fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
anyio (changelog)	==4.11.0 → ==4.12.1				minor
asttokens	==3.0.0 → ==3.0.1				patch
attrs (changelog)	==25.3.0 → ==25.4.0				minor
babel (source)	==2.17.0 → ==2.18.0				minor
cems-nuclei	==3.0.1 → ==3.2.0				minor
certifi	==2025.8.3 → ==2025.11.12				minor
charset-normalizer (changelog)	==3.4.3 → ==3.4.4				patch
click (changelog)	==8.3.0 → ==8.3.1				patch
docutils (changelog)	==0.21.2 → ==0.22.4				minor
duckdb (changelog)	==1.4.0 → ==1.4.4				patch
fonttools	==4.60.0 → ==4.61.1				minor
idna (changelog)	==3.10 → ==3.11				minor
iniconfig	==2.1.0 → ==2.3.0				minor
ipython	==9.1.0 → ==9.10.0			project.optional-dependencies	minor
ipython	==9.1.0 → ==9.10.0				minor
jiter	==0.11.0 → ==0.13.0				minor
jsonschema (changelog)	==4.25.1 → ==4.26.0				minor
jupyter-core	==5.8.1 → ==5.9.1				minor
loro	==1.8.1 → ==1.10.3				minor
marimo	>0.14,<0.15 → >0.19,<0.20			project.optional-dependencies	minor
marimo	==0.14.17 → ==0.19.11				minor
markdown (changelog)	==3.9 → ==3.10.2				minor
markupsafe (changelog)	==3.0.2 → ==3.0.3				patch
matplotlib	==3.10.6 → ==3.10.8				patch
matplotlib-inline	==0.1.7 → ==0.2.1				minor
micropip	==0.10.1 → ==0.11.0				minor
narwhals	==2.5.0 → ==2.16.0				minor
numpy (changelog)	==2.3.3 → ==2.4.2				minor
orjson (changelog)	==3.11.3 → ==3.11.7				patch
pandas	==2.3.2 → ==2.3.3				patch
parso	==0.8.5 → ==0.8.6				patch
platformdirs (changelog)	==4.4.0 → ==4.9.2				minor
polars (changelog)	==1.33.1 → ==1.38.1				minor
psutil	==7.1.0 → ==7.2.2				minor
pydantic (changelog)	==2.11.9 → ==2.12.5				minor
pydantic-core	==2.33.2 → ==2.41.5				minor
pyjwt	==2.10.1 → ==2.11.0				minor
pymdown-extensions	==10.16.1 → ==10.21				minor
pyparsing	==3.2.5 → ==3.3.2				minor
python	3.13 → 3.14			uses-with	minor
pyyaml (source)	==6.0.2 → ==6.0.3				patch
referencing (changelog)	==0.36.2 → ==0.37.0				minor
rpds-py	==0.27.1 → ==0.30.0				minor
ruff (source, changelog)	==0.13.1 → ==0.15.1				minor
sphinx-autodoc-typehints (changelog)	==3.1.0 → ==3.6.3			project.optional-dependencies	minor
sphinx-autodoc-typehints (changelog)	==3.1.0 → ==3.6.3				minor
sphinx-rtd-theme	==3.0.2 → ==3.1.0			project.optional-dependencies	minor
sphinx-rtd-theme	==3.0.2 → ==3.1.0				minor
sqlglot	==27.17.0 → ==27.29.0				minor
starlette (changelog)	==0.48.0 → ==0.52.1				minor
tomlkit	==0.13.3 → ==0.14.0				minor
tqdm (changelog)	==4.67.1 → ==4.67.3				patch
typing-inspection (changelog)	==0.4.1 → ==0.4.2				patch
tzdata	==2025.2 → ==2025.3				minor
urllib3 (changelog)	==2.5.0 → ==2.6.3				minor
uvicorn (changelog)	==0.37.0 → ==0.41.0				minor
wcwidth	==0.2.14 → ==0.6.0				minor

---

Release Notes

agronholm/anyio (anyio)

v4.12.1

Compare Source

• Changed all functions currently raising the private NoCurrentAsyncBackend exception (since v4.12.0) to instead raise the public NoEventLoopError exception (#​1048)
• Fixed anyio.functools.lru_cache not working with instance methods (#​1042)

v4.12.0

Compare Source

• Added support for asyncio's task call graphs on Python 3.14 and later when using AnyIO's task groups (#​1025)
• Added an asynchronous implementation of the functools module (#​1001)
• Added support for uvloop=True on Windows via the winloop implementation (#​960; PR by @​Vizonex)
• Added support for use as a context manager to anyio.lowlevel.RunVar (#​1003)
• Added __all__ declarations to public submodules (anyio.lowlevel etc.) (#​1009)
• Added the ability to set the token count of a CapacityLimiter to zero (#​1019; requires Python 3.10 or later when using Trio)
• Added parameters case_sensitive and recurse_symlinks along with support for path-like objects to anyio.Path.glob() and anyio.Path.rglob() (#​1033; PR by @​northisup)
• Dropped sniffio as a direct dependency and added the get_available_backends() function (#​1021)
• Fixed Process.stdin.send() not raising ClosedResourceError and BrokenResourceError on asyncio. Previously, a non-AnyIO exception was raised in such cases (#​671; PR by @​gschaffner)
• Fixed Process.stdin.send() not checkpointing before writing data on asyncio (#​1002; PR by @​gschaffner)
• Fixed a race condition where cancelling a Future from BlockingPortal.start_task_soon() would sometimes not cancel the async function (#​1011; PR by @​gschaffner)
• Fixed the presence of the pytest plugin causing breakage with older versions of pytest (<= 6.1.2) (#​1028; PR by @​saper)
• Fixed a rarely occurring RuntimeError: Set changed size during iteration while shutting down the process pool when using the asyncio backend (#​985)

gristlabs/asttokens (asttokens)

v3.0.1

Compare Source

python-attrs/attrs (attrs)

v25.4.0

Compare Source

Backwards-incompatible Changes

• Class-level kw_only=True behavior is now consistent with dataclasses.

  Previously, a class that sets kw_only=True makes all attributes keyword-only, including those from base classes.
  If an attribute sets kw_only=False, that setting is ignored, and it is still made keyword-only.

  Now, only the attributes defined in that class that doesn't explicitly set kw_only=False are made keyword-only.

  This shouldn't be a problem for most users, unless you have a pattern like this:

  @​attrs.define(kw_only=True)
  class Base:
      a: int
      b: int = attrs.field(default=1, kw_only=False)
  
  @​attrs.define
  class Subclass(Base):
      c: int

  Here, we have a kw_only=True attrs class (Base) with an attribute that sets kw_only=False and has a default (Base.b), and then create a subclass (Subclass) with required arguments (Subclass.c).
  Previously this would work, since it would make Base.b keyword-only, but now this fails since Base.b is positional, and we have a required positional argument (Subclass.c) following another argument with defaults.
  #​1457

Changes

• Values passed to the __init__() method of attrs classes are now correctly passed to __attrs_pre_init__() instead of their default values (in cases where kw_only was not specified).
  #​1427

• Added support for Python 3.14 and PEP 749.
  #​1446,
  #​1451

• attrs.validators.deep_mapping() now allows to leave out either key_validator xor value_validator.
  #​1448

• attrs.validators.deep_iterator() and attrs.validators.deep_mapping() now accept lists and tuples for all validators and wrap them into a attrs.validators.and_().
  #​1449

• Added a new experimental way to inspect classes:

  attrs.inspect(cls) returns the effective class-wide parameters that were used by attrs to construct the class.

  The returned class is the same data structure that attrs uses internally to decide how to construct the final class.
  #​1454

• Fixed annotations for attrs.field(converter=...).
  Previously, a tuple of converters was only accepted if it had exactly one element.
  #​1461

• The performance of attrs.asdict() has been improved by 45–260%.
  #​1463

• The performance of attrs.astuple() has been improved by 49–270%.
  #​1469

• The type annotation for attrs.validators.or_() now allows for different types of validators.

  This was only an issue on Pyright.
  #​1474

python-babel/babel (babel)

v2.18.0

Compare Source

Happy 2026! This release is, coincidentally, also being made from FOSDEM.

We will aspire for a slightly less glacial release cadence in this year;
there are interesting features in the pipeline.

Features

* Core: Add `babel.core.get_cldr_version()` by @​akx in :gh:`1242`
* Core: Use CLDR 47 by @​tomasr8 in :gh:`1210`
* Core: Use canonical IANA zone names in zone_territories by @​akx in :gh:`1220`
* Messages: Improve extract performance via ignoring directories early during os.walk by @​akx in :gh:`968`
* Messages: Merge in per-format keywords and auto_comments by @​akx in :gh:`1243`
* Messages: Update keywords for extraction of dpgettext and dnpgettext by @​mardiros in :gh:`1235`
* Messages: Validate all plurals in Python format checker by @​tomasr8 in :gh:`1188`
* Time: Use standard library `timezone` instead of `FixedOffsetTimezone` by @​akx in :gh:`1203`

Bugfixes

• Core: Fix formatting for "Empty locale identifier" exception added in #​1164 by @​akx in :gh:1184
• Core: Improve handling of no-inheritance-marker in timezone data by @​akx in :gh:1194
• Core: Make the number pattern regular expression more efficient by @​akx in :gh:1213
• Messages: Keep translator comments next to the translation function call by @​akx in :gh:1196
• Numbers: Fix KeyError that occurred when formatting compact currencies of exactly one thousand in several locales by @​bartbroere in :gh:1246

Other improvements

* Core: Avoid unnecessary uses of `map()` by @​akx in :gh:`1180`
* Messages: Have init-catalog create directories too by @​akx in :gh:`1244`
* Messages: Optimizations for read_po by @​akx in :gh:`1200`
* Messages: Use pathlib.Path() in catalog frontend; improve test coverage by @​akx in :gh:`1204`

Infrastructure and documentation

• CI: Renovate CI & lint tools by @​akx in :gh:1228
• CI: Tighten up CI with Zizmor by @​akx in :gh:1230
• CI: make job permissions explicit by @​akx in :gh:1227
• Docs: Add SECURITY.md by @​akx in :gh:1229
• Docs: Remove u string prefix from docs by @​verhovsky in :gh:1174
• Docs: Update dates.rst with current unicode.org tr35 link by @​clach04 in :gh:1189
• General: Add some PyPI classifiers by @​tomasr8 in :gh:1186
• General: Apply reformatting by hand and with Ruff by @​akx in :gh:1202
• General: Test on and declare support for Python 3.14 by @​akx in :gh:1233
• Tests: Convert Unittest testcases with setup/teardown to fixtures by @​akx in :gh:1240
• Tests: Mark PyPy CI flake as xfail by @​akx in :gh:1197
• Tests: Move pytest config to pyproject.toml by @​tomasr8 in :gh:1187
• Tests: Unwrap most unittest test cases to bare functions by @​akx in :gh:1241

cemsbv/nuclei (cems-nuclei)

v3.2.0

Compare Source

Features

• Set PileCore version "v4" as latest

v3.1.0

Compare Source

Bug Fixes

• Deps: Update all non-major dependencies (#​239)

Features

• Add PileCore v4 to routing table

Miscellaneous Tasks

• Ci:
  • Disable pyink in github super-linter
  • Move from dependabot to renovate

Deploy

• Update deploy_docs.yaml

certifi/python-certifi (certifi)

v2025.11.12

Compare Source

v2025.10.5

Compare Source

jawah/charset_normalizer (charset-normalizer)

v3.4.4

Compare Source

Changed

• Bound setuptools to a specific constraint setuptools>=68,<=81.
• Raised upper bound of mypyc for the optional pre-built extension to v1.18.2

Removed

• setuptools-scm as a build dependency.

Misc

• Enforced hashes in dev-requirements.txt and created ci-requirements.txt for security purposes.
• Additional pre-built wheels for riscv64, s390x, and armv7l architectures.
• Restore multiple.intoto.jsonl in GitHub releases in addition to individual attestation file per wheel.

pallets/click (click)

v8.3.1

Compare Source

Released 2025-11-15

• Don't discard pager arguments by correctly using subprocess.Popen. :issue:3039
  :pr:3055
• Replace Sentinel.UNSET default values by None as they're passed through
  the Context.invoke() method. :issue:3066 :issue:3065 :pr:3068
• Fix conversion of Sentinel.UNSET happening too early, which caused incorrect
  behavior for multiple parameters using the same name. :issue:3071 :pr:3079
• Hide Sentinel.UNSET values as None when looking up for other parameters
  through the context inside parameter callbacks. :issue:3136 :pr:3137
• Fix rendering when prompt and confirm parameter prompt_suffix is
  empty. :issue:3019 :pr:3021
• When Sentinel.UNSET is found during parsing, it will skip calls to
  type_cast_value. :issue:3069 :pr:3090

duckdb/duckdb-python (duckdb)

v1.4.4: Bugfix Release

Compare Source

DuckDB core v1.4.4 Changelog: duckdb/duckdb@v1.4.3...v1.4.4

What's Changed in the Python Extension

• fix polars tests by @​evertlammerts in #​218
• tests for string and binary views by @​evertlammerts in #​221
• Quote view names in unregister by @​evertlammerts in #​222
• Limit string nodes in Polars expressions to constant expressions by @​evertlammerts in #​225
• Escape identifiers in relation aggregations by @​evertlammerts in #​272
• Fix DECREF bug during interpreter shutdown by @​evertlammerts in #​275
• Support for Pandas 3.0.0 by @​evertlammerts in #​277
• Prepare for v1.4.4 by @​evertlammerts in #​280

Full Changelog: duckdb/duckdb-python@v1.4.3...v1.4.4

v1.4.3: Python DuckDB v1.4.3

Compare Source

What's Changed

• Fix project metadata by @​evertlammerts in #​174
• Add filename_pattern to to_parquet Python API by @​matthewbayer in #​201
• add windows arm64 build by @​evertlammerts in #​211
• fix adbc test imports by @​evertlammerts in #​215
• add file_size_bytes to to_parquet by @​nicornk in #​204
• [minor][spark] Minor bugfixes by @​Dharin-shah in #​180

New Contributors

• @​matthewbayer made their first contribution in #​201
• @​nicornk made their first contribution in #​204

Full Changelog: duckdb/duckdb-python@v1.4.2...v1.4.3

v1.4.2: Python DuckDB v1.4.2

Compare Source

This is a bug fix release for various issues discovered after we released v1.4.1.

Also see the DuckDB v1.4.2 Changelog.

What's Changed

• Add Python 3.14 support by @​evertlammerts in #​116
• Fix ADBC driver path resolution when importlib.util was not implicitly loaded by @​henryharbeck in #​135
• add targeted test workflow by @​evertlammerts in #​145
• Remove xfail annotations on adbc tests by @​evertlammerts in #​147
• fix config dict value typehint by @​evertlammerts in #​151
• Add df data and tz type columns back into the same loc after type con… by @​evertlammerts in #​150
• Enable pyarrow with python 3.14 by @​evertlammerts in #​152
• spark imports by @​evertlammerts in #​157
• Fix failing test due to changed error msg by @​evertlammerts in #​158
• Add explicit .pl(lazy=True) overload by @​J-Meyers in #​172
• Fix InsertRelation on attached database by @​evertlammerts in #​155

Full Changelog: duckdb/duckdb-python@v1.4.1...v1.4.2

v1.4.1

Compare Source

DuckDB Core: v1.4.1

Bug Fixes

• ADBC Driver: Fixed ADBC driver implementation (#​81)
• SQLAlchemy compatibility: Added __hash__ method overload (#​61)
• Error Handling: Reset PyErr before throwing Python exceptions (#​69)
• Polars Lazyframes: Fixed Polars expression pushdown (#​102)

Code Quality Improvements & Developer Experience

• MyPy Support: MyPy is functional again and better integrated with the dev workflow
• Stubs: Re-created and manually curated stubs for the binary extension
• Type Shadowing: Deprecated typing and functional modules
• Linting & Formatting: Comprehensive code quality improvements with Ruff
• Type Annotations: Added missing overloads and improved type coverage
• Pre-commit Integration: Added ruff, clang-format, cmake-format and mypy configs
• CI/CD: Added code quality workflow

fonttools/fonttools (fonttools)

v4.61.1

Compare Source

• [otlLib] buildCoverage: return empty Coverage instead of None (#​4003, #​4004).
• [instancer] bug fix in avar2 full instancing (#​4002).
• [designspaceLib] Preserve empty conditionsets when serializing to XML (#​4001).
• [fontBu ilder] Fix FontBuilder setupOS2() default params globally polluted (#​3996, #​3997).
• [ttFont] Add more typing annotations to ttFont, xmlWriter, sfnt, varLib.models and others (#​3952, #​3826).
• Explicitly test and declare support for Python 3.14, even though we were already shipping pre-built wheels for it (#​3990).

v4.61.0

Compare Source

• [varLib.main]: SECURITY Only use basename(vf.filename) to prevent path traversal attacks when running fonttools varLib command-line script, or code which invokes fonttools.varLib.main(). Fixes CVE-2025-66034, see: GHSA-768j-98cg-p3fv.
• [feaLib] Sort BaseLangSysRecords by tag (#​3986).
• Drop support for EOL Python 3.9 (#​3982).
• [instancer] Support --remove-overlaps for fonts with CFF2 table (#​3975).
• [CFF2ToCFF] Add --remove-overlaps option (#​3976).
• [feaLib] Raise an error for rsub with NULL target (#​3979).
• [bezierTools] Fix logic bug in curveCurveIntersections (#​3963).
• [feaLib] Error when condition sets have the same name (#​3958).
• [cu2qu.ufo] skip processing empty glyphs to support sparse kerning masters (#​3956).
• [unicodedata] Update to Unicode 17. Require unicodedata2 >= 17.0.0 when installed with 'unicode' extra.

v4.60.2

Compare Source

• Backport release Same as 4.61.0 but without "Drop support for EOL Python 3.9" change to allow downstream projects still on Python 3.9 to avail of the security fix for CVE-2025-66034 (#​3994, #​3999).

v4.60.1

Compare Source

• [ufoLib] Reverted accidental method name change in UFOReader.getKerningGroupConversionRenameMaps
  that broke compatibility with downstream projects like defcon (#​3948, #​3947, robotools/defcon#478).
• [ufoLib] Added test coverage for getKerningGroupConversionRenameMaps method (#​3950).
• [subset] Don't try to subset BASE table; pass it through by default instead (#​3949).
• [subset] Remove empty BaseRecord entries in MarkBasePos lookups (#​3897, #​3892).
• [subset] Add pruning for MarkLigPos and MarkMarkPos lookups (#​3946).
• [subset] Remove duplicate features when subsetting (#​3945).
• [Docs] Added documentation for the visitor module (#​3944).

kjd/idna (idna)

v3.11

Compare Source

pytest-dev/iniconfig (iniconfig)

v2.3.0

Compare Source

=====

• add IniConfig.parse() classmethod with strip_inline_comments parameter (fixes #​55)
  • by default (strip_inline_comments=True), inline comments are properly stripped from values
  • set strip_inline_comments=False to preserve old behavior if needed
• IniConfig() constructor maintains backward compatibility (does not strip inline comments)
• users should migrate to IniConfig.parse() for correct comment handling
• add strip_section_whitespace parameter to IniConfig.parse() (regarding #​4)
  • opt-in parameter to strip Unicode whitespace from section names
  • when True, strips Unicode whitespace (U+00A0, U+2000, U+3000, etc.) from section names
  • when False (default), preserves existing behavior for backward compatibility
• clarify Unicode whitespace handling (regarding #​4)
  • since iniconfig 2.0.0 (Python 3 only), all strings are Unicode by default
  • Python 3's str.strip() has handled Unicode whitespace since Python 3.0 (2008)
  • iniconfig automatically benefits from this in all supported versions (Python >= 3.10)
  • key names and values have Unicode whitespace properly stripped using Python's built-in methods

v2.2.0

Compare Source

=====

• drop Python 3.8 and 3.9 support (now requires Python >= 3.10)
• add Python 3.14 classifier
• migrate from hatchling to setuptools 77 with setuptools_scm
• adopt PEP 639 license specifiers and PEP 740 build attestations
• migrate from black + pyupgrade to ruff
• migrate CI to uv and unified test workflow
• automate GitHub releases and PyPI publishing via Trusted Publishing
• include tests in sdist
• modernize code for Python 3.10+ (remove future annotations, TYPE_CHECKING guards)
• rename _ParsedLine to ParsedLine

ipython/ipython (ipython)

v9.10.0

Compare Source

v9.9.0

Compare Source

v9.8.0

Compare Source

v9.7.0

Compare Source

v9.6.0

Compare Source

v9.5.0

Compare Source

v9.4.0

Compare Source

v9.3.0

Compare Source

v9.2.0

Compare Source

pydantic/jiter (jiter)

v0.13.0

Compare Source

What's Changed

• bump PyO3 to 0.28 by @​davidhewitt in #​233

Full Changelog: pydantic/jiter@v0.12.0...v0.13.0

v0.12.0: 2025-11-09

Compare Source

What's Changed

• chore: pyo3-v0.27.x by @​jessekrubin in #​228
• derive Default for enums by @​davidhewitt in #​229

Full Changelog: pydantic/jiter@v0.11.1...v0.12.0

v0.11.1: 2025-10-17

Compare Source

What's Changed

• jiter-python: modify pyproject.toml to include license in wheels by @​justeph in #​222
• refactor: convert all downcasts to casts by @​jessekrubin in #​221
• Upgrade GitHub actions/checkout and actions/setup-python by @​cclauss in #​225
• Add GraalPy 3.12 wheels by @​msimacek in #​223
• ci: add builds for windows 11 arm by @​davidhewitt in #​210
• release: 0.11.1 by @​davidhewitt in #​227

New Contributors

• @​justeph made their first contribution in #​222
• @​cclauss made their first contribution in #​225

Full Changelog: pydantic/jiter@v0.11.0...v0.11.1

python-jsonschema/jsonschema (jsonschema)

v4.26.0

Compare Source

=======

• Decrease import time by delaying importing of urllib.request (#​1416).

jupyter/jupyter_core (jupyter-core)

v5.9.1

Compare Source

v5.9.0

Compare Source

(Full Changelog)

Enhancements made

• nicer traceback in missing loop case outside except in run_sync #​437 (@​AThePeanut4)

Bugs fixed

• Fix missing f specifier in f-string used to print config file path #​433 (@​krassowski)
• validate inputs to is_hidden #​429 (@​minrk)

Maintenance and upkeep improvements

• try to fix some downstream tests #​448 (@​Carreau)
• remove deprecation warning, platformdirs won't become default #​447 (@​minrk)
• Bump github/codeql-action from 3 to 4 in the actions group #​446 (@​dependabot)
• require python 3.10, start to test on 3.14 and 3.14-free-threaded #​445 (@​Carreau)
• remove pywin32 dependency so free-threading can fly (like pypy) #​441 (@​stonebig)
• Bump the actions group across 1 directory with 2 updates #​440 (@​dependabot)

Documentation improvements

• [Docs] Use extension:filetype mapping in sphinx configuration #​443 (@​Carreau)

Contributors to this release

(GitHub contributors page for this release)

@​AThePeanut4 | @​Carreau | @​dependabot | @​krassowski | @​minrk | @​nikimagic | @​stonebig

loro-dev/loro-py (loro)

v1.10.3

Compare Source

v1.10.0

Compare Source

v1.8.2

[Compare Source](https://redirect.github.com/loro-dev/l

[coveralls]

Pull Request Test Coverage Report for Build 22127199315

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 92.258%

---

Totals
Change from base Build 18002325789:	0.0%
Covered Lines:	143
Relevant Lines:	155

---

💛 - Coveralls