler` to 3.11.2
- [Release notes](https://github.com/agronholm/apscheduler/releases)
- [Commits](agronholm/apscheduler@3.10.0...3.11.2)

Updates `aiofiles` to 25.1.0
- [Release notes](https://github.com/Tinche/aiofiles/releases)
- [Changelog](https://github.com/Tinche/aiofiles/blob/main/CHANGELOG.md)
- [Commits](Tinche/aiofiles@v23.2.0...v25.1.0)

Updates `fastapi` to 0.128.8
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.110.0...0.128.8)

Updates `uvicorn` to 0.39.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.29.0...0.39.0)

Updates `tomli` to 2.4.1
- [Changelog](https://github.com/hukkin/tomli/blob/master/CHANGELOG.md)
- [Commits](hukkin/tomli@2.0.0...2.4.1)

---
updated-dependencies:
- dependency-name: aiofiles
  dependency-version: 25.1.0
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: apscheduler
  dependency-version: 3.11.2
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: fastapi
  dependency-version: 0.128.8
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: tomli
  dependency-version: 2.4.1
  dependency-type: direct:production
  dependency-group: python-dependencies
- dependency-name: uvicorn
  dependency-version: 0.39.0
  dependency-type: direct:production
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/python-dependencies-581772f05c branch from 9ed5562 to 225e52b Compare May 31, 2026 10:32