chore(deps)(deps): bump the production-dependencies group across 1 directory with 5 updates

[dependabot]

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps the production-dependencies group with 5 updates in the / directory:

Package	From	To
graphql-core	3.2.3	3.2.8
openpyxl	3.1.2	3.1.5
xlrd	2.0.1	2.0.2
sqlalchemy	2.0.39	2.0.50
drf-yasg	1.21.7	1.21.15

Updates graphql-core from 3.2.3 to 3.2.8

Release notes

Sourced from graphql-core's releases.

v3.2.8

Patch-release GraphQL-core v3.2.8, based on GraphQL.js v16.9.0.

This patch-release supports Python 3.7 to 3.14.

One change has been backported from the v3.3 branch:

• Require non-empty directive locations

Also, for backward compatibility, introspection.TypeResolvers is available again, as alias for TypeFields.

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.7

Patch-release GraphQL-core v3.2.7, based on GraphQL.js v16.9.0.

This patch-release supports Python 3.7 to 3.14.

The following changes have been backported from the v3.3 branch:

• Keep extensions when sorting schemas
• Introduce "recommended" validation rules
• Implement OneOf Input Objects via @​oneOf directive
• Values can now be passed to GraphQLEnumType as a thunk
• Solved issues with pickled schemas

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.6

Patch-release GraphQL-core v3.2.6, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.13. Notable fixes:

• Transform input objects used as default values (#206)
• Allow deep copy of schema with directive with args of custom type (#210)

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.5

Patch-release GraphQL-core v3.2.5, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.13.

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.4

Patch-release GraphQL-core v3.2.4, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.12 and includes these changes:

... (truncated)

Commits

• a78b548 Bump version
• c026723 Update year of copyright
• a8c3348 Export TypeResolvers for backward compatibility
• b6fd7b2 Update dependencies
• 663d00d backport: Require non-empty directive locations
• 42328a6 backport: Solve issues with pickled schemas (#173)
• dd4d5a1 Bump JavaScript version
• ba6b6e4 backport: Enable passing values configuration to GraphQLEnumType as a thunk
• 6687245 backport: Add @​oneOf support to introspection query (#241)
• 18df18e backport: Implement OneOf Input Objects via @​oneOf directive
• Additional commits viewable in compare view

Updates openpyxl from 3.1.2 to 3.1.5

Updates xlrd from 2.0.1 to 2.0.2

Changelog

Sourced from xlrd's changelog.

2.0.2 (14 June 2025)

• Fix bug reading sheets containing invalid formulae.

Thanks to sanshi42 for the fix!

Commits

• 3a19d22 Prepare for 2.0.2 release
• f3521c8 Merge pull request #380 from sanshi42/master
• 99270dd Improve test coverage for invalid formula handling
• 18e314e bugfix: Fix an occasional compatibility issue when using Excel formulas
• 0c4e80b Update README.rst
• f45f630 emboldening breaks RTD rendering, and likely won't help :-(
• b37d159 embolden for the hard of thinking
• 58ccbb1 admit defeat
• See full diff in compare view

Updates sqlalchemy from 2.0.39 to 2.0.50

Release notes

Sourced from sqlalchemy's releases.

2.0.50

Released: May 24, 2026

orm

• [orm] [bug] Fixed issue where using _orm.joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.

  References: #13203

• [orm] [bug] Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.

  References: #13301

• [orm] [bug] Fixed issue where using _orm.with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to _orm.configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.

  References: #13319

sql

• [sql] [bug] Fixed issue where floor division (//) between a Float or Numeric numerator and an Integer denominator would omit the FLOOR() SQL wrapper on dialects where Dialect.div_is_floordiv is True (the default, including PostgreSQL and SQLite). FLOOR() is now applied if either the denominator or the numerator is a non-integer, so that expressions such as float_col // int_col render as FLOOR(float_col / int_col) instead of the incorrect float_col / int_col. Pull request courtesy r266-tech.

  References: #10528

postgresql

... (truncated)

Commits

• See full diff in compare view

Updates drf-yasg from 1.21.7 to 1.21.15

Release notes

Sourced from drf-yasg's releases.

1.21.15

IMPROVED: Use Python's native dict instead of OrderedDict (#954) FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (#921)

1.21.14

FIXED: Fix missing swagger-ui sourcemaps (#950)

1.21.12

FIXED: Bring the bundled swagger ui up to date (#944) IMPROVED: Update the logout button to use a POST request. (#945) ADDED: Add a live demo domain (#946) ADDED: Handle annotations that are not available at runtime (#941)

1.21.11

FIXED: Fix list views with parameters in last path segment not named "list" views (#917) ADDED: Allow overriding produces/consumes with @​swagger_auto_schema decorator (#916) FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (#926) IMPROVED: Update Python, Django, and DRF versions and packaging configuration (#922) IMPROVED: Remove usage of pkg_resources (#928) FIXED: Fix call_view_method warning to include the method name again (#923) ADDED: Add a hide download button option (#848) ADDED: Add ruff linters (#903)

1.21.10

FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (#840) IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (#911) FIXED: Fix lint errors when comparing types with == instead of is (#868) IMPROVED: Update swagger-ui-dist to address CVE-2021-46708 (#904)

1.21.9

ADDED: Added support for zoneinfo object fields (#908)

1.21.8

ADDED: Python 3.11 and 3.12 support (#891) FIXED: Fix pkg_resources version lookups for Python 3.9+ (#891)

Changelog

Sourced from drf-yasg's changelog.

######### Changelog #########

---

1.21.15

---

IMPROVED: Use Python's native dict instead of OrderedDict (:pr:954) FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (:pr:921)

---

1.21.14

---

---

1.21.13

---

FIXED: Fix missing swagger-ui sourcemaps (:pr:950)

---

1.21.12

---

FIXED: Bring the bundled swagger ui up to date (:pr:944) IMPROVED: Update the logout button to use a POST request. (:pr:945) ADDED: Add a live demo domain (:pr:946) ADDED: Handle annotations that are not available at runtime (:pr:941)

---

1.21.11

---

FIXED: Fix list views with parameters in last path segment not named "list" views (:pr:917) ADDED: Allow overriding produces/consumes with @​swagger_auto_schema decorator (:pr:916) FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (:pr:926) IMPROVED: Update Python, Django, and DRF versions and packaging configuration (:pr:922) IMPROVED: Remove usage of pkg_resources (:pr:928) FIXED: Fix call_view_method warning to include the method name again (:pr:923) ADDED: Add a hide download button option (:pr:848) ADDED: Add ruff linters (:pr:903)

---

1.21.10

---

FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (:pr:840) IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (:pr:911) FIXED: Fix lint errors when comparing types with == instead of is (:pr:868)

... (truncated)

Commits

• d40c97f Add version 1.21.15 details to the changelog (#956)
• 2e37afd Modernise and add .DS_Store to the .gitignore (#955)
• 76a138a Use Python's native dict instead of OrderedDict (#954)
• b55ba0f fix Python 3.12 type parameter syntax with ``from future import annotatio...
• 7dceb27 Add version 1.21.14 details to the changelog (#952)
• 763cdd6 Add version 1.21.13 details to the changelog (#951)
• a0559fc Add missing swagger-ui sourcemaps (#950)
• 2bf74d0 Add version 1.21.12 details to the changelog (#948)
• b421e89 swagger ui fix (#944)
• 40fee2b Add live demo domain and environment variables (#946)
• Additional commits viewable in compare view

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!