chore(deps): Bump the minor-and-patch group in /a2a/git_issue_agent with 4 updates

[dependabot]

Bumps the minor-and-patch group in /a2a/git_issue_agent with 4 updates: litellm, python-multipart, starlette and lxml.

Updates litellm from 1.84.0 to 1.86.2

Release notes

Sourced from litellm's releases.

v1.86.2

Verify Docker Image Signature

All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.

Verify using the pinned commit hash (recommended):

A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:

cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
  ghcr.io/berriai/litellm:v1.86.2

Verify using the release tag (convenience):

Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:

cosign verify \
  --key https://raw.githubusercontent.com/BerriAI/litellm/v1.86.2/cosign.pub \
  ghcr.io/berriai/litellm:v1.86.2

Expected output:

The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

---

What's Changed

• chore(proxy): cherry-pick #28547 onto patch/v1.86.1 by @​yuneng-berri in BerriAI/litellm#28969
• chore: uv lock for 1.86.2 by @​yuneng-berri in BerriAI/litellm#28972

Full Changelog: BerriAI/litellm@v1.86.1...v1.86.2

v1.85.2

Verify Docker Image Signature

All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.

Verify using the pinned commit hash (recommended):

A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:

... (truncated)

Commits

• 72fdccb chore: uv lock for 1.86.2 (#28972)
• be557c8 chore(proxy): cherry-pick #28547 onto patch/v1.86.1 (#28969)
• a8caf28 chore(release): 1.86.1 (#28823)
• a13cd21 Merge pull request #28744 from BerriAI/litellm_/bold-lumiere-b74316
• 9e7192e fix(docker): restore npm to non_root builder image (#28519)
• a72414a Merge pull request #28100 from BerriAI/litellm_internal_staging
• cf9b5e4 [Infra] Bump versions (#28094)
• 1b0ae3a fix(mcp-oauth): PROXY_BASE_URL escape hatch + diagnostic logging for {"detail...
• 3d5a9ed feat: add Terraform stacks for deploying LiteLLM on AWS and GCP (#27673)
• fbe0ee8 fix(proxy): sort BYOK models by their displayed name in /v2/model/info (#28079)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.28 to 0.0.29

Release notes

Sourced from python-multipart's releases.

Version 0.0.29

What's Changed

• Handle malformed RFC 2231 continuations in parse_options_header by @​manunio in Kludex/python-multipart#270

Full Changelog: Kludex/python-multipart@0.0.28...0.0.29

Changelog

Sourced from python-multipart's changelog.

0.0.29 (2026-05-17)

• Handle malformed RFC 2231 continuations in parse_options_header #270.

Commits

• e3d6853 Version 0.0.29 (#288)
• a60dcdc Handle malformed RFC 2231 continuations in parse_options_header (#270)
• 75c33b2 Add 7-day cooldown for dependency resolution via uv exclude-newer (#286)
• a078b8e Bump urllib3 from 2.6.3 to 2.7.0 (#285)
• See full diff in compare view

Updates starlette from 1.0.0 to 1.2.0

Release notes

Sourced from starlette's releases.

Version 1.2.0

What's Changed

• Support httpx2 in the test client by @​Kludex in Kludex/starlette#3291

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

What's Changed

• Use "application/octet-stream" as the FileResponse media type fallback by @​ATOM00blue in Kludex/starlette#3283
• Only dispatch standard HTTP verbs in HTTPEndpoint by @​Kludex in Kludex/starlette#3286
• Reject absolute paths in StaticFiles.lookup_path by @​Kludex in Kludex/starlette#3287

New Contributors

• @​ATOM00blue made their first contribution in Kludex/starlette#3283

Full Changelog: Kludex/starlette@1.0.1...1.1.0

Version 1.0.1

What's Changed

• Ignore malformed Host header when constructing request.url by @​Kludex in Kludex/starlette#3279

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Changelog

Sourced from starlette's changelog.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

Commits

• 4060987 Version 1.2.0 (#3300)
• 1e289ca Migrate docs deploy from Cloudflare Pages to Workers Static Assets (#3282)
• 100f05a Add httpx2 as a dev dependency (#3295)
• 508023b Support httpx2 in the test client (#3291)
• a4ff83b Version 1.1.0 (#3289)
• fd53168 Reject absolute paths in StaticFiles.lookup_path (#3287)
• e3f9722 Only dispatch standard HTTP verbs in HTTPEndpoint (#3286)
• 348f86d Use "application/octet-stream" as the FileResponse media type fallback (#...
• 48f8e33 Version 1.0.1 (#3281)
• f078832 Remove Hugging Face sponsor block from docs (#3280)
• Additional commits viewable in compare view

Updates lxml from 6.1.0 to 6.1.1

Changelog

Sourced from lxml's changelog.

6.1.1 (2026-05-18)

Bugs fixed

• The known link attributes in lxml.html.defs.link_attrs were missing xlink:href, which can be used for URL bypass attacks in embedded SVG/MathML/etc. content. https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-4jhm-jv67-739f

• The Linux wheels use a patched libxslt 1.1.43, fixing CVE-2025-7424 and CVE-2025-11731.

• The Windows wheels use libxslt 1.1.45, fixing CVE-2025-7424 and CVE-2025-11731.

Commits

• b4a4c59 Build: Fix build in Py3.8.
• a116dcb Fix typo: type annotions -> type annotations in PEP 560 comments (GH-504)
• 7287a75 Prepare release of 6.1.1.
• 5927a6d Add missing "xlink:href" to the known HTML link attributes.
• 23efeb4 Build: Fix build in Py3.8.
• 2c0563b Build: Add bug patch for libxslt 1.1.43 and apply it during the static librar...
• 8a35fcc Fix doctest in PyPy3.9.
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions