Bump the minor-and-patch group across 1 directory with 11 updates

[dependabot]

Bumps the minor-and-patch group with 11 updates in the /syncbot directory:

Package	From	To
certifi	2026.2.25	2026.5.20
charset-normalizer	3.4.6	3.4.7
idna	3.11	3.16
mako	1.3.10	1.3.12
psycopg2-binary	2.9.11	2.9.12
pymysql	1.1.2	1.2.0
requests	2.33.0	2.34.2
slack-bolt	1.27.0	1.28.0
slack-sdk	3.41.0	3.42.0
sqlalchemy	2.0.48	2.0.49
urllib3	2.6.3	2.7.0

Updates certifi from 2026.2.25 to 2026.5.20

Commits

• d7ea151 2026.05.20 (#413)
• 5dddfb0 2026.04.22 (#410)
• f99eccd Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#404)
• 918bed0 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#405)
• 0a49067 Bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#403)
• acf6ce8 Bump actions/download-artifact from 8.0.0 to 8.0.1 (#398)
• feb0ed2 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#397)
• d9c11a5 Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#396)
• See full diff in compare view

Updates charset-normalizer from 3.4.6 to 3.4.7

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.7

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Changelog

Sourced from charset-normalizer's changelog.

3.4.7 (2026-04-02)

Changed

• Pre-built optimized version using mypy[c] v1.20.
• Relax setuptools constraint to setuptools>=68,<82.1.

Fixed

• Correctly remove SIG remnant in utf-7 decoded string. (#718) (#716)

Commits

• 0f07891 Merge pull request #729 from jawah/release-3.4.7
• fdbeb29 chore: update dev, and ci requirements
• b66f922 chore: add ft classifier
• f94249d chore: add test cases for utf_7 recent fix
• 95c866f chore: bump version to 3.4.7
• 4f429bb chore: bump mypy pre-commit to v1.20
• b579cd6 fix: correctly remove SIG remnant in utf-7 decoded string
• 58bf944 ⬆️ Bump github/codeql-action from 4.32.4 to 4.35.1 (#728)
• 44cf8a1 ⬆️ Bump actions/download-artifact from 8.0.0 to 8.0.1 (#726)
• 362bc20 ⬆️ Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#725)
• Additional commits viewable in compare view

Updates idna from 3.11 to 3.16

Changelog

Sourced from idna's changelog.

3.16 (2026-05-22)

• Add a command-line interface (python -m idna, also available as the idna script). Encodes or decodes one or more domains supplied as arguments or on standard input, with options to select A-label or U-label output and control error handling.
• Raise the minimum supported Python version to 3.9
• Various code quality improvements

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including

... (truncated)

Commits

• 6d1a0de Release 3.16
• 4e6cbe2 Demote installation instruction to usage section
• 223533c Merge branch 'readme-simplification' into release-3.16
• b1640b2 Bump version to 3.16rc0
• 3a86113 Update history for 3.16 release
• d4bc9e7 Merge pull request #246 from kjd/python-3.9
• a21d9fc Update deprecation policy
• b464926 Raise minimum Python to 3.9 and modernize typing
• 7f3b15e Explicit example not needed
• 7530c70 Remove unnecessary print()
• Additional commits viewable in compare view

Updates mako from 1.3.10 to 1.3.12

Release notes

Sourced from mako's releases.

1.3.12

Released: Tue Apr 28 2026

bug

• [bug] [template] Fixed issue in TemplateLookup where a URI with backslash path separators (e.g. \..\secret.txt) could bypass the directory traversal check on Windows, allowing reads of arbitrary files outside of the template directory. Backslash characters in URIs are now normalized to forward slashes before path resolution.

  References: #435

1.3.11

Released: Tue Apr 14 2026

bug

• [bug] [template] Fixed issue in TemplateLookup where a URI with a double-slash prefix (e.g. //../../) could bypass the directory traversal check in Template, allowing reads of arbitrary files outside of the template directory. The issue was caused by an inconsistency in how leading slashes were stripped between TemplateLookup.get_template() and Template initialization.

  References: #434

Commits

• See full diff in compare view

Updates psycopg2-binary from 2.9.11 to 2.9.12

Changelog

Sourced from psycopg2-binary's changelog.

Current release

What's new in psycopg 2.9.12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix infinite loop with malformed interval (:ticket:1835).

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits

• 3a6d9d6 ci: include almalinux in whieel building
• ebca6bf chore: bump to version 3.9.12
• 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
• 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
• d52a61e chore: bump dependency libraries
• b231d72 chore: fix building binary images
• 6d76e84 Merge pull request #1836 from psycopg/fix-1835
• f7e314c fix: overflow in malformed interval
• eb905c1 docs: replace bare except clause with except Exception
• Additional commits viewable in compare view

Updates pymysql from 1.1.2 to 1.2.0

Release notes

Sourced from pymysql's releases.

v1.2.0

What's Changed

• Bump the all-dependencies group with 2 updates by @​dependabot[bot] in PyMySQL/PyMySQL#1232
• Reorganize TLS options: implement PREFERRED/REQUIRED SSL mode behavior by @​Copilot in PyMySQL/PyMySQL#1234
• Support MySQL 8 row/column alias syntax in executemany INSERT regex by @​Copilot in PyMySQL/PyMySQL#1235
• Expose SQLSTATE on MySQL protocol exceptions without changing exception formatting by @​Copilot in PyMySQL/PyMySQL#1236
• Reject non-finite decimal.Decimal query parameters (NaN, sNaN, ±Infinity) by @​Copilot in PyMySQL/PyMySQL#1237
• docs: update outdated requirements and reference links by @​Copilot in PyMySQL/PyMySQL#1239
• Prepare CHANGELOG for v1.2.0 release from v1.1.3 changes by @​Copilot in PyMySQL/PyMySQL#1238
• deprecate db and passwd again by @​methane in PyMySQL/PyMySQL#1240
• deprecate reconnect in Connection.ping() by @​methane in PyMySQL/PyMySQL#1241
• Deprecate Connection.set_charset() at runtime and document warning behavior by @​Copilot in PyMySQL/PyMySQL#1243
• Release v1.2.0 by @​methane in PyMySQL/PyMySQL#1244

New Contributors

• @​Copilot made their first contribution in PyMySQL/PyMySQL#1234

Full Changelog: PyMySQL/PyMySQL@v1.1.3...v1.2.0

v1.1.3

What's Changed

• callproc: escape procname by @​methane in PyMySQL/PyMySQL#1225
• use ubuntu-slim and dependabot by @​methane in PyMySQL/PyMySQL#1226
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in PyMySQL/PyMySQL#1227
• Bump codecov/codecov-action from 5 to 6 by @​dependabot[bot] in PyMySQL/PyMySQL#1228
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in PyMySQL/PyMySQL#1229
• release 1.1.3 by @​methane in PyMySQL/PyMySQL#1230

New Contributors

• @​dependabot[bot] made their first contribution in PyMySQL/PyMySQL#1227

Full Changelog: PyMySQL/PyMySQL@v1.1.2...v1.1.3

Changelog

Sourced from pymysql's changelog.

v1.2.0

Release date: 2026-05-19

Breaking changes

• Connection.ping() change the default to not reconnect and deprecate reconnect argument. Create a new connection if you want to reconnect. (#1241)

• Error classes in Cursor class are removed. (#1240)

• connect() arguments db and passwd now emit DeprecationWarning. Use database and password instead. (#1240)

• Reorganize TLS connection behavior.

  • PyMySQL uses TLS by default when server supports it. Use ssl_disabled=True to prohibit SSL. (#1213)

  • When ssl_verify_cert=True, ssl_verify_identity=True, an ssl.SSLContext is passed, or when any other SSL option is configured, the connection requires SSL and raises OperationalError (CR_SSL_CONNECTION_ERROR) if the server doesn't support it. (#1234)

Other changes

• Support MySQL 8 row/column alias syntax in executemany INSERT regex. (#1235)
• Expose SQLSTATE on MySQL protocol exceptions without changing exception formatting. (#1236)
• Reject non-finite decimal.Decimal query parameters (NaN, sNaN, ±Infinity). (#1237)
• Connection.set_charset(charset) now emits DeprecationWarning.

v1.1.3

Release date: 2026-05-01

Security

• Fix Cursor.callproc() didn't escape procedure name. (#1206) There was a possibility of SQL injection when calling a procedure with a string received from an untrusted source as the procedure name.

  NOTICE: This change may cause backward compatibility issues. If you specified a procedure name like "dbname.funcname", the previous version called CALL dbname.funcname, but from this version, it will call CALL `dbname.funcname` so you cannot specify procedure name with database name anymore.

Commits

• 0f1c324 use ubuntu-latest for pypi publishing
• 53b16b2 Release v1.2.0 (#1244)
• 637fe7e Deprecate Connection.set_charset() at runtime and document warning behavior...
• 23ca04a add AGENTS.md
• 7349a44 deprecate reconnect in Connection.ping() (#1241)
• ad5c50c update CHANGELOG
• c963edb Deprecation and removals (#1240)
• af6b9b4 Prepare CHANGELOG for v1.2.0 release from v1.1.3 changes (#1238)
• c7bf73f docs: update outdated requirements and reference links (#1239)
• c532b8d Reject non-finite decimal.Decimal query parameters (NaN, sNaN, `±Infini...
• Additional commits viewable in compare view

Updates requests from 2.33.0 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

... (truncated)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates slack-bolt from 1.27.0 to 1.28.0

Release notes

Sourced from slack-bolt's releases.

v1.28.0

What's Changed

Bring magic to a conversation with say_stream for streaming messages and show loading status with set_status. Now available for app.event and app.message listeners:

@app.event("app_mention")
def handle_mention(say_stream, set_status):
    set_status(
        status="Thinking...",
        loading_messages=["Waking up...", "Loading a witty response..."],
    )
    stream = say_stream(buffer_size=100)
    stream.append(markdown_text="Thinking... :thinking_face:\n\n")
    stream.append(markdown_text="Here is my response!")
    stream.stop()

🚀 Enhancements

• feat: add support for say_stream utility in #1462 - Thanks @​WilliamBergamin!
• feat: surface the set_status argument to listeners if required event details are available in #1465 - Thanks @​WilliamBergamin!
• feat: add agent set status to BoltAgent in #1441 - Thanks @​srtaalej!
• feat(agent): add set_suggested_prompts helper in #1442 - Thanks @​zimeg!
• feat(agent): default to message 'ts' when no 'thread_ts' is available for 'agent.chat_stream(...)' in #1444 - Thanks @​zimeg!
• Add 'agent: BoltAgent' listener argument in #1437 - Thanks @​mwbrooks!

🐛 Bug Fixes

• fix: pin setuptools to maintain support for pyramid adapter in #1436 - Thanks @​WilliamBergamin!
• fix(agent): match channel_id api argument for set_status and set_suggested_prompts in #1446 - Thanks @​zimeg!
• fix(assistant): get_thread_context calls store.find() for user_message events in #1453 - Thanks @​srtaalej!
• fix(assistant): improve middleware dispatch and inject kwargs in middleware in #1456 - Thanks @​WilliamBergamin!
• fix: improve the robustness of the payload extract logic in #1464 - Thanks @​WilliamBergamin!
• fix: Remove 'agent: BoltAgent' listener argument in #1466 - Thanks @​WilliamBergamin!
• refactor: rename AttachingAgentKwargs middleware to AttachingConversationKwargs in #1473 - Thanks @​WilliamBergamin!

📚 Documentation

• docs: updates old links throughout in #1409 - Thanks @​lukegalbraithrussell!
• docs: updates outmoded links and standardizes markdown links in #1410 - Thanks @​lukegalbraithrussell!
• Docs: Add headings so copy as markdown button shows up in #1443 - Thanks @​haleychaas!

🧰 Maintenance

• fix: update the release instructions in #1400 - Thanks @​WilliamBergamin!
• chore: improve testing around assistant utilities in #1461 - Thanks @​WilliamBergamin!
• chore: replace sleep-based polling with Event synchronization in tests in #1467 - Thanks @​WilliamBergamin!
• chore: fix test warnings across test suite in #1468 - Thanks @​WilliamBergamin!
• chore: improve type checking behavior in #1470 - Thanks @​WilliamBergamin!

... (truncated)

Commits

• c64d69d chore(release): version 1.28.0 (#1480)
• 064ef2e chore: remove experiment around say_stream (#1471)
• dbe1590 chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#1477)
• 13a6dff chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 (#1476)
• 3f9d376 chore(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 (#1475)
• 4dee16d chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 (#1474)
• 9d0e0af refactor: rename AttachingAgentKwargs middleware to AttachingConversationKwar...
• 8908885 chore: improve type checking behavior (#1470)
• f11dbfb fix(assistant): get_thread_context calls store.find() for user_message events...
• 98a8f59 chore: fix test warnings across test suite (#1468)
• Additional commits viewable in compare view

Updates slack-sdk from 3.41.0 to 3.42.0

Release notes

Sourced from slack-sdk's releases.

v3.42.0

What's Changed

🚀 Enhancements

• feat: add authorship arguments to assistant threads and chat stream by @​zimeg in slackapi/python-slack-sdk#1862
• feat(blocks): add Card, Carousel, and Alert block types by @​srtaalej in slackapi/python-slack-sdk#1865
• feat(models): add BlockChunk type to chat.{start,append,stop}Stream methods by @​srtaalej in slackapi/python-slack-sdk#1872
• feat: add highlight_type to files.completeUploadExternal and files_upload_v2 by @​zimeg in slackapi/python-slack-sdk#1875

🐛 Bug Fixes

• fix: pass default ssl=True to aiohttp to avoid deprecation warning by @​WilliamBergamin in slackapi/python-slack-sdk#1843
• fix: Improve type annotations in SignatureVerifier by @​BHSPitMonkey in slackapi/python-slack-sdk#1845
• Fix typo in SectionBlock field validation by @​Lexicality in slackapi/python-slack-sdk#1848
• fix: improve Socket Mode client stability and correctness by @​WilliamBergamin in slackapi/python-slack-sdk#1854
• fix: pin cryptography<46 for PyPy 3.10 CI builds by @​WilliamBergamin in slackapi/python-slack-sdk#1860
• fix: resolve OAuth installation store bugs and typos by @​WilliamBergamin in slackapi/python-slack-sdk#1864

📚 Documentation

• docs - adds chat_stream helper to python sdk docs (removing from bolt-py) by @​lukegalbraithrussell in slackapi/python-slack-sdk#1846
• docs(maintainers): adding block kit types instructions by @​srtaalej in slackapi/python-slack-sdk#1861

📦 Other changes

• chore: fix formatting based on new black version by @​WilliamBergamin in slackapi/python-slack-sdk#1842
• chore: fix test warnings across test suite by @​WilliamBergamin in slackapi/python-slack-sdk#1844
• chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1849
• chore(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1851
• chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1852
• chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1850
• chore(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 by @​dependabot[bot] in slackapi/python-slack-sdk#1869
• chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @​dependabot[bot] in slackapi/python-slack-sdk#1871
• chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1868
• chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 by @​dependabot[bot] in slackapi/python-slack-sdk#1870
• chore(release): version 3.42.0 by @​zimeg in slackapi/python-slack-sdk#1876

New Contributors

• @​BHSPitMonkey made their first contribution in slackapi/python-slack-sdk#1845
• @​Lexicality made their first contribution in slackapi/python-slack-sdk#1848

Full Changelog: slackapi/python-slack-sdk@v3.41.0...v3.42.0 Milestone: https://github.com/slackapi/python-slack-sdk/milestone/118?closed=1

Commits

• 4f7eeee chore(release): version 3.42.0 (#1876)
• e69ba32 feat: add highlight_type to files.completeUploadExternal and files_upload_v2 ...
• beecde2 feat(models): add BlockChunk type to chat.{start,append,stop}Stream methods (...
• 73d255a feat(blocks): add Card, Carousel, and Alert block types (#1865)
• 60bd43d feat: add authorship arguments to assistant threads and chat stream (#1862)
• 726538c chore(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#1870)
• 5338c2d chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 (#1868)
• 632a205 chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1871)
• bec3906 chore(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 (#1869)
• 69163d6 fix: resolve OAuth installation store bugs and typos (#1864)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

  See GHSA-mf9v-mfxr-j63j for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
• Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
• Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
• Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
• Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
• Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://gith...

  Description has been truncated