Bump the minor-and-patch group across 1 directory with 6 updates #23

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/pip/syncbot/minor-and-patch-77cac5566c
@dependabot dependabot Bot commented on behalf of github Apr 17, 2026

Bumps the minor-and-patch group with 6 updates in the /syncbot directory:

| Package | From | To |
| --- | --- | --- |
| charset-normalizer | 3.4.6 | 3.4.7 |
| cryptography | 46.0.6 | 46.0.7 |
| mako | 1.3.10 | 1.3.11 |
| requests | 2.33.0 | 2.33.1 |
| slack-bolt | 1.27.0 | 1.28.0 |
| sqlalchemy | 2.0.48 | 2.0.49 |

Updates charset-normalizer from 3.4.6 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

  • Pre-built optimized version using mypy[c] v1.20.
  • Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

  • Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)
Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

  • Pre-built optimized version using mypy[c] v1.20.
  • Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

  • Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)
Commits
  • 0f07891 Merge pull request #729 from jawah/release-3.4.7
  • fdbeb29 chore: update dev, and ci requirements
  • b66f922 chore: add ft classifier
  • f94249d chore: add test cases for utf_7 recent fix
  • 95c866f chore: bump version to 3.4.7
  • 4f429bb chore: bump mypy pre-commit to v1.20
  • b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
  • 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
  • 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
  • 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
  • Additional commits viewable in compare view

Updates cryptography from 46.0.6 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07


* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.


Commits

Updates mako from 1.3.10 to 1.3.11

Release notes

Sourced from mako's releases.

1.3.11

Released: Tue Apr 14 2026

bug

  • [bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

    References: #434

Commits

Updates requests from 2.33.0 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

  • Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
  • Fixed Content-Type header parsing for malformed values. (#7309)
  • Improved error consistency for malformed header values. (#7308)
Commits

Updates slack-bolt from 1.27.0 to 1.28.0

Release notes

Sourced from slack-bolt's releases.

v1.28.0

What's Changed

Bring magic to a conversation with say_stream for streaming messages and show loading status with set_status. Now available for app.event and app.message listeners:

```python
# `app` is an existing slack_bolt App instance created elsewhere.
@app.event("app_mention")
def handle_mention(say_stream, set_status):
    set_status(
        status="Thinking...",
        loading_messages=["Waking up...", "Loading a witty response..."],
    )
    stream = say_stream(buffer_size=100)
    stream.append(markdown_text="Thinking... :thinking_face:\n\n")
    stream.append(markdown_text="Here is my response!")
    stream.stop()
```

🚀 Enhancements

  • feat: add support for say_stream utility in #1462 - Thanks @​WilliamBergamin!
  • feat: surface the set_status argument to listeners if required event details are available in #1465 - Thanks @​WilliamBergamin!
  • feat: add agent set status to BoltAgent in #1441 - Thanks @​srtaalej!
  • feat(agent): add set_suggested_prompts helper in #1442 - Thanks @​zimeg!
  • feat(agent): default to message 'ts' when no 'thread_ts' is available for 'agent.chat_stream(...)' in #1444 - Thanks @​zimeg!
  • Add 'agent: BoltAgent' listener argument in #1437 - Thanks @​mwbrooks!

🐛 Bug Fixes

📚 Documentation

🧰 Maintenance

... (truncated)

Commits
  • c64d69d chore(release): version 1.28.0 (#1480)
  • 064ef2e chore: remove experiment around say_stream (#1471)
  • dbe1590 chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#1477)
  • 13a6dff chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 (#1476)
  • 3f9d376 chore(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 (#1475)
  • 4dee16d chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 (#1474)
  • 9d0e0af refactor: rename AttachingAgentKwargs middleware to AttachingConversationKwar...
  • 8908885 chore: improve type checking behavior (#1470)
  • f11dbfb fix(assistant): get_thread_context calls store.find() for user_message events...
  • 98a8f59 chore: fix test warnings across test suite (#1468)
  • Additional commits viewable in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

  • [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

    References: #13176

  • [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

    References: #13193

  • [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

    References: #13202

  • [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

    References: #13209

typing

  • [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
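
The Mako 1.3.11 entry above describes a traversal check and a path builder that strip leading slashes differently. The following is an added example, not Mako's code and not part of this pull request: a simplified model of that mismatch next to a resolver that verifies containment on the final path. The function names, the template root and the sample URIs are constructed, and the one-slash versus all-slashes split is an assumption about the shape of the inconsistency.

```python
import posixpath
import re

TEMPLATE_DIR = "/srv/app/templates"  # constructed sample root, not from the PR


def check_uri(uri):
    """Modelled traversal check: strips only ONE leading slash (assumption)."""
    u = uri[1:] if uri.startswith("/") else uri
    return not posixpath.normpath(u).startswith("..")


def resolve_uri(uri, root=TEMPLATE_DIR):
    """Modelled path builder: strips ALL leading slashes before joining."""
    u = re.sub(r"^/+", "", uri)
    return posixpath.normpath(posixpath.join(root, u))


def inside(path, root=TEMPLATE_DIR):
    """True when path is root itself or lies beneath it, compared per component."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, path]) == root


def resolve_uri_hardened(uri, root=TEMPLATE_DIR):
    """Normalize once, then test containment on the path that will be opened."""
    path = posixpath.normpath(posixpath.join(root, uri.lstrip("/")))
    if not inside(path, root):
        raise ValueError(f"uri {uri!r} resolves outside {root}")
    return path


def audit(uris):
    """URIs that the check accepts although the builder leaves the root."""
    return [u for u in uris if check_uri(u) and not inside(resolve_uri(u))]


# Constructed inputs: two ordinary URIs, a plain "../" and the double-slash form.
SAMPLES = ["/index.html", "//layout/base.html", "/../outside.txt", "//../../outside.txt"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r:26} check={check_uri(uri)!s:5} path={resolve_uri(uri)}")
    print("accepted but outside root:", audit(SAMPLES))
```

The hardened resolver does not depend on how many slashes were stripped, because the containment test runs on the same normalized path that is returned to the caller.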

Bumps the minor-and-patch group with 6 updates in the /syncbot directory:

| Package | From | To |
| --- | --- | --- |
| [charset-normalizer](https://github.com/jawah/charset_normalizer) | `3.4.6` | `3.4.7` |
| [cryptography](https://github.com/pyca/cryptography) | `46.0.6` | `46.0.7` |
| [mako](https://github.com/sqlalchemy/mako) | `1.3.10` | `1.3.11` |
| [requests](https://github.com/psf/requests) | `2.33.0` | `2.33.1` |
| [slack-bolt](https://github.com/slackapi/bolt-python) | `1.27.0` | `1.28.0` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.48` | `2.0.49` |



Updates `charset-normalizer` from 3.4.6 to 3.4.7
- [Release notes](https://github.com/jawah/charset_normalizer/releases)
- [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md)
- [Commits](jawah/charset_normalizer@3.4.6...3.4.7)

Updates `cryptography` from 46.0.6 to 46.0.7
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.6...46.0.7)

Updates `mako` from 1.3.10 to 1.3.11
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

Updates `requests` from 2.33.0 to 2.33.1
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.33.0...v2.33.1)

Updates `slack-bolt` from 1.27.0 to 1.28.0
- [Release notes](https://github.com/slackapi/bolt-python/releases)
- [Commits](slackapi/bolt-python@v1.27.0...v1.28.0)

Updates `sqlalchemy` from 2.0.48 to 2.0.49
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: charset-normalizer
  dependency-version: 3.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: mako
  dependency-version: 1.3.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: requests
  dependency-version: 2.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: slack-bolt
  dependency-version: 1.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sqlalchemy
  dependency-version: 2.0.49
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the `dependencies` (Pull requests that update a dependency file) and `python` (Pull requests that update python code) labels Apr 17, 2026

dependabot Bot commented on behalf of github Apr 24, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 24, 2026
@dependabot dependabot Bot deleted the dependabot/pip/syncbot/minor-and-patch-77cac5566c branch April 24, 2026 19:11