Update all dependencies

[red-hat-konflux]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout (changelog)	action	digest	8e8c483 → de0fac2
astral-sh/ruff-pre-commit	repository	patch	v0.15.12 → v0.15.15
astral-sh/setup-uv (changelog)	action	digest	803947b → 37802ad
gunicorn (changelog)	project.dependencies	major	>=25,<25.2 → >=26,<26.1
pre-commit/mirrors-mypy	repository	major	v1.20.2 → v2.1.0
quay.io/fedora/python-313	final	major	20260319 → 20260529
renovatebot/pre-commit-hooks	repository	minor	43.150.0 → 43.205.2
stomp.py	project.dependencies	major	>=8.1.2,<9.0 → >=9,<9.1

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

astral-sh/ruff-pre-commit (astral-sh/ruff-pre-commit)

v0.15.15

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.15.15

v0.15.14

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.15.14

v0.15.13

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.15.13

benoitc/gunicorn (gunicorn)

v26.0.0

Compare Source

Breaking Changes

• Eventlet worker removed: The eventlet worker class has been dropped. Migrate to gevent, gthread, or tornado.

New Features

• ASGI Framework Compatibility Suite: New end-to-end compatibility test harness covering Starlette, FastAPI, Litestar, Quart, Sanic, and BlackSheep. Current grid passes 438/444 tests (98%).
• ASGI Test Suite Expansion: 134 additional ASGI unit tests covering protocol semantics, lifespan, websockets, and chunked framing.

Security

• HTTP/1.1 Request-Target Validation (RFC 9112 sections 3.2.3, 3.2.4):
  • Reject authority-form request-target outside CONNECT
  • Reject asterisk-form request-target outside OPTIONS
  • Reject relative-reference request-targets
• Header Field Hardening (RFC 9110):
  • Reject control characters in header field-value (section 5.5)
  • Reject forbidden trailer field-names (section 6.5.1)
  • Reject Content-Length list form (RFC 9112 section 6.3)
• Request Smuggling Hardening:
  • Tighten keepalive gate and scope finish_body byte cap
  • Keep _body_receiver alive across the keepalive smuggling gate so pipelined requests cannot re-enter a closed body
  • Address parser/protocol findings from a six-point WSGI/ASGI audit
• PROXY Protocol (ASGI): Enforce proxy_allow_ips and tighten v1/v2 parsing in the ASGI callback parser.
• Connection Draining: Drain the connection on close per RFC 9112 section 9.6 to prevent reset-on-close truncation.

Bug Fixes

• Body Framing on HEAD/204/304:
  • Keep Content-Length on HEAD and 304 responses (#​3621)
  • Drop body framing on HEAD/204/304 even when the framework set it
  • Warn once when an ASGI app emits a body for a no-body response
• HTTP/2 ASGI:
  • Fix _handle_stream_ended to set _body_complete in the async HTTP/2 handler so request bodies finalize correctly on stream end
  • Add InvalidChunkExtension mapping and fast-parser support in ASGI tests (#​3565)
• HTTP/1.1 100-Continue: Stop adding Transfer-Encoding: chunked to 100-Continue interim responses.
• WebSocket Close Handshake (RFC 6455):
  • Comply with the close handshake state machine
  • Close the transport after the close handshake completes
  • Fix binary send when the text key is None
• Early Hints: Validate headers in the early_hints callback to match process_headers; pass only the header name to InvalidHeader (#​3588).
• ASGI Framework Fixes:
  • Fix ASGI disconnect handling for Django-style apps
  • Fix Litestar request handling (use raw ASGI receive for body/headers)
  • Fix Litestar HTTP endpoints for compatibility tests
  • Fix Quart headers endpoint to normalize keys to lowercase
  • Fix Quart WebSocket close test app (missing accept())
  • Fix duplicate Transfer-Encoding header for BlackSheep streaming

Refactoring

• Split BodyReceiver._closed into separate transport and body-wait flags for clearer keepalive/EOF semantics.

Changes

• Fast HTTP Parser: Require gunicorn_h1c >= 0.6.5. Drop the last python_only test markers; the C extension is now used wherever available (CPython only; PyPy continues to use the Python parser).
• Test Dependencies: Add h2 and uvloop to the testing extra; remove eventlet.
• Docker Build: Bump GitHub Actions docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/build-push-action, and docker/metadata-action to current major versions.

Full changelog: benoitc/gunicorn@25.3.0...26.0.0

v25.3.0: Gunicorn 25.3.0

Compare Source

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
  ASGI requests, causing JSON parsing errors with "Extra data" messages
  (#​3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
  chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string
  instead of list syntax (#​3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112
  (#​3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented,
  instead of using default maximum. Works with both Python and fast C parser.
  (#​3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
  and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

v25.2.0: Gunicorn 25.2.0

Compare Source

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#​3552, PR #​3554)

• FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to FileWrapper for full PEP 3333 compliance. (#​3396, PR #​3550)

Performance

• ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
  • Callback-based parsing with direct bytearray buffer operations
  • Use bytearray.find() directly instead of converting to bytes first
  • Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs O(n))

pre-commit/mirrors-mypy (pre-commit/mirrors-mypy)

v2.1.0

Compare Source

v2.0.0

Compare Source

renovatebot/pre-commit-hooks (renovatebot/pre-commit-hooks)

v43.205.2

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.205.2 for more changes

v43.205.1

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.205.1 for more changes

v43.205.0

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.205.0 for more changes

v43.204.1

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.204.1 for more changes

v43.204.0

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.204.0 for more changes

v43.203.0

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.203.0 for more changes

v43.202.1

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.202.1 for more changes

v43.202.0

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.202.0 for more changes

v43.201.3

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.201.3 for more changes

v43.201.2

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.201.2 for more changes

v43.201.1

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.201.1 for more changes

v43.200.1

Compare Source

See https://github.com/renovatebot/renovate/releases/tag/43.200.1 for more changes

jasonrbriggs/stomp.py (stomp.py)

v9.0.0

Compare Source

• Update to docopt-ng (as per issue #​442)
• Pass ssl version from ssl_params (#​440)
• Use single thread for IO when using TLS (https://codeberg.org/jasonrbriggs/stomp.py/pulls/452, original github issue: #​450)
• Added SSL error message from cert validation to log warning (https://codeberg.org/jasonrbriggs/stomp.py/pulls/449)
• Rename stomp.logging to stomp.log, since python doesn't "like" overloading the logging module

v8.3.0

Compare Source

• Yanked because of the change from "logging" to "log" which is obviously not backwards compatible.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.