Skip to content

chore(deps): bump the all-dependencies group across 1 directory with 27 updates#162

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/libs/bog-agents/all-dependencies-8a72aab7ad
Open

chore(deps): bump the all-dependencies group across 1 directory with 27 updates#162
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/libs/bog-agents/all-dependencies-8a72aab7ad

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown

Bumps the all-dependencies group with 27 updates in the /libs/bog-agents directory:

Package From To
anyio 4.13.0 4.14.2
langchain-google-genai 4.2.2 4.2.7
wcmatch 10.2.1 11.0
cryptography 48.0.0 49.0.0
pyasn1 0.6.3 0.6.4
starlette 1.2.1 1.3.1
uvicorn 0.47.0 0.51.0
sse-starlette 3.4.4 3.4.5
pypdf 6.13.3 6.14.2
av 17.1.0 18.0.0
pillow 12.2.0 12.3.0
langsmith 0.8.5 0.10.2
langchain-aws 1.5.0 1.6.2
langchain-openai 1.2.1 1.3.5
pytest 9.0.3 9.1.1
pytest-socket 0.7.0 0.8.0
ruff 0.15.13 0.15.21
ty 0.0.37 0.0.59
pytest-asyncio 1.3.0 1.4.0
build 1.5.0 1.5.1
langchain-mistralai 1.1.4 1.1.6
langchain-deepseek 1.0.1 1.1.0
langchain-groq 1.1.2 1.1.3
langchain-fireworks 1.3.1 1.4.4
langchain-baseten 0.2.0 0.2.1
datasets 4.8.5 5.0.0
nltk 3.9.4 3.10.0

Updates anyio from 4.13.0 to 4.14.2

Release notes

Sourced from anyio's releases.

4.14.2

  • Changed ByteReceiveStream.receive() implementations to raise a ValueError when max_bytes is not a positive integer (#1191)
  • Fixed CapacityLimiter.total_tokens rejecting float("inf") when the limiter was instantiated outside of an event loop. The adapter setter checked for infinity by identity (value is math.inf), so only the exact math.inf singleton was accepted, while every backend setter (using math.isinf()) accepts any positive infinity (#1189; PR by @​greymoth-jp).
  • Fixed to_process.run_sync() deadlocking when the worker function writes enough data to sys.stderr to fill the (undrained) pipe buffer. The worker process now redirects sys.stderr to os.devnull as well, matching the documented behavior
  • Fixed TLSStream.wrap() matching an internationalized (unicode) host name against the peer certificate using IDNA 2003 (via the standard library) instead of IDNA 2008, which could cause the host name to be matched against the wrong certificate (#1208)
  • Fixed anyio.open_process() (and run_process()) ignoring the extra_groups argument, as it mistakenly passed the value of the group argument instead (#1209)
  • Fixed CapacityLimiter.acquire_nowait() and CapacityLimiter.acquire_nowait_on_behalf_of() raising trio.WouldBlock instead of anyio.WouldBlock on the trio backend when there are no tokens available (#1218)
  • Fixed CapacityLimiter on the asyncio backend over-granting tokens (borrowed_tokens exceeding total_tokens and available_tokens going negative) when a non-blocking acquire was made in the window between a token being released and the notified waiter resuming. The freed token is now reserved for the woken waiter right away, so the non-blocking acquire correctly raises WouldBlock (#1170; PR by @​gaoflow)
  • Fixed unnecessary CPU spin when delivering cancellation from CancelScope on asyncio under certain conditions, including improper cancel scope nesting (#1111)

4.14.1

  • Fixed teardown of higher-scoped async fixtures failing on asyncio with RuntimeError: Attempted to exit cancel scope in a different task than it was entered in when an async test raise an outcome exception (e.g., pytest.skip(), pytest.xfail(), or pytest.fail()) (#1179; PR by @​EmmanuelNiyonshuti)
  • Fixed CapacityLimiter.total_tokens rejecting a value of 0 when the limiter was instantiated outside of an event loop, contradicting the documented behavior of allowing 0 total tokens (#1183; PR by @​nyxst4ck)

4.14.0

  • Added support for Python 3.15

  • Added an asynchronous implementation of the itertools module (#998; PR by @​11kkw)

  • Added the local_port parameter to connect_tcp() to allow binding to a specific local port before connecting (#1067; PR by @​nullwiz)

  • Added support for custom capacity limiters in async path and file I/O functions and classes

  • Added the create_task() task group method for easier asyncio migration (returns a TaskHandle) (#1098)

  • Changed TaskGroup.start_soon() to return a TaskHandle

  • Added an option for TaskGroup.start() to return a TaskHandle (which then contains the start value in the start_value property)

  • Added the cancel() convenience method to TaskGroup as a shortcut for cancelling the task group's cancel scope

  • Improved the error message when a known backend is not installed to suggest the install command (#1115; PR by @​EmmanuelNiyonshuti)

  • Improved anyio.Path to preserve subclass types by returning Self in methods that return path objects (#1130; PR by @​EmmanuelNiyonshuti)

  • Changed the parameter type annotation in anyio.Path.write_bytes() to accept any ReadableBuffer, thus allowing it to accept bytearray and memoryview to match pathlib.Path.write_bytes() (#1135; PR by @​SAY-5)

  • Changed several type annotations to only accept callables returning coroutine-like objects instead of arbitrary awaitables:

    • TaskGroup.start_soon()
    • TaskGroup.start()
    • anyio.from_thread.run()

    This reverts an earlier change from v3.7.0 which was made in error. (#1153)

  • Changed anyio.run to support callables returning arbitrary awaitables at runtime on all backends. Previously, this only worked on asyncio (#1171; PR by @​gschaffner)

  • Changed several classes (and their subclasses) to have __slots__ (with __weakref__):

    • anyio.CancelScope

... (truncated)

Commits
  • c384f99 Bumped up the version
  • dbba29d Fixed 100% CPU spin on cancel scope misuse (#1217)
  • 6bbc6c3 Fix CapacityLimiter over-granting tokens on asyncio (#1172)
  • 6f82b25 Refactored TestTLSStream.test_receive_invalid_max_bytes() to be less flaky
  • be24b04 Relaxed timeouts to fix test flakiness
  • 8113506 Fix test flakiness caused by slow callback duration logging
  • 1e988b6 Fixed CapacityLimiter raising trio.WouldBlock instead of anyio.WouldBlock (#1...
  • 44713f3 Pin setup-uv to a commit sha across downstream jobs (#1213)
  • f1b7301 Fixed stderr writes in a worker subprocess causing a deadlock (#1207)
  • 212be93 Fix flaky test_tcp_listener_same_port using a hardcoded port (#1206)
  • Additional commits viewable in compare view

Updates langchain-google-genai from 4.2.2 to 4.2.7

Release notes

Sourced from langchain-google-genai's releases.

langchain-google-genai==4.2.7

Changes since libs/genai/v4.2.6

release(genai): 4.2.7 (#1881) fix(genai): handle empty items dict in array schema conversion (#1587) chore(model-profiles): refresh model profile data (#1802) chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/genai (#1857)

langchain-google-genai==4.2.6

Changes since libs/genai/v4.2.5

release(genai): 4.2.6 (#1871) fix(genai): propagate generation config fields (#1870) fix(genai): support constructor thinking config (#1869) chore: bump langsmith from 0.8.0 to 0.8.18 in /libs/genai (#1860) test(genai,vertexai,community): refresh Gemini model references (#1856) chore: bump types-google-cloud-ndb from 2.4.0.20260402 to 2.4.0.20260518 in /libs/genai (#1778) chore: bump cryptography from 46.0.7 to 48.0.1 in /libs/genai (#1851) chore: bump the major group across 1 directory with 3 updates (#1810) feat(genai,vertexai): add package version metadata (#1841) fix(genai): stop docstring cross-refs resolving to wrong class (#1839) chore(genai,vertexai): bump min version of langchain-core (#1835) test(genai): make tool-calling integration tests deterministic (#1833)

langchain-google-genai==4.2.5

Changes since libs/genai/v4.2.4

release(genai): 4.2.5 (#1831) fix(genai): merge per-request http options into chat config (#1830)

langchain-google-genai==4.2.4

Changes since libs/genai/v4.2.3

release(genai): 4.2.4 (#1815) fix(genai): fix tests (#1814) chore(genai): Update google-genai dependency to support 2.x (#1766) test(genai): force google_search use in structured-output test (#1801) chore: bump the minor-and-patch group across 1 directory with 5 updates (#1797) test(genai): fix context caching assertions, increase flaky retries (#1798) fix(genai): walrus operator precedence in v1 image/file url conversion (#1683) chore(genai): silence pytest-benchmark xdist warning (#1794)

langchain-google-genai==4.2.3

Changes since libs/genai/v4.2.2

release(genai): 4.2.3 (#1795) feat(genai): expose api_version (#1793) chore(model-profiles): refresh model profile data (#1792) chore: bump idna from 3.11 to 3.15 in /libs/genai (#1786) fix(genai): fix tests (#1785)

... (truncated)

Commits
  • 7dea1be release(genai): 4.2.7 (#1881)
  • e1572b5 fix(genai): handle empty items dict in array schema conversion (#1587)
  • a48242a chore(model-profiles): refresh model profile data (#1802)
  • 08f6171 chore: bump vcrpy from 8.1.1 to 8.2.1 in /libs/genai (#1857)
  • f7bba53 chore: bump langgraph-checkpoint from 4.0.0 to 4.1.1 in /libs/vertexai (#1872)
  • 366dd38 chore: bump langgraph-sdk from 0.3.9 to 0.3.15 in /libs/vertexai (#1873)
  • 29780ea release(genai): 4.2.6 (#1871)
  • d2fb18c fix(genai): propagate generation config fields (#1870)
  • 3086854 fix(genai): support constructor thinking config (#1869)
  • 32b18c6 chore: bump langsmith from 0.8.0 to 0.8.18 in /libs/vertexai (#1858)
  • Additional commits viewable in compare view

Updates wcmatch from 10.2.1 to 11.0

Release notes

Sourced from wcmatch's releases.

11.0

  • NEW: Reduce/combine nested EXTGLOB/EXTMATCH regular expression patterns when possible to reduce deeply nested patterns.
  • NEW: Added ZSH style numerical ranges (<0-9>) via new NUMRANGE flag.
  • BREAK: Previously, translation would have a capture group for every extended glob pattern when EXTGLOB/EXTMATCH was enabled. Due to the new feature added that reduces extended glob group nesting, groups no longer appear exactly as specified. Moving forward, capturing groups are not included by default. If you need the old behavior, it can be enabled in a translate() call via the CAPTURE flag. This flag will cause extended glob reduction to be turned off and for capturing groups to be enabled.
  • FIX: Avoid reparsing sequences that have already been deemed not valid.
  • FIX: Halt EXTGLOB/EXTMATCH parsing once an unclosed extended glob pattern is encountered.
  • FIX: Fix case where an empty string would not match a pattern targeting an empty string.
  • FIX: Ensure that consecutive stars are collapsed into a single regular expression pattern.
  • FIX: Fix parsing SPLIT not accounting for POSIX character class.
Commits
  • 6dc2a86 More efficient EXTGLOB/EXTMATCH handling (#237)
  • f488e21 Add ZSH style number ranges
  • 69a0181 Split logic should account for POSIX groups
  • ba0cf42 Ensure stars are collapsed into a single regex
  • 5ca63bb Fix empty string matching
  • b581475 Update deploy pages
  • See full diff in compare view

Updates cryptography from 48.0.0 to 49.0.0

Changelog

Sourced from cryptography's changelog.

49.0.0 - 2026-06-12


* **BACKWARDS INCOMPATIBLE:** Support for ``x86_64`` macOS has been removed.
  We now only publish ``arm64`` wheels for macOS.
* **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
  Users should move to a 64-bit Python installation.
* **BACKWARDS INCOMPATIBLE:** Removed the deprecated
  ``PUBLIC_KEY_TYPES``, ``PRIVATE_KEY_TYPES``,
  ``CERTIFICATE_PRIVATE_KEY_TYPES``, ``CERTIFICATE_ISSUER_PUBLIC_KEY_TYPES``,
  and ``CERTIFICATE_PUBLIC_KEY_TYPES`` type aliases. Use
  ``PublicKeyTypes``, ``PrivateKeyTypes``, ``CertificateIssuerPrivateKeyTypes``,
  ``CertificateIssuerPublicKeyTypes``, and ``CertificatePublicKeyTypes``
  instead. These were deprecated in version 40.0.
* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
  Attempting to encrypt or decrypt more data than the counter allows before it
  would overflow now raises a :class:`ValueError` rather than silently diverging
  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
  encrypting up to 256 GiB with a given nonce.
* **BACKWARDS INCOMPATIBLE:** Loading an X.509 certificate whose ECDSA or DSA
  signature ``AlgorithmIdentifier`` contains encoded NULL parameters now raises
  a :class:`ValueError`. Such certificates are invalid, but older versions of
  Java emitted them; previously they loaded with a deprecation warning.
* Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
  is set. The build now derives the Python include directory from
  ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
  previously caused the build to fail during cross-compilations for embedded
  systems, on hosts which have same-version Python development headers
  installed as the target Python.
* Added support for signing and verifying X.509 certificates, certificate
  signing requests, and certificate revocation lists with
  :doc:`/hazmat/primitives/asymmetric/mldsa` keys, as well as loading
  certificates that contain ML-DSA public keys.
* Added :meth:`~cryptography.hazmat.primitives.hpke.KEM.enc_length` to
  :class:`~cryptography.hazmat.primitives.hpke.KEM` so callers can split the
  encapsulated key from the ciphertext returned by
  :meth:`~cryptography.hazmat.primitives.hpke.Suite.encrypt`.
* :meth:`~cryptography.x509.verification.ExtensionPolicy.require_present`,
  :meth:`~cryptography.x509.verification.ExtensionPolicy.may_be_present`, and
  :meth:`~cryptography.x509.verification.ExtensionPolicy.require_not_present`
  now accept any extension type. Previously only a fixed set of extension
  types was supported, which made it impossible to account for otherwise
  unrecognized critical extensions during path validation.
* Added support for using :class:`~cryptography.x509.Certificate`,
  :class:`~cryptography.x509.CertificateSigningRequest`, and
  :class:`~cryptography.x509.CertificateRevocationList` as field types in
  :doc:`/hazmat/asn1/index` structures.
* Added :func:`~cryptography.hazmat.asn1.value_set`, a class decorator that
</tr></table> 

... (truncated)

Commits
  • e300bbe bump version and changelog for 49.0.0 (#15030)
  • fa74cd8 Add external mu (message representative) support for ML-DSA (#14979)
  • f594db3 chore(deps): bump openssl from 0.10.80 to 0.10.81 (#15029)
  • 608e011 chore(deps): bump openssl-sys from 0.9.116 to 0.9.117 (#15028)
  • a322bc4 chore(deps): bump cc from 1.2.63 to 1.2.64 (#15027)
  • 33181a7 Reject critical nameConstraints extensions containing directoryName constrain...
  • 6080dc7 Bump dependencies that dependabot isn't (#15026)
  • 121faa3 chore(deps): bump virtualenv from 21.4.2 to 21.4.3 (#15023)
  • 829520b Add more robust processing for DH parameters. (#15016)
  • 0f05001 Bump downstream dependencies in CI (#15025)
  • Additional commits viewable in compare view

Updates pyasn1 from 0.6.3 to 0.6.4

Release notes

Sourced from pyasn1's releases.

Release 0.6.4

This is a security release.

  • CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders. A small crafted substrate encoding many arcs could consume excessive CPU.
  • CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag IDs to 20 octets (140 bits). Unbounded tag IDs allowed a crafted substrate to consume excessive CPU and memory.
  • CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and CPU consumption in Real.__float__() for values with large base-10 exponents.
  • Pinned PyPI publish GitHub Action to an immutable commit.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.4, released 08-07-2026

  • CVE-2026-59885 (GHSA-8ppf-4f7h-5ppj): Fixed quadratic time complexity in the OBJECT IDENTIFIER and RELATIVE-OID decoders. A small crafted substrate encoding many arcs could consume excessive CPU. Arcs are now accumulated in linear time; decoded values are unchanged (thanks for reporting, tynus2)
  • CVE-2026-59884 (GHSA-m4p7-r5rc-7g4j): Limited BER long-form tag IDs to 20 octets (140 bits), matching the OID arc limit introduced in 0.6.2. Unbounded tag IDs allowed a crafted substrate to consume excessive CPU and memory; longer tag IDs are now rejected with PyAsn1Error. Also fixed Tag and TagSet repr() failing on huge tag (thanks for reporting, mikeappsec) IDs due to the integer-to-string conversion limit (Python 3.11+)
  • CVE-2026-59886 (GHSA-hm4w-wwcw-mr6r): Fixed excessive memory and CPU consumption in Real.float() for values with large base-10 exponents. Conversion no longer materializes huge intermediate integers; values too large to represent as a Python float raise OverflowError promptly, and prettyPrint() renders them as '' as before. Also fixed base-10 mantissa normalization to use exact integer arithmetic; mantissas larger than 2**53 could previously lose precision through float division (thanks for reporting, gvozdila)
  • Pinned PyPI publish GitHub Action to an immutable commit [pr #113](pyasn1/pyasn1#113)
Commits

Updates starlette from 1.2.1 to 1.3.1

Release notes

Sourced from starlette's releases.

Version 1.3.1

What's Changed

Full Changelog: Kludex/starlette@1.3.0...1.3.1

Version 1.3.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.1...1.3.0

Changelog

Sourced from starlette's changelog.

1.3.1 (June 12, 2026)

Fixed

  • Enforce max_fields and max_part_size in FormParser #3329.
  • Enforce FormParser limits in parser callbacks #3331.

1.3.0 (June 11, 2026)

Added

  • Add httpx2 to the full extra #3323.
  • Annotate the URLPath protocol parameter with Literal #3285.

Fixed

  • Build request.url from structured components #3326.
  • Clamp oversized suffix ranges in FileResponse #3307.
  • Catch OSError alongside MultiPartException when closing temp files #3191.
  • Avoid collapsing exception groups raised from user code #2830.
  • Use removeprefix to strip the weak ETag indicator in is_not_modified #3193.
  • Fix IndexError in URL.replace() on a URL with no authority #3317.
  • Adjust testclient typing and warnings #3322.
Commits
  • 8ebffd0 Version 1.3.1 (#3330)
  • 25b8e17 Enforce FormParser limits in parser callbacks (#3331)
  • dba1c4b Enforce max_fields and max_part_size in FormParser (#3329)
  • 45e51dc Use StarletteDeprecationWarning instead of DeprecationWarning (#3119)
  • 5f8610c Version 1.3.0 (#3327)
  • 167b585 Build request.url from structured components (#3326)
  • 3730925 Use removeprefix to strip weak ETag indicator in is_not_modified (#3193)
  • e6f7ad1 avoid collapsing exception groups from user code (#2830)
  • 115228f Annotate URLPath protocol parameter with Literal (#3285)
  • 113f193 docs: replace inline ASGI server list with link to canonical implemen… (#3204)
  • Additional commits viewable in compare view

Updates uvicorn from 0.47.0 to 0.51.0

Release notes

Sourced from uvicorn's releases.

Version 0.51.0

What's Changed

Full Changelog: Kludex/uvicorn@0.50.2...0.51.0

Version 0.50.1

What's Changed

New Contributors

Full Changelog: Kludex/uvicorn@0.50.0...0.50.1

Version 0.50.0

What's Changed

Full Changelog: Kludex/uvicorn@0.49.0...0.50.0

Version 0.49.0

What's Changed

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Version 0.48.0

What's Changed

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.51.0 (July 8, 2026)

Added

  • Restart workers one at a time on SIGHUP, bringing each replacement up before retiring the old worker, so reloads no longer drop requests (#3025)

Removed

  • Remove colorama from the standard extra (#3027)

0.50.2 (July 6, 2026)

Fixed

  • Require websockets>=13.0, which the default websockets-sansio implementation needs (#3021)

0.50.1 (July 6, 2026)

Fixed

  • Split comma-separated Sec-WebSocket-Protocol values in the websockets-sansio implementation (#3019)

0.50.0 (July 4, 2026)

If you use WebSockets, note that --ws auto now picks the websockets-sansio implementation. You shouldn't need it, but you can pin --ws websockets to get the deprecated legacy one back.

Changed

  • Exit with the dedicated code 3 on any startup failure: app loading, socket bind and lifespan startup errors previously exited with a mix of 0, 1 and 3 (#3001)
  • Stop the multiprocess supervisor when a worker exits with code 3 instead of restarting it forever (#3001)
  • Default --ws auto to websockets-sansio when websockets is installed (#2985)
  • Skip the eager app import in the parent process with --reload or --workers, fixing a memory regression introduced in 0.47.0 (#3012)
  • Build a fresh asgi scope dict per request (#2977)
  • Cache the asgi scope sub-dict per connection (#2976)
  • Avoid copying single-frame WebSocket payloads in websockets-sansio (#2983)
  • Memoize trusted host checks in ProxyHeadersMiddleware (#2970)
  • Replace click.style with an internal ANSI style helper (#2981)

Deprecated

  • Deprecate the legacy websockets implementation; use websockets-sansio or wsproto instead (#2985)

0.49.0 (June 3, 2026)

Changed

  • Bump httptools minimum version to 0.8.0 (#2962)
  • Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

... (truncated)

Commits
  • e4d0b05 Version 0.51.0 (#3028)
  • 944e43d Remove colorama from the standard extra (#3027)
  • 2e78770 Restart workers with overlap on SIGHUP for near-zero-downtime reloads (#3025)
  • a1b570c Version 0.50.2 (#3022)
  • 83c7da7 Require websockets>=13.0 for the default sansio implementation (#3021)
  • b4d0116 Version 0.50.1 (#3020)
  • 2a9151d Split comma-separated Sec-WebSocket-Protocol values in the websockets-sansi...
  • 1bf3ab4 Cover the excluded-directory branch in FileFilter with a direct test (#3014)
  • 837b5f9 Deflake multiprocess, reload, and signal supervisor tests (#2975)
  • 21d2c16 Version 0.50.0 (#3013)
  • Additional commits viewable in compare view

Updates sse-starlette from 3.4.4 to 3.4.5

Release notes

Sourced from sse-starlette's releases.

v3.4.5

What's Changed

Full Changelog: sysid/sse-starlette@v3.4.4...v3.4.5

Commits
  • d45e482 Bump version to 3.4.5
  • 32fbde5 Merge pull request #195 from sysid/dependabot/uv/starlette-1.3.1
  • eba4008 Merge pull request #199 from sysid/fix/test-selection
  • 8685f2f fix: test selection
  • 66c734a Merge pull request #198 from sysid/dependabot/uv/ujson-5.13.0
  • fb928d3 Merge pull request #197 from sysid/dependabot/uv/msgpack-1.2.1
  • cf620f4 Merge pull request #196 from sysid/dependabot/uv/cryptography-48.0.1
  • 4a7cd51 chore(deps): bump ujson from 5.12.1 to 5.13.0
  • 6069864 chore(deps): bump msgpack from 1.1.2 to 1.2.1
  • 9485e2b chore(deps): bump cryptography from 46.0.7 to 48.0.1
  • Additional commits viewable in compare view

Updates pypdf from 6.13.3 to 6.14.2

Release notes

Sourced from pypdf's releases.

Version 6.14.2, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.1, 2026-06-23

What's new

Security (SEC)

Full Changelog

Version 6.14.0, 2026-06-22

What's new

Security (SEC)

New Features (ENH)

Robustness (ROB)

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.14.2, 2026-06-23

Security (SEC)

  • Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (#3892)

Full Changelog

Version 6.14.1, 2026-06-23

Security (SEC)

  • Detect end of stream during inline image end marker detection (#3891)

Full Changelog

Version 6.14.0, 2026-06-22

Security (SEC)

  • Apply general limit for requested image size (#3888)
  • Speed up recovery when reading broken cross-reference table (#3887)

New Features (ENH)

  • Check whether image is displayed on a given page (#3738)

Robustness (ROB)

  • Several fixes

Full Changelog

Commits
  • 2266ee8 REL: 6.14.2
  • 5a33a46 SEC: Avoid infinite loops for incomplete ASCII85 and ASCIIHex inline images (...
  • 1ee4e58 REL: 6.14.1
  • ec3b145 SEC: Detect end of stream during inline image end marker detection (#3891)
  • c6cd82e ROB: Tolerate malformed inline image settings in _read_inline_image (#3889)
  • 0ae42ba ROB: Tolerate malformed page label entries in get_label_from_nums (#3884)
  • 50617b5 ROB: Tolerate malformed Tm operand count in extract_text (#3877)
  • 86e5a82 MAINT: Improve readability (#3874)
  • <...

    Description has been truncated

…27 updates

Bumps the all-dependencies group with 27 updates in the /libs/bog-agents directory:

| Package | From | To |
| --- | --- | --- |
| [anyio](https://github.com/agronholm/anyio) | `4.13.0` | `4.14.2` |
| [langchain-google-genai](https://github.com/langchain-ai/langchain-google) | `4.2.2` | `4.2.7` |
| [wcmatch](https://github.com/facelessuser/wcmatch) | `10.2.1` | `11.0` |
| [cryptography](https://github.com/pyca/cryptography) | `48.0.0` | `49.0.0` |
| [pyasn1](https://github.com/pyasn1/pyasn1) | `0.6.3` | `0.6.4` |
| [starlette](https://github.com/Kludex/starlette) | `1.2.1` | `1.3.1` |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.47.0` | `0.51.0` |
| [sse-starlette](https://github.com/sysid/sse-starlette) | `3.4.4` | `3.4.5` |
| [pypdf](https://github.com/py-pdf/pypdf) | `6.13.3` | `6.14.2` |
| [av](https://github.com/PyAV-Org/PyAV) | `17.1.0` | `18.0.0` |
| [pillow](https://github.com/python-pillow/Pillow) | `12.2.0` | `12.3.0` |
| [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.8.5` | `0.10.2` |
| [langchain-aws](https://github.com/langchain-ai/langchain-aws) | `1.5.0` | `1.6.2` |
| [langchain-openai](https://github.com/langchain-ai/langchain) | `1.2.1` | `1.3.5` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [pytest-socket](https://github.com/miketheman/pytest-socket) | `0.7.0` | `0.8.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.13` | `0.15.21` |
| [ty](https://github.com/astral-sh/ty) | `0.0.37` | `0.0.59` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) | `1.3.0` | `1.4.0` |
| [build](https://github.com/pypa/build) | `1.5.0` | `1.5.1` |
| [langchain-mistralai](https://github.com/langchain-ai/langchain) | `1.1.4` | `1.1.6` |
| [langchain-deepseek](https://github.com/langchain-ai/langchain) | `1.0.1` | `1.1.0` |
| [langchain-groq](https://github.com/langchain-ai/langchain) | `1.1.2` | `1.1.3` |
| [langchain-fireworks](https://github.com/langchain-ai/langchain) | `1.3.1` | `1.4.4` |
| [langchain-baseten](https://github.com/basetenlabs/langchain-baseten) | `0.2.0` | `0.2.1` |
| [datasets](https://github.com/huggingface/datasets) | `4.8.5` | `5.0.0` |
| [nltk](https://github.com/nltk/nltk) | `3.9.4` | `3.10.0` |



Updates `anyio` from 4.13.0 to 4.14.2
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Commits](agronholm/anyio@4.13.0...4.14.2)

Updates `langchain-google-genai` from 4.2.2 to 4.2.7
- [Release notes](https://github.com/langchain-ai/langchain-google/releases)
- [Commits](langchain-ai/langchain-google@libs/genai/v4.2.2...libs/genai/v4.2.7)

Updates `wcmatch` from 10.2.1 to 11.0
- [Release notes](https://github.com/facelessuser/wcmatch/releases)
- [Commits](facelessuser/wcmatch@10.2.1...11.0)

Updates `cryptography` from 48.0.0 to 49.0.0
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@48.0.0...49.0.0)

Updates `pyasn1` from 0.6.3 to 0.6.4
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.3...v0.6.4)

Updates `starlette` from 1.2.1 to 1.3.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.2.1...1.3.1)

Updates `uvicorn` from 0.47.0 to 0.51.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.47.0...0.51.0)

Updates `sse-starlette` from 3.4.4 to 3.4.5
- [Release notes](https://github.com/sysid/sse-starlette/releases)
- [Commits](sysid/sse-starlette@v3.4.4...v3.4.5)

Updates `pypdf` from 6.13.3 to 6.14.2
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.3...6.14.2)

Updates `av` from 17.1.0 to 18.0.0
- [Release notes](https://github.com/PyAV-Org/PyAV/releases)
- [Changelog](https://github.com/PyAV-Org/PyAV/blob/main/CHANGELOG.rst)
- [Commits](PyAV-Org/PyAV@v17.1.0...v18.0.0)

Updates `pillow` from 12.2.0 to 12.3.0
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@12.2.0...12.3.0)

Updates `langsmith` from 0.8.5 to 0.10.2
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.5...v0.10.2)

Updates `langchain-aws` from 1.5.0 to 1.6.2
- [Release notes](https://github.com/langchain-ai/langchain-aws/releases)
- [Commits](langchain-ai/langchain-aws@langchain-aws==1.5.0...langchain-aws==1.6.2)

Updates `langchain-openai` from 1.2.1 to 1.3.5
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-openai==1.2.1...langchain-openai==1.3.5)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `pytest-socket` from 0.7.0 to 0.8.0
- [Release notes](https://github.com/miketheman/pytest-socket/releases)
- [Changelog](https://github.com/miketheman/pytest-socket/blob/main/CHANGELOG.md)
- [Commits](miketheman/pytest-socket@0.7.0...0.8.0)

Updates `ruff` from 0.15.13 to 0.15.21
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.13...0.15.21)

Updates `ty` from 0.0.37 to 0.0.59
- [Release notes](https://github.com/astral-sh/ty/releases)
- [Changelog](https://github.com/astral-sh/ty/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ty@0.0.37...0.0.59)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

Updates `build` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/pypa/build/releases)
- [Changelog](https://github.com/pypa/build/blob/main/CHANGELOG.rst)
- [Commits](pypa/build@1.5.0...1.5.1)

Updates `langchain-mistralai` from 1.1.4 to 1.1.6
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-mistralai==1.1.4...langchain-mistralai==1.1.6)

Updates `langchain-deepseek` from 1.0.1 to 1.1.0
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-deepseek==1.0.1...langchain-deepseek==1.1.0)

Updates `langchain-groq` from 1.1.2 to 1.1.3
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-groq==1.1.2...langchain-groq==1.1.3)

Updates `langchain-fireworks` from 1.3.1 to 1.4.4
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-fireworks==1.3.1...langchain-fireworks==1.4.4)

Updates `langchain-baseten` from 0.2.0 to 0.2.1
- [Release notes](https://github.com/basetenlabs/langchain-baseten/releases)
- [Commits](basetenlabs/langchain-baseten@libs/baseten/v0.2.0...libs/baseten/v0.2.1)

Updates `datasets` from 4.8.5 to 5.0.0
- [Release notes](https://github.com/huggingface/datasets/releases)
- [Commits](huggingface/datasets@4.8.5...5.0.0)

Updates `nltk` from 3.9.4 to 3.10.0
- [Release notes](https://github.com/nltk/nltk/releases)
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.4...v3.10.0)

---
updated-dependencies:
- dependency-name: anyio
  dependency-version: 4.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langchain-google-genai
  dependency-version: 4.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: wcmatch
  dependency-version: '11.0'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: cryptography
  dependency-version: 49.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: pyasn1
  dependency-version: 0.6.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: uvicorn
  dependency-version: 0.51.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: sse-starlette
  dependency-version: 3.4.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: pypdf
  dependency-version: 6.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: av
  dependency-version: 18.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: pillow
  dependency-version: 12.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langsmith
  dependency-version: 0.10.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langchain-aws
  dependency-version: 1.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langchain-openai
  dependency-version: 1.3.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: pytest-socket
  dependency-version: 0.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: ruff
  dependency-version: 0.15.21
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: ty
  dependency-version: 0.0.59
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: build
  dependency-version: 1.5.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: langchain-mistralai
  dependency-version: 1.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: langchain-deepseek
  dependency-version: 1.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langchain-groq
  dependency-version: 1.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: langchain-fireworks
  dependency-version: 1.4.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: langchain-baseten
  dependency-version: 0.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: datasets
  dependency-version: 5.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: nltk
  dependency-version: 3.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants