deps(deps): bump the python-minor-and-patch group with 11 updates

[dependabot]

Bumps the python-minor-and-patch group with 11 updates:

Package	From	To
numpy	2.4.4	2.4.5
django-denorm-iplweb	1.10.2	1.11.1
django-reversion	6.1.0	6.2.0
requests	2.34.0	2.34.2
django-multiseek	0.9.49	0.10.1
django-formtools	2.5.1	2.6.1
django-site-blog	0.2.0	0.2.1
django-first-run-wizard	0.1.0	0.1.1
ruff	0.15.12	0.15.13
pytest-testcontainers-django	0.2.1	0.2.2
django-dev-helpers	0.1.10	0.1.11

Updates numpy from 2.4.4 to 2.4.5

Release notes

Sourced from numpy's releases.

v2.4.5 (May 15, 2026)

NumPy 2.4.5 Release Notes

NumPy 2.4.5 is a patch release that fixes bugs discovered after the 2.4.4 release, has some typing improvements, and maintains infrastructure.

This release supports Python versions 3.11-3.14

Contributors

A total of 17 people contributed to this release. People with a "+" by their names contributed a patch for the first time.

• Aleksei Nikiforov
• Anarion Zuo +
• Ankit Ahlawat
• Breno Favaretto +
• Charles Harris
• Igor Krivenko +
• Ijtihed Kilani +
• Joren Hammudoglu
• Maarten Baert +
• Matti Picus
• Nathan Goldbaum
• Praneeth Kodumagulla +
• Ralf Gommers
• RoomWithOutRoof +
• Sebastian Berg
• Warren Weckesser
• div +

Pull requests merged

A total of 28 pull requests were merged for this release.

• #31093: MAINT: Prepare 2.4.x for further development
• #31182: TYP: fix np.shape assignability issue for python lists (#31171)
• #31197: ENH: Return rank 0 for empty matrices in matrix_rank (#30422)
• #31198: CI/BUG: add native jobs for s390x, fix bug in pack_inner...
• #31199: BUG: f2py map complex_long_double to NPY_CLONGDOUBLE
• #31205: MAINT: f2py: Stop setting re._MAXCACHE to 50.
• #31206: BUG: fix heap buffer overflow in timedelta to string casts
• #31207: MAINT: Rename ppc64le and s390x workflow (#31121)
• #31208: BUG: Fix matvec/vecmat in-place aliasing (out=input produces...
• #31209: TYP: tile: accept numpy scalars and arrays as second argument...
• #31211: DEP: Undo deprecation for np.dtype() signature used by old pickles...
• #31212: REV: Manual revert of float16 svml use (#31178)
• #31222: TYP: ix_ fix for boolean and non-1d input (#31218)
• #31329: BUG: incorrect temp elision for new-style (NEP 43) user-defined...
• #31330: TYP: fix sliding_window_view axis parameter typing

... (truncated)

Commits

• 26e8185 Merge pull request #31441 from charris/prepare-2.4.5
• 573110c REL: Prepare for the NumPy 2.4.5 release.
• be6123a Merge pull request #31426 from jorenham/backport-31425
• a286f52 TYP: Fix DTypeLike runtime type-checker support
• f880727 Merge pull request #31404 from charris/backport-31399
• 626d469 Merge pull request #31402 from charris/backport-31397
• a42bd48 Merge pull request #31401 from charris/backport-31396
• 207ad05 TYP: _NestedSequence type parameter default to work around a mypy issue (#3...
• 309b637 BUG: exclude pycache directories from wheels (#31397)
• 8ded93c BUG: Avoid UB in safe_[add,sub,mul] helpers (#31396)
• Additional commits viewable in compare view

Updates django-denorm-iplweb from 1.10.2 to 1.11.1

Release notes

Sourced from django-denorm-iplweb's releases.

1.11.0 — race conditions & deadlock handling

Bug fixes (race conditions & deadlocks in the flush pipeline)

Reported symptom: OperationalError: deadlock detected leaking from denorm_queue workers under concurrent load. Root-cause audit produced 13 distinct test reproducers under a real Postgres via pytest-testcontainers-django; all 15 tests now pass.

• flush_single now retries on Postgres 40001 / 40P01 with exponential backoff + jitter via the new denorm.retry_on_serialization_failure decorator. Skips retry when already inside an outer transaction.atomic() because Postgres aborts the whole top-level tx and SAVEPOINT rollback can't recover it — callers in that situation should wrap their outer atomic in the same decorator.

• Lock and delete only the DirtyInstance PKs we explicitly claimed in flush_single (was: re-evaluate the queryset at delete time, silently wiping rows inserted by triggers during obj.save() or by another worker).

• Distinguish "row is locked elsewhere" from "row truly gone" in flush_single's DoesNotExist branch — orphan markers are now cleaned up instead of churning through every future flush cycle.

• Replace suppress_autotime() with update_fields exclusion. The old approach mutated class-level Field.auto_now and leaked across threads in the same process, silently dropping timestamp updates on concurrent saves.

• flush_via_queue dedupes the fan-out: one Celery subtask per distinct (content_type, object_id) via Min(pk), not per DirtyInstance row.

• DirtyInstance.content_object_for_update uses skip_locked=True — contending workers skip the row instead of blocking on it.

• denorm_queue command survives connection loss (DB restart, pg_terminate_backend, pooler reconnect, network blip) via a reconnect-with-backoff wrapper around the LISTEN/poll loop.

• DenormMiddleware stops swallowing DatabaseError — with retry now internal to flush_single, anything that still raises is retry-exhausted or non-retryable and must surface to the caller.

• New migration 0017_dirtyinstance_unique_index: functional unique index on (content_type_id, COALESCE(object_id, -1), COALESCE(func_name, '')). Activates the previously-dead EXCEPTION WHEN unique_violation handler in TriggerActionInsert; enables ignore_conflicts=True in rebuild_instances_of for concurrent rebuild idempotency.

New public API

from denorm import retry_on_serialization_failure
@​retry_on_serialization_failure
def transfer_funds(...):
with transaction.atomic():
# any code whose denorm triggers might deadlock
...

Compatibility

The unique index in migration 0017 deletes pre-existing duplicate DirtyInstance rows (a.id < b.id AND content_type_id = AND object_id IS NOT DISTINCT FROM AND func_name IS NOT DISTINCT FROM) before creating the index. No data loss for live operation — duplicate rows represented the same "dirty" state. Run python manage.py migrate denorm after upgrading.

Changelog

Sourced from django-denorm-iplweb's changelog.

1.11.1

• fix: denorm.tasks.flush_single is now keyed by the logical (content_type_id, object_id) pair instead of a representative DirtyInstance pk. Previously, if the captured marker was deleted by a concurrent flush path between flush_via_queue enqueue and task execution, and a fresh marker for the same pair was inserted in the meantime, the queued task aborted on DoesNotExist and the new marker was orphaned until the next flush cycle.
• fix: denorm/templates/denorm/dirty_instances_count.html is now included in the built wheel via [tool.setuptools.package-data]. Without it, dirty_instances_count raised TemplateDoesNotExist for users installing from PyPI.
• CI: tests/test_deadlocks.py (deadlock and race-regression suite) is now executed by tox alongside the existing test_app suite.

1.11.0

• Fix race conditions and deadlock handling in the flush pipeline (retry on serialization failures, deletion-by-pk after select_for_update, deduplicated subtask fan-out, no global Field.auto_now mutation during flush).
• Add dirty_instances_count view with a configurable access policy (DENORM_DIRTY_INSTANCES_VIEW_ACCESS = staff / authenticated / public).

Commits

• a59e677 bump version 1.11.0 -> 1.11.1
• 85025e4 Fix flush_via_queue race, missing template in wheel, and wire deadlock tests ...
• dc30922 bump version 1.10.2 -> 1.11.0
• d58d6d0 Fix race conditions and deadlock handling in flush pipeline
• f10770c Add dirty_instances_count view with configurable access policy
• See full diff in compare view

Updates django-reversion from 6.1.0 to 6.2.0

Release notes

Sourced from django-reversion's releases.

v6.2.0

What's Changed

• Add explicit Django versions to classifiers by @​Michael-Deveau in etianen/django-reversion#995
• Added tests for Django 6.0 by @​etianen in etianen/django-reversion#996
• Feature: add custom object id field by @​philippeducasse in etianen/django-reversion#999

New Contributors

• @​Michael-Deveau made their first contribution in etianen/django-reversion#995
• @​philippeducasse made their first contribution in etianen/django-reversion#999

Full Changelog: etianen/django-reversion@v6.1.0...v6.2.0

Changelog

Sourced from django-reversion's changelog.

6.2.0 - 2026-05-12

• Added object_id_field to reversion.register() (@​philippeducasse).

Commits

• cfbba63 v6.2.0
• 9d31110 Merge pull request #999 from philippeducasse/feat/object-id-field
• 7d81001 docs: document object_id_field parameter in register()
• d27560a perf: skip db query when object_id_field is pk in admin views
• b1e3f67 refactor: resolve object_id_field to concrete field at registration
• d5c51ae fix: linting error
• e13bb70 fix: apply object_id_field to get_deleted and get_for_object
• d3fbf84 fix: refactored code to simplify logic
• 9d0936f test: move CustomObjectId admin registration to setUp/tearDown
• eedcbef style: fix flake8 line length and blank line issues
• Additional commits viewable in compare view

Updates requests from 2.34.0 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• See full diff in compare view

Updates django-multiseek from 0.9.49 to 0.10.1

Changelog

Sourced from django-multiseek's changelog.

0.10.1

multiseek core:

• MultiseekRegistry.get_query_recursive no longer flags a clause with impacts_query() == False (e.g. CONTAINS with an empty value) as an UnknownOperation error. It's now a silent no-op, matching what the semantics always claimed. Previously users saw an "Errors occurred" banner the moment they clicked Send Query on the default empty field.
• UnknownOperation raised in parse_field now includes the list of valid operators for the offending field, instead of just naming the invalid one.
• Parse failures inside get_query_recursive are logged at WARNING with exc_info=True so the server log shows traceback / context instead of a bare UnknownOperation().

Example projects (under examples/, not shipped on PyPI):

• Four runnable reference frontends — Foundation 6 + jQuery (vendored), Bootstrap 5 + jQuery, Bootstrap 5 + Alpine.js, and pure htmx — plus a run_example.sh setup/run/test helper at the repo root.
• Each ships a manage.py fetch_assets command that downloads its JS/CSS dependencies into static/multiseek/vendor/ so the demos don't depend on public CDNs at runtime (and CI doesn't fail when an egress is blocked).
• Playwright smoke tests for every variant.

0.10.0

Security & correctness:

• CSRF protection enforced on /results/ and /save_form/. Previously every multiseek URL was wrapped in csrf_exempt. Downstream projects with custom templates must include {% csrf_token %} and surface the token to their JS layer. The bundled templates handle this automatically.
• Concurrency race fixed on the cached MultiseekRegistry: parse errors no longer live on shared instance state. get_query() and get_query_for_model() accept an optional errors= list parameter. Backwards compatible for callers that ignore it.
• XSS escape in describe_multiseek_data(): user-supplied prev_op and operator are HTML-escaped before being inlined into the description rendered with |safe. StringQueryObject.value_for_description now returns a SafeString.
• URL routing: load_form/<pk> no longer accepts trailing path segments. All url()/re_path patterns migrated to path() with <int:> converters where applicable.
• Manual-exclusion list-full returns HTTP 400 (Bad Request) instead of 403 (Forbidden).

... (truncated)

Commits

• 16defa0 Bump version 0.10.0 -> 0.10.1
• 54bfc09 HISTORY.rst entry for 0.10.1; ruff format on logic.py
• 3ddc666 Document examples/ + run_example.sh in README
• 06b8ce6 Add run_example.sh — set up / run / test the example projects
• d88e9dc Untrack bootstrap vendor JS/CSS (accidentally committed last round)
• 8947247 Add fetch_assets command + switch every example to local frontend deps
• dca3c8c htmx: add Sort by + Report type UI
• 34374c0 Make "report type" actually change the rendering
• 2b85779 Load select2 in Foundation + Bootstrap examples — autocomplete now works
• ca9350d Richer demo dataset + real htmx autocomplete (no degradation)
• Additional commits viewable in compare view

Updates django-formtools from 2.5.1 to 2.6.1

Changelog

Sourced from django-formtools's changelog.

2.6.1 (2026-05-16)

• Add missing .mo files for translations updated in 2.6

• Add support for Django 6.0

2.6 (2026-05-16)

• Fix form validation in default templates (#265)

• Exclude tests from wheels

• Improved performance when using condition_dict (#291)

• Dropped support for Python < 3.9 and Django < 4.2

• Added support for Django 5.1/5.2

• Updated translations

Commits

• cd973c0 Updated Changelog for the 2.6.1 release
• 4f0c2b3 Add support for Django 6.0
• 20a4b80 Add forgotten .mo files when updating translations
• 71ae863 Updated Changelog for the 2.6 release
• 58c65e4 Updated translations from Tranifex
• a68af7b Add test to cover cached data
• a26136a Possibly more widely-applicable fix
• d0083b4 Fix edge case with popping form_list
• b20f8b5 Formatting
• d879b9b Improve formatting
• Additional commits viewable in compare view

Updates django-site-blog from 0.2.0 to 0.2.1

Changelog

Sourced from django-site-blog's changelog.

[0.2.1] - 2026-05-13

Added

• ArticleQuerySet.published() and ArticleQuerySet.visible_on_site(site), exposed via Article.objects as chainable methods. Centralizes the inverted-M2M visibility query so list / detail / feed views can share one implementation without re-deriving it (and without accidentally reaching for Article.on_site, which drops "visible everywhere" articles). visible_on_site() accepts a Site instance or its primary key.

Changed

• ArticleDetailView.get_queryset and the demo HomeListView both switched to Article.objects.published().visible_on_site(site), so the two views share a single source of truth for the visibility semantics.

Documentation

• README: corrected django-model-utils version range to >=5,<6 (matches pyproject.toml; the 0.2.0 release notes already documented the bump but the version table was missed). Rewrote the "How site assignment works" section around get_current_site(request) instead of the obsolete direct-SITE_ID example, and showcased the new chained queryset API. Added a "Security — trust boundary on article_body" section calling out the |safe rendering path.

Fixed

• Article.article_body admin help text: removed "displaythe" concatenation typo (missing space between two adjacent translatable string literals). Same correction applied to the frozen help text in 0001_initial; the migration change is state-only (no SQL effect).

Commits

• 57f8ae2 chore(release): 0.2.1 — centralized queryset + doc fixes
• See full diff in compare view

Updates django-first-run-wizard from 0.1.0 to 0.1.1

Changelog

Sourced from django-first-run-wizard's changelog.

[0.1.1] - 2026-05-13

Fixed

• AdminUserCreationForm now passes an unsaved User(username=…, email=…) instance to password_validation.validate_password() so UserAttributeSimilarityValidator actually fires — previously a password identical to the username silently passed. This matches the contract used by django.contrib.auth.forms.UserCreationForm, the Django admin, and the createsuperuser management command.

Changed

• Example project (example/example_project/settings.py) now ships the Django default AUTH_PASSWORD_VALIDATORS (UserAttributeSimilarity, MinimumLength, CommonPassword, NumericPassword) so the wizard's first- superuser step enforces the same rules out of the box.

Infrastructure

• Test settings (tests/settings.py) gained the same default AUTH_PASSWORD_VALIDATORS block, and the suite now exercises too-short-password and password-equals-username rejection paths.

Commits

• 33ef8db Release 0.1.1: enforce AUTH_PASSWORD_VALIDATORS in admin-user step
• d55cdae Modernize GH Actions: Node 24 runtime + correct uv cache key
• b9d1a02 Fix CI: install gettext + format the auto-generated migration
• See full diff in compare view

Updates ruff from 0.15.12 to 0.15.13

Release notes

Sourced from ruff's releases.

0.15.13

Release Notes

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.13

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

• @​MichaReiser

... (truncated)

Commits

• 2afb467 Bump 0.15.13 (#25157)
• 3008796 [ty] classify TypeVar semantic tokens as type parameters (#24891)
• 79470e3 [isort] Avoid constructing glob::Patterns for literal known modules (#25123)
• 2522549 Remove shellcheck from prek (#25154)
• 7db7170 [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
• bb3dd53 [ty] Run full iteration analysis on narrowed typevars (#25143)
• 828cdb7 [ty] Isolate file-watching test environment (#25151)
• 89e1d86 [ty] Preserve TypedDict keys through dict unpacking (#24523)
• 86f3064 [ty] Avoid accessing args[0] for static_assert (#25149)
• ed819f9 [ty] Treat custom enum __new__ values as dynamic (#25136)
• Additional commits viewable in compare view

Updates pytest-testcontainers-django from 0.2.1 to 0.2.2

Changelog

Sourced from pytest-testcontainers-django's changelog.

[0.2.2] - 2026-05-14

Fixed

• Serial (no--n) pytest runs no longer connect to the developer's local Postgres port instead of the testcontainer port. Root cause: the rootdir-conftest preload (the mechanism that lets register() calls run before pytest-django's hook) can transitively touch django.conf.settings at module top level — e.g. a BPP-style from django.utils.translation import activate in conftest.py. That triggers Django's lazy Settings to bind before we inject the container's host/port into os.environ, freezing DATABASES["default"]["PORT"] to whatever the developer's .env or shell had set (commonly 5432). Pytest-django's later django.setup() reused that stale cache, so tests opened psycopg connections to the wrong port. pytest-xdist runs accidentally hid the bug because workers are fresh subprocesses that re-import everything against the injected env. Fix: after inject() succeeds, evict the cached LazySettings._wrapped and drop the user's settings sub-package from sys.modules, so the next access (pytest-django's django.setup()) re-imports module-level code with the now-corrected environment.

Commits

• 7e3aecc Release 0.2.2: reset Django settings cache after env injection
• See full diff in compare view

Updates django-dev-helpers from 0.1.10 to 0.1.11

Changelog

Sourced from django-dev-helpers's changelog.

[0.1.11] — 2026-05-13

Added

• New django_dev_helpers.allowed_hosts.inject_allowed_hosts() reads the DEV_HELPERS_ALLOWED_HOSTS env var (comma-separated list set by run-site >= 0.13.0 when binding to a non-loopback address) and unions the entries into settings.ALLOWED_HOSTS from AppConfig.ready(). Lets the dev server be reached from phones / other LAN devices without per-project ALLOWED_HOSTS edits. Idempotent, gated by is_active(), and a no-op when settings already contain * or the var is unset.

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions