chore(deps): bump the all group with 13 updates#1094

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/all-035d3ea4a3
@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the all group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| starlette | 1.0.0 | 1.2.1 |
| fastapi | 0.136.1 | 0.136.3 |
| grpcio | 1.80.0 | 1.81.0 |
| grpcio-tools | 1.80.0 | 1.81.0 |
| grpcio-status | 1.80.0 | 1.81.0 |
| grpcio-reflection | 1.80.0 | 1.81.0 |
| opentelemetry-api | 1.41.1 | 1.42.1 |
| opentelemetry-sdk | 1.41.1 | 1.42.1 |
| pyjwt | 2.12.1 | 2.13.0 |
| pytest-asyncio | 1.3.0 | 1.4.0 |
| ruff | 0.15.13 | 0.15.15 |
| uvicorn | 0.47.0 | 0.48.0 |
| ty | 0.0.37 | 0.0.42 |

Updates starlette from 1.0.0 to 1.2.1

Release notes

Sourced from starlette's releases.

Version 1.2.1

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

What's Changed

New Contributors

Full Changelog: Kludex/starlette@1.0.1...1.1.0

Version 1.0.1

What's Changed

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Changelog

Sourced from starlette's changelog.

1.2.1 (May 31, 2026)

Fixed

  • Use httpx2 for type checking in the testclient module #3304.
  • Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

  • Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

  • Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

  • Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
  • Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

Fixed

  • Ignore malformed Host header when constructing request.url #3279.

Commits
  • ef773fe Version 1.2.1 (#3306)
  • 3fc68a7 Add sponsors section to docs sidebar (#3305)
  • b053f7b chore(deps): bump the python-packages group across 1 directory with 6 updates...
  • 1478775 Add assert error for requires() when request param is not Request type (#3298)
  • 6576547 Describe disconnected-after-response behavior in test docstring (#3243)
  • 9cb1553 Use same module (httpx|httpx2) for type checking as for runtime (#3304)
  • 4060987 Version 1.2.0 (#3300)
  • 1e289ca Migrate docs deploy from Cloudflare Pages to Workers Static Assets (#3282)
  • 100f05a Add httpx2 as a dev dependency (#3295)
  • 508023b Support httpx2 in the test client (#3291)
  • Additional commits viewable in compare view

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

  • ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

  • ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

Translations

Internal

... (truncated)

Commits
  • 8206485 🔖 Release version 0.136.3
  • c910e01 📝 Update release notes
  • 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
  • 22b02e2 🔖 Release version 0.136.2
  • 3b252a2 📝 Update release notes
  • c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
  • cb83b83 📝 Update release notes
  • 00f805c ✅ Update tests, don't double dispose the engine (#15587)
  • 3675137 📝 Update release notes
  • 7b57e42 📝 Document --entrypoint CLI option (#15464)
  • Additional commits viewable in compare view

Updates grpcio from 1.80.0 to 1.81.0

Release notes

Sourced from grpcio's releases.

Release v1.81.0

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • [EventEngine] Fix a potential use-after-free error on Windows. (#42078)
  • [ssl] Server side handshaker factory stores a map of key signers. (#42002)
  • [Core] Fix completion queue shutdown race on weak memory models (ARM). (#41510)
  • [EventEngine] Fix a Windows race that causes an assertion error. (#41563)
  • [grpc_error] enable error_flatten experiment in OSS. (#41471)
  • [Python] Trim Python2 backward compatibility syntax - removed (object) inheritance. (#41708)

Objective-C

  • [ObjC] Add receiveNextMessage to GRPCUnaryProtoCall. (#42260)

Python

  • [Python] Add typing_extensions dep to aio Bazel target. (#42001)
  • [Python] [Pyright] Part 1 - Pyright for src/python/grpcio/grpc/aio/_base_server.py. (#42240)
  • [Python] Drop 3.9. (#42145)
  • [Python] grpc-status: Relax protobuf dependency upper bound to allow 7.x. (#41948)
  • [Python] [Typeguard] Part 5 - Add Typeguard SYNC Stack in tests. (#40278)
  • [Python] Remove GIL from ReceiveMessageOperation.un_c method. (#41812)
  • [Python] Support observability in AsyncIO stack. (#41573)

Ruby

  • [Ruby] Drop support for EOL Ruby 3.1 and clean up. (#41435)
  • [Ruby] Composed CallCredentials keep a reference to their source. (#41782)

Release v1.81.0-pre1

This is a prerelease of gRPC Core 1.81.0 (graphic).

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This prerelease contains refinements, improvements, and bug fixes.

Commits
  • 8bdf11e [Release] Bump version to 1.81.0 (on v1.81.x branch) (#42432)
  • 0029e06 Move all gRPC Session classes to the experimental namespace (#42462)
  • 1f18268 [CI] Fix Asan thread_stress_test error by reducing thread count (#42424) (#42...
  • ee3fed7 Backport MacOS fix cl/917004588 to v1.81.x (#42441)
  • 6244f3b [Release] Bump version to 1.81.0-pre1 (on v1.81.x branch) (#42378)
  • 1108777 [Release] Bump core version to 54.0.0 for upcoming release (#42321)
  • 74940e8 [fix] Add back the do-while loop that handles the TSI_RESULT correctly.
  • 5c6185c [CHTTP2] Assert
  • 51bc437 Automated rollback of commit aab1eab78f9fcb3fc6e0aa9c8d7a59de280dbe3f.
  • 03a2dc7 [Cleanup] Reduce log noise in latent see.
  • Additional commits viewable in compare view

Updates grpcio-tools from 1.80.0 to 1.81.0

Updates grpcio-status from 1.80.0 to 1.81.0

Updates grpcio-reflection from 1.80.0 to 1.81.0

Updates opentelemetry-api from 1.41.1 to 1.42.1

Changelog

Sourced from opentelemetry-api's changelog.

Version 1.42.1/0.63b1 (2026-05-21)

Fixed

  • Preserve the random trace ID flag when creating child spans instead of always setting the random trace id bit depending on the available trace id generator. (#5241)

Version 1.42.0/0.63b0 (2026-05-19)

Added

  • opentelemetry-api, opentelemetry-sdk: add support for 'random-trace-id' flags in W3C traceparent header trace flags. Implementations of IdGenerator that randomly generate the 56 least significant bits should also implement an is_trace_id_random method that returns True. (#4854)
  • logs: add exception support to Logger emit and LogRecord attributes (#4908)
  • opentelemetry-exporter-otlp-proto-grpc: make retryable gRPC error codes configurable for gRPC exporters (#4917)
  • opentelemetry-sdk: Add create_logger_provider/configure_logger_provider to declarative file configuration, enabling LoggerProvider instantiation from config files without reading env vars (#4990)
  • opentelemetry-exporter-otlp-json-common: add 'opentelemetry-exporter-otlp-json-common' package for OTLP JSON exporters (#4996)
  • opentelemetry-sdk: Add service resource detector support to declarative file configuration via detection_development.detectors[].service (#5003)
  • opentelemetry-docker-tests: add docker-tests coverage of opentelemetry-exporter-otlp-proto-grpc and opentelemetry-exporter-otlp-proto-http metrics export (#5030)
  • Add registry keyword argument to PrometheusMetricReader to allow passing a custom Prometheus registry (#5055)
  • Add WeaverLiveCheck test util (#5088)
  • opentelemetry-sdk: add load_entry_point shared utility to declarative file configuration for loading plugins via entry points; refactor propagator loading to use it (#5093)
  • opentelemetry-sdk: add sampler plugin loading to declarative file configuration via the opentelemetry_sampler entry point group, matching the spec's PluginComponentProvider mechanism (#5095)

... (truncated)

Commits
  • 367e14d Prepare release 1.42.1/0.63b1 (#5243)
  • fd8e504 Preserve random trace ID flag for child spans (#5241) (#5242)
  • 013045e [release/v1.42.x-0.63bx] Prepare release 1.42.0/0.63b0 (#5225)
  • 1731583 ci: Enable GitHub Merge Queue support (#5209)
  • 7fab34d fix(config): allow deflate for OTLP HTTP exporters (#5075)
  • 0b690d2 ci: validate changelog fragment filenames (#5212)
  • d4fabb4 feat(config): exporter plugin loading via entry points for declarative config...
  • e19d346 feat(config): generic resource detector plugin loading for declarative config...
  • 1d69bd2 sdk/metrics: copy attributes dict to prevent post-recording mutation (#5106)
  • 990a611 feat(config): propagator plugin loading via entry points for declarative conf...
  • Additional commits viewable in compare view

Updates opentelemetry-sdk from 1.41.1 to 1.42.1

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

  • GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

  • GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

  • GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

  • GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

  • GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

  • Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
  • Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
  • RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

  • Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
  • PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
  • PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
  • b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
  • enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

`v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>`__

Security


- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.

Fixed


- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``"b64"`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.

Changed

  • Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in `#1152 <https://github.com/jpadilla/pyjwt/pull/1152>`__

Commits
  • 7144e45 Apply ruff format
  • d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
  • 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
  • 95791b1 Bundle security fixes and hardening into 2.13.0
  • dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
  • 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
  • b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
  • 40e3147 Migrate development extras to dependency groups (#1152)
  • See full diff in compare view

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
  • Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

  • Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

  • Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits
  • 6e14cd2 chore: Prepare release of v1.4.0.
  • 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
  • ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
  • a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
  • e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
  • fc43340 Build(deps): Bump idna from 3.14 to 3.15
  • 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
  • b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
  • 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
  • 82a393c ci: Remove unnecessary debug output.
  • Additional commits viewable in compare view

Updates ruff from 0.15.13 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

  • Fix Markdown closing fence handling (#25310)
  • [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

  • [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

  • Avoid redundant TokenValue drops in the lexer (#25300)
  • Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
  • Use ThinVec in AST to shrink Stmt (#25361)

Documentation

  • Fix line-length example for --config option (#25389)
  • [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
  • [mccabe] Improve example (C901) (#25287)
  • [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
  • [refurb] Document FURB192 exception change for empty sequences (#25317)
  • [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

  • Fix formatting of lambdas nested within f-strings (#25398)

Server

  • Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

  • Expand semantic syntax errors for invalid walruses (#25415)

Contributors

Bumps the all group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [starlette](https://github.com/Kludex/starlette) | `1.0.0` | `1.2.1` |
| [fastapi](https://github.com/fastapi/fastapi) | `0.136.1` | `0.136.3` |
| [grpcio](https://github.com/grpc/grpc) | `1.80.0` | `1.81.0` |
| [grpcio-tools](https://github.com/grpc/grpc) | `1.80.0` | `1.81.0` |
| [grpcio-status](https://grpc.io) | `1.80.0` | `1.81.0` |
| [grpcio-reflection](https://grpc.io) | `1.80.0` | `1.81.0` |
| [opentelemetry-api](https://github.com/open-telemetry/opentelemetry-python) | `1.41.1` | `1.42.1` |
| [opentelemetry-sdk](https://github.com/open-telemetry/opentelemetry-python) | `1.41.1` | `1.42.1` |
| [pyjwt](https://github.com/jpadilla/pyjwt) | `2.12.1` | `2.13.0` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) | `1.3.0` | `1.4.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.13` | `0.15.15` |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.47.0` | `0.48.0` |
| [ty](https://github.com/astral-sh/ty) | `0.0.37` | `0.0.42` |


Updates `starlette` from 1.0.0 to 1.2.1
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.0...1.2.1)

Updates `fastapi` from 0.136.1 to 0.136.3
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.1...0.136.3)

Updates `grpcio` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc/releases)
- [Commits](grpc/grpc@v1.80.0...v1.81.0)

Updates `grpcio-tools` from 1.80.0 to 1.81.0
- [Release notes](https://github.com/grpc/grpc/releases)
- [Commits](grpc/grpc@v1.80.0...v1.81.0)

Updates `grpcio-status` from 1.80.0 to 1.81.0

Updates `grpcio-reflection` from 1.80.0 to 1.81.0

Updates `opentelemetry-api` from 1.41.1 to 1.42.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-python@v1.41.1...v1.42.1)

Updates `opentelemetry-sdk` from 1.41.1 to 1.42.1
- [Release notes](https://github.com/open-telemetry/opentelemetry-python/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-python/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-python@v1.41.1...v1.42.1)

Updates `pyjwt` from 2.12.1 to 2.13.0
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.12.1...2.13.0)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

Updates `ruff` from 0.15.13 to 0.15.15
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.13...0.15.15)

Updates `uvicorn` from 0.47.0 to 0.48.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.47.0...0.48.0)

Updates `ty` from 0.0.37 to 0.0.42
- [Release notes](https://github.com/astral-sh/ty/releases)
- [Changelog](https://github.com/astral-sh/ty/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ty@0.0.37...0.0.42)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: fastapi
  dependency-version: 0.136.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: grpcio
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: grpcio-tools
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: grpcio-status
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: grpcio-reflection
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: opentelemetry-api
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: opentelemetry-sdk
  dependency-version: 1.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: pyjwt
  dependency-version: 2.13.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: ruff
  dependency-version: 0.15.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: uvicorn
  dependency-version: 0.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: ty
  dependency-version: 0.0.42
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
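
An application-side version of the key and algorithm checks described in the PyJWT 2.13.0 security notes above (GHSA-xgmm-8j9v-c9wx, GHSA-jq35-7prp-9v3f and the empty-secret fix), added here as an example; it is not PyJWT's code and not part of this pull request. The function names, KeyPolicyError, the marker list and the sample JWK are assumptions made for illustration.

```python
import json

# Prefixes of asymmetric key encodings (PEM blocks and OpenSSH public keys).
# The list is an assumption of this example, not PyJWT's own list.
ASYMMETRIC_MARKERS = (b"-----BEGIN ", b"ssh-rsa ", b"ssh-ed25519 ", b"ecdsa-sha2-")

# Constructed sample: a public JWK as it might be copied out of a JWKS document.
SAMPLE_JWK = '{"kty": "RSA", "kid": "k1", "n": "constructed-modulus", "e": "AQAB"}'


class KeyPolicyError(ValueError):
    """Raised when key material or a header alg violates the verifier's policy."""


def check_hmac_secret(secret):
    """Return the secret as bytes, or raise if it must not be used for HS* algorithms."""
    raw = secret.encode("utf-8") if isinstance(secret, str) else bytes(secret)
    if not raw:
        raise KeyPolicyError("empty HMAC secret")
    text = raw.strip()
    if text.startswith(ASYMMETRIC_MARKERS):
        raise KeyPolicyError("PEM/SSH key material used as HMAC secret")
    if text.startswith(b"{"):
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None  # not JSON after all: an ordinary secret that starts with '{'
        # "kty" marks a single JWK, "keys" a JWK Set; both are public documents.
        if isinstance(doc, dict) and ("kty" in doc or "keys" in doc):
            raise KeyPolicyError("JWK-shaped JSON used as HMAC secret")
    return raw


def load_hmac_secret(environ, name="JWT_SECRET"):
    """Read the secret without a "" default, so a missing variable fails loudly."""
    value = environ.get(name)
    if value is None:
        raise KeyPolicyError(f"{name} is not set")
    return check_hmac_secret(value)


def bind_algorithm(header_alg, allowed, key_alg):
    """Accept a token header alg only if it is allow-listed AND is the key's own algorithm."""
    if header_alg not in allowed:
        raise KeyPolicyError(f"header alg {header_alg!r} is not in the allow-list")
    if header_alg != key_alg:
        raise KeyPolicyError(
            f"header alg {header_alg!r} does not match key algorithm {key_alg!r}"
        )
    return header_alg


def violation(check, *args):
    """Run a check and return its error message, or None when the input passes."""
    try:
        check(*args)
    except KeyPolicyError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(violation(check_hmac_secret, SAMPLE_JWK))
    print(violation(load_hmac_secret, {"JWT_SECRET": ""}))
    print(violation(bind_algorithm, "HS256", ["HS256", "RS256"], "RS256"))
```

Running the same checks against a service's configuration before the upgrade shows whether the new InvalidKeyError and InvalidAlgorithmError behaviour in the upgrade notes will affect it.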
@dependabot dependabot Bot added dependencies python:uv Pull requests that update python:uv code labels Jun 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 1, 2026 22:20

github-actions Bot commented Jun 1, 2026

🧪 Code Coverage (vs main)

⬇️ Download Full Report

No coverage changes.

Generated by coverage-comment.yml
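
A simplified model of the two PyJWKClient fixes in the PyJWT 2.13.0 notes quoted in this pull request (GHSA-993g-76c3-p5m4 and GHSA-fhv5-28vv-h8m8), added as an example and not taken from PyJWT or this repository. JWKSCache, FlakyEndpoint, the evict_on_error switch and the idp.example URL are hypothetical, and the model assumes that a key-ID miss triggers a re-fetch.

```python
from urllib.parse import urlsplit


class JWKSFetchError(Exception):
    """Raised when the JWKS endpoint cannot be reached."""


def scheme_allowed(uri):
    """True only for http/https, the rule the notes describe for JWKS URIs."""
    return urlsplit(uri).scheme.lower() in ("http", "https")


def check_jwks_uri(uri):
    """Reject file://, ftp://, data: and scheme-less URIs before any fetch happens."""
    if not scheme_allowed(uri):
        raise ValueError(f"unsupported JWKS URI scheme in {uri!r}")
    return uri


class FlakyEndpoint:
    """Constructed stand-in for a JWKS endpoint so the example runs offline."""

    def __init__(self, jwk_set):
        self.jwk_set = jwk_set
        self.up = True

    def __call__(self, uri):
        if not self.up:
            raise JWKSFetchError(f"cannot reach {uri}")
        return self.jwk_set


class JWKSCache:
    """Minimal JWK Set cache; expiry is left out to keep the focus on error handling."""

    def __init__(self, uri, fetch, evict_on_error=False):
        self.uri = check_jwks_uri(uri)  # validated at construction time
        self._fetch = fetch
        self._evict_on_error = evict_on_error
        self._cached = None

    def refresh(self):
        if self._evict_on_error:
            # "Before" pattern: the cache write sits in a finally block, so a
            # failed fetch stores None and evicts keys that were still valid.
            jwk_set = None
            try:
                jwk_set = self._fetch(self.uri)
                return jwk_set
            finally:
                self._cached = jwk_set
        # "After" pattern: the cache is written only on the success path.
        jwk_set = self._fetch(self.uri)
        self._cached = jwk_set
        return jwk_set

    def key_for(self, kid):
        keys = self._cached if self._cached is not None else self.refresh()
        match = self._find(keys, kid)
        if match is None:
            # Unknown kid: re-fetch once in case the issuer rotated its keys.
            match = self._find(self.refresh(), kid)
        if match is None:
            raise KeyError(kid)
        return match

    @staticmethod
    def _find(jwk_set, kid):
        return next((k for k in jwk_set["keys"] if k.get("kid") == kid), None)


def known_key_survives_outage(evict_on_error):
    """Warm the cache, take the endpoint down, then look up the cached key again."""
    endpoint = FlakyEndpoint({"keys": [{"kid": "k1", "kty": "oct"}]})  # constructed
    cache = JWKSCache("https://idp.example/jwks.json", endpoint, evict_on_error)
    cache.key_for("k1")              # first lookup fills the cache
    endpoint.up = False              # transient outage begins
    try:
        cache.key_for("not-yet-cached")  # miss forces a re-fetch, which fails
    except JWKSFetchError:
        pass
    try:
        return cache.key_for("k1")["kid"] == "k1"
    except JWKSFetchError:
        return False


if __name__ == "__main__":
    print("finally-block eviction:", known_key_survives_outage(True))
    print("success-path write:   ", known_key_survives_outage(False))
    print("file:// allowed:      ", scheme_allowed("file:///tmp/jwks.json"))
```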
