Update responder requirement from <4 to <5

[dependabot]

Updates the requirements on responder to permit the latest version.

Release notes

Sourced from responder's releases.

v4.0.0

Highlights

A much lighter install. pip install responder now pulls 35 packages instead of ~64. Two heavy dependency trains moved behind extras:

• responder[cli] — pueblo[sfa-full] and its S3/aiohttp/libarchive stack. Only needed for running remote application targets (responder run https://..., github://, cloud storage). responder run app:api and responder run myapp/core.py still work out of the box.
• responder[graphql] — graphene and graphql-core, for use with api.graphql().

Breaking changes

This is a major release per semver. If you rely on either feature, add the extra:

$ pip install 'responder[cli]'      # remote targets for `responder run`
$ pip install 'responder[graphql]'  # GraphQL support

Everything else is unchanged — no code or API changes beyond the optional imports.

On PyPI: https://pypi.org/project/responder/4.0.0/ Full changelog: https://github.com/kennethreitz/responder/blob/main/CHANGELOG.md

Changelog

Sourced from responder's changelog.

[v4.0.0] - 2026-06-12

Changed

• Breaking: Slimmed the default install from ~60 packages to ~30 by moving heavy dependencies behind extras:
  • pueblo[sfa-full] (which pulls in s3fs, aiobotocore, aiohttp, libarchive-c, and friends) is now the cli extra. responder run still works out of the box for local modules and file paths (app:api, myapp/core.py); only remote targets (URLs, github://, cloud storage) need pip install 'responder[cli]'
  • graphene and graphql-core are now the graphql extra. Install with pip install 'responder[graphql]' to use api.graphql()

[v3.12.0] - 2026-06-12

Added

• Built-in metrics: API(metrics_route="/metrics") serves request counts and latency histograms in Prometheus text format, zero dependencies. Labels use route patterns (/users/{id}) so cardinality stays bounded; error responses are recorded with their real status codes
• Server-side sessions: API(session_backend=...) stores session data in a backend (MemorySessionBackend, RedisSessionBackend, or any object with get/set/delete) with only an opaque ID in the cookie — enabling revocation and unbounded session size. Handler code is unchanged
• Query-parameter validation: @api.route(..., params_model=Model) coerces and validates query strings with Pydantic (422 on failure), exposes the instance as req.state.validated_params, maps repeated keys to list fields, and documents the parameters in the OpenAPI spec
• resp.render(template, **context) — render a Jinja2 template as the HTML response body in one call

[v3.11.0] - 2026-06-11

Added

• HTTP range requests: resp.file() and resp.stream_file() answer Range: bytes=... with 206 Partial Content (suffix and open-ended ranges, 416 for unsatisfiable, Accept-Ranges advertised) — enables video seeking and resumable downloads
• resp.download(path, filename=...) serves files as attachments with proper Content-Disposition (RFC 5987 encoding for non-ASCII names), streamed and resumable
• Request timeouts: API(request_timeout=seconds) answers overrunning handlers with 504 Gateway Timeout (content-negotiated); dependency teardowns still run

Performance

... (truncated)

Commits

• 32581f0 Bump version to 4.0.0 and update changelog
• 09e5bb5 Move pueblo and graphene behind 'cli' and 'graphql' extras
• a1a4895 Bump version to 3.12.0 and update changelog
• 2b4a557 Add metrics, server-side sessions, query-param validation, resp.render
• b94f76b Bump version to 3.11.0 and update changelog
• 737026f Add range requests, downloads, request timeouts, and route caching
• 7c3be4f Bump version to 3.10.0 and update changelog
• 3c2e42e Add slash redirects, request size limits, auto-ETag, after-response tasks
• 832be9e Bump version to 3.9.1 and update changelog
• 6a28ff3 Add conditional requests, upload streaming, rate-limit backends, app state
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.56%. Comparing base (e99ba07) to head (8d8f371).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #52   +/-   ##
=======================================
  Coverage   82.56%   82.56%           
=======================================
  Files          12       12           
  Lines         218      218           
=======================================
  Hits          180      180           
  Misses         38       38           

Flag	Coverage Δ
unittests	82.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amotl]

Migrated pueblo[sfa-full] and its S3/aiohttp/libarchive stack to responder[cli]. This is only needed for running remote application targets (responder run https://..., github://, cloud storage). responder run app:api and responder run myapp/core.py still work out of the box.

Please verify this detail with Vasuki's use of responder. Are there test cases in place?