
chore(deps): bump the pip-root-updates group with 5 updates #136

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/pip-root-updates-e22f221dc1

Conversation

dependabot[bot] (Contributor) commented on behalf of github May 26, 2026

Bumps the pip-root-updates group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| flwr | 1.29.0 | 1.30.0 |
| cryptography | 46.0.7 | 48.0.0 |
| python-socketio | 5.16.1 | 5.16.2 |
| python-engineio | 4.13.1 | 4.13.2 |
| pytest-asyncio | 1.3.0 | 1.4.0 |

Updates flwr from 1.29.0 to 1.30.0

Release notes

Sourced from flwr's releases.

Flower 1.30.0

Thanks to our contributors

We would like to give our special thanks to all the contributors who made the new version of Flower possible (in git shortlog order):

Charles Beauville, Chong Shen Ng, Daniel J. Beutel, Daniel Nata Nugraha, Heng Pan, Javier, Micah Sheller, Mohammad Naseri, Patrick Foley, Taner Topal, Yan Gao

What's new?

Incompatible changes

  • Disallow manually running internal flwr-* commands (#7019)

    Removes support for manually starting flwr-serverapp, flwr-simulation, and flwr-clientapp; these commands can only be launched by SuperExec.

Commits
  • fae9542 feat(framework): Update changelog for 1.30.0 (#7193)
  • b189159 refactor(framework): Simplify check for ray being installed (#7204)
  • 709329f ci(intelligence:skip): Update Intelligence TS CI setup (#7198)
  • 370a279 refactor(framework): Ensure correct clientapp task expiry handling (#7197)
  • 7d78faa docs(framework): Update the example output of flwr list in docs (#7200)
  • a3d5dcd refactor(framework): Avoid raising RuntimeError when pulling task input fai...
  • 7954b58 feat(framework): Show status details in the table (#7195)
  • c28f237 refactor(framework): Move code in finally branch to the exit handler to ens...
  • e552c2e refactor(framework): Remove special handler for invitation system gRPC error ...
  • 5d34682 fix(framework): Change runtime version check warning message (#7191)
  • Additional commits viewable in compare view

Updates cryptography from 46.0.7 to 48.0.0

Changelog

Sourced from cryptography's changelog.

48.0.0 - 2026-05-04


  • BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed. cryptography now requires Python 3.9 or later.
  • BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner TBSCertList.signature algorithm does not match the outer signatureAlgorithm now raises ValueError. Previously, such CRLs were parsed successfully and only rejected during signature validation.
  • Added support for :doc:/hazmat/primitives/asymmetric/mlkem and :doc:/hazmat/primitives/asymmetric/mldsa when using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and BoringSSL support. This means post-quantum algorithms are now available to users of our wheels.
  • Note: Going forward, we do not guarantee that all functionality in cryptography will be available when building against OpenSSL. See :doc:/statements/state-of-openssl for more information.

47.0.0 - 2026-04-24

  • Support for Python 3.8 is deprecated and will be removed in the next cryptography release.
  • BACKWARDS INCOMPATIBLE: Support for binary elliptic curves (SECT* classes) has been removed. These curves are rarely used and have additional security considerations that make them undesirable.
  • BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed. OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC continue to be supported.
  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.
  • BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or keys with unsupported explicit curve encodings now raises :class:~cryptography.exceptions.UnsupportedAlgorithm instead of ValueError. This change affects :func:~cryptography.hazmat.primitives.serialization.load_pem_private_key, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key, :func:~cryptography.hazmat.primitives.serialization.load_pem_public_key, :func:~cryptography.hazmat.primitives.serialization.load_der_public_key, and :meth:~cryptography.x509.Certificate.public_key when called on certificates with unsupported public key algorithms.
  • BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we now reject keys that incorrectly encode a private key of the wrong length because such keys are impossible to process in a constant-time manner. We do not believe keys with this problem are in wide use, however we may revert this change based on the feedback we receive.
  • Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to :class:~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES. In a

... (truncated)

Commits

Updates python-socketio from 5.16.1 to 5.16.2

Release notes

Sourced from python-socketio's releases.

Release 5.16.2

See CHANGES.md for release notes.

Changelog

Sourced from python-socketio's changelog.

python-socketio change log

Release 5.16.2 - 2026-05-21

Release 5.16.1 - 2026-02-06

  • Use configured JSON module in managers #1549 (commit)
  • Admin UI fixes: remove duplicate tasks, report transport upgrades (commit)
  • Switch to Furo documentation template (commit)
  • Add Python free-threading to CI #1554 (commit)

Release 5.16.0 - 2025-12-24

  • Address deprecation warnings (commit)
  • Drop Python 3.8 and 3.9 from CI builds (commit)

Release 5.15.1 - 2025-12-16

  • Restore support multiple arguments via pubsub emits #1540 (commit)

Release 5.15.0 - 2025-11-22

Release 5.14.3 - 2025-10-29

  • Support Python's native ConnectionRefusedError exception to reject a connection #1515 (commit)
  • Push binary data to the aiopika client manager #1514 (commit)

Release 5.14.2 - 2025-10-15

  • Restore binary message support in message queue setups #1509 (commit)
  • Fix formatting of client connection error #1507 (commit)
  • Add 3.14 and pypy-3.11 CI tasks (commit)
  • Improve documentation of the BaseManager.get_participants() method (commit)

Release 5.14.1 - 2025-10-02

  • Restore support for rediss:// URLs, and add support for valkeys:// as well (commit)
  • Add support for Redis connections using unix sockets #1503 (commit) (thanks Darren Chang!)

Release 5.14.0 - 2025-09-30

... (truncated)

Commits
  • 6e2b717 Release 5.16.2
  • cb65829 update python-engineio version
  • ca140fe prevent unnecessary resource allocation (#1574)
  • b29beef tox configuration
  • e898130 Bump ujson from 5.4.0 to 5.12.1 in /examples/server/sanic (#1573) #nolog
  • 05c32f5 Bump qs and body-parser in /examples/server/javascript (#1572) #nolog
  • 287dc67 Bump qs and body-parser in /examples/client/javascript (#1571) #nolog
  • 664dc27 add zizmor to ci (#1570)
  • 14c6236 Bump django in /examples/server/wsgi/django_socketio (#1566) #nolog
  • 29b2e5c Bump aiohttp from 3.13.3 to 3.13.4 in /examples/server/aiohttp (#1565) #nolog
  • Additional commits viewable in compare view

Updates python-engineio from 4.13.1 to 4.13.2

Release notes

Sourced from python-engineio's releases.

Release 4.13.2

See CHANGES.md for release notes.

Changelog

Sourced from python-engineio's changelog.

python-engineio change log

Release 4.13.2 - 2026-05-21

Release 4.13.1 - 2026-02-06

  • Document that a process can have only one custom JSON module (commit)
  • Switch to Furo documentation template (commit)

Release 4.13.0 - 2025-12-24

  • Apply escaping rules when parsing cookie values (commit)
  • Several minor improvements to the aiohttp integration #419 (commit) (thanks PaulWasTaken!)
  • Clarify logging behavior in documentation #421 (commit) (thanks ZipFile!)
  • Address deprecation warnings #422 (commit)
  • Add 3.14 and pypy-3.11 CI builds (commit)
  • Drop Python 3.8 and 3.9 from CI builds (commit)

Release 4.12.3 - 2025-09-28

  • Reset client queue upon disconnection #414 (commit)
  • Support ['*'] in addition to '*' in the cors_allowed_origins option #410 (commit) (thanks Wu Clan!)

Release 4.12.2 - 2025-06-04

  • Support new monkey-patched gevent Queue class in the client #403 (commit)
  • Better support of the ASGI spec when interpreting WebSocket events #405 (commit) (thanks Eric Zhang!)

Release 4.12.1 - 2025-05-11

  • Accept empty binary values in the async server #404 (commit)
  • Add SPDX license identifier #401 (commit) (thanks Marc Mueller!)

Release 4.12.0 - 2025-04-12

  • Optimize packet parsing to avoid unnecessary calls to JSON parser #399 (commit)
  • Pass environ as a second argument to callable option cors_allowed_origins #398 (commit) (thanks wft-swas!)

Release 4.11.2 - 2024-12-29

  • Fix incorrect disconnection reason reported when browser page is closed (commit)

Release 4.11.1 - 2024-12-17

  • Remove debugging prints 😊 (commit)

Release 4.11.0 - 2024-12-17

... (truncated)

Commits
  • b698159 Release 4.13.2
  • ceeeb5e prevent unnecessary resource allocation (#441)
  • eb771e0 tox configuration
  • 74c3a0b Bump qs and body-parser in /examples/client/javascript (#440) #nolog
  • e2278e1 Bump qs and body-parser in /examples/server/javascript (#439) #nolog
  • a35f46d remove unnecessary build dependency
  • 8963cca Bump ujson from 5.4.0 to 5.12.1 in /examples/server/sanic (#438) #nolog
  • 68eb36a add zizmor to ci (#437)
  • 9cf6b72 Bump aiohttp from 3.13.3 to 3.13.4 in /examples/server/aiohttp (#435) #nolog
  • 1d08ca3 Bump path-to-regexp from 0.1.12 to 0.1.13 in /examples/client/javascript (#43...
  • Additional commits viewable in compare view

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
  • Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

  • Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

  • Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits
  • 6e14cd2 chore: Prepare release of v1.4.0.
  • 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
  • ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
  • a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
  • e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
  • fc43340 Build(deps): Bump idna from 3.14 to 3.15
  • 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
  • b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
  • 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
  • 82a393c ci: Remove unnecessary debug output.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the pip-root-updates group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [flwr](https://github.com/flwrlabs/flower) | `1.29.0` | `1.30.0` |
| [cryptography](https://github.com/pyca/cryptography) | `46.0.7` | `48.0.0` |
| [python-socketio](https://github.com/miguelgrinberg/python-socketio) | `5.16.1` | `5.16.2` |
| [python-engineio](https://github.com/miguelgrinberg/python-engineio) | `4.13.1` | `4.13.2` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) | `1.3.0` | `1.4.0` |


Updates `flwr` from 1.29.0 to 1.30.0
- [Release notes](https://github.com/flwrlabs/flower/releases)
- [Changelog](https://github.com/flwrlabs/flower/blob/main/CHANGELOG.md)
- [Commits](flwrlabs/flower@framework-1.29.0...framework-1.30.0)

Updates `cryptography` from 46.0.7 to 48.0.0
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...48.0.0)

Updates `python-socketio` from 5.16.1 to 5.16.2
- [Release notes](https://github.com/miguelgrinberg/python-socketio/releases)
- [Changelog](https://github.com/miguelgrinberg/python-socketio/blob/main/CHANGES.md)
- [Commits](miguelgrinberg/python-socketio@v5.16.1...v5.16.2)

Updates `python-engineio` from 4.13.1 to 4.13.2
- [Release notes](https://github.com/miguelgrinberg/python-engineio/releases)
- [Changelog](https://github.com/miguelgrinberg/python-engineio/blob/main/CHANGES.md)
- [Commits](miguelgrinberg/python-engineio@v4.13.1...v4.13.2)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: flwr
  dependency-version: 1.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-root-updates
- dependency-name: cryptography
  dependency-version: 48.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: pip-root-updates
- dependency-name: python-socketio
  dependency-version: 5.16.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip-root-updates
- dependency-name: python-engineio
  dependency-version: 4.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip-root-updates
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-root-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
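
A pre-merge check for a grouped update like this one, as an added example that is not part of the PR or of Dependabot: it parses the `updated-dependencies` trailer of the commit message, recomputes each bump from the From/To versions, and flags major bumps, including ones that skip a major release (here `cryptography` 46.0.7 to 48.0.0, which crosses both the 47.0.0 and 48.0.0 backwards-incompatible lists quoted above). The function names are hypothetical, and the parser assumes plain X.Y.Z versions.

```python
import re

# Trailer copied from this PR's commit message, abridged to the three keys used here.
TRAILER = """\
updated-dependencies:
- dependency-name: flwr
  dependency-version: 1.30.0
  update-type: version-update:semver-minor
- dependency-name: cryptography
  dependency-version: 48.0.0
  update-type: version-update:semver-major
- dependency-name: python-socketio
  dependency-version: 5.16.2
  update-type: version-update:semver-patch
- dependency-name: python-engineio
  dependency-version: 4.13.2
  update-type: version-update:semver-patch
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  update-type: version-update:semver-minor
"""
# "From" column of the PR's version table.
FROM_VERSIONS = {"flwr": "1.29.0", "cryptography": "46.0.7", "python-socketio": "5.16.1",
                 "python-engineio": "4.13.1", "pytest-asyncio": "1.3.0"}

def parse_trailer(text):
    """Parse the flat list-of-mappings YAML subset used by the trailer."""
    deps = []
    for line in text.splitlines():
        m = re.match(r"^(- |  )([\w-]+):\s*(\S+)$", line)
        if m and m.group(1) == "- ":
            deps.append({})  # a dash starts the next dependency entry
        if m and deps:
            deps[-1][m.group(2)] = m.group(3)
    return deps

def bump_kind(old, new):
    """Return (kind, distance) from the version numbers; assumes plain X.Y.Z."""
    o, n = ([int(p) for p in v.split(".")[:3]] for v in (old, new))
    changed = ((k, b - a) for k, a, b in zip(("major", "minor", "patch"), o, n) if a != b)
    return next(changed, ("none", 0))

def triage(trailer, from_versions):
    """Flag entries that need manual changelog review before merging."""
    findings = []
    for dep in parse_trailer(trailer):
        name, new = dep["dependency-name"], dep["dependency-version"]
        claimed = dep["update-type"].rsplit("semver-", 1)[-1]
        kind, distance = bump_kind(from_versions[name], new)
        if kind != claimed:
            findings.append((name, f"trailer says {claimed}, versions say {kind}"))
        if kind == "major":
            skipped = f", skips {distance - 1} major release(s)" if distance > 1 else ""
            findings.append((name, f"major bump {from_versions[name]} -> {new}{skipped}"))
    return findings
```

Run against this PR's data, `triage(TRAILER, FROM_VERSIONS)` returns a single finding, for `cryptography`; the other four entries are minor or patch bumps whose labels match their version numbers.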
dependabot[bot] requested a review from rwilliamspbg-ops as a code owner May 26, 2026 18:11
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels May 26, 2026
@rwilliamspbg-ops (Owner)

@copilot review workflow failures and fix
