
Bump the python-dependencies group with 7 updates #73

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/python-dependencies-c0f14c67d1

dependabot[bot] commented on behalf of github on May 2, 2026

Bumps the python-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| pydantic | 2.12.5 | 2.13.3 |
| fastapi | 0.135.3 | 0.136.1 |
| zensical | 0.0.32 | 0.0.36 |
| uvicorn | 0.44.0 | 0.46.0 |
| ruff | 0.15.9 | 0.15.12 |
| mypy | 1.20.0 | 1.20.2 |
| pyinstaller | 6.19.0 | 6.20.0 |

Updates pydantic from 2.12.5 to 2.13.3

Release notes

Sourced from pydantic's releases.

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes since 2.12.

Packaging

  • Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
  • Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes since 2.12.

New Features

  • Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

... (truncated)

Commits
  • 9e9a111 Fix backported test
  • 1ec8c6a Prepare release v2.13.3
  • fb4f204 Handle AttributeError subclasses with from_attributes
  • ca3ddd1 Prepare release v2.13.2
  • 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
  • d45d8be Prepare release 2.13.1
  • 54aca60 Fix ValidationInfo.data missing with model_validate_json()
  • 46bf4fa Fix Pydantic release workflow (#13067)
  • 1b359ed Prepare release v2.13.0 (#13065)
  • b1bf194 Fix model equality when using runtime extra configuration (#13062)
  • Additional commits viewable in compare view

Updates fastapi from 0.135.3 to 0.136.1

Release notes

Sourced from fastapi's releases.

0.136.1

Upgrades

Internal

0.136.0

Upgrades

0.135.4

Refactors

Internal

Commits

Updates zensical from 0.0.32 to 0.0.36

Release notes

Sourced from zensical's releases.

0.0.36

Summary

This version adds the missing update of the user interface that should've been included with v0.0.35.

Changelog

Bug fixes

  • d4d88f8 ui – update ui to v0.0.15

0.0.35

[!WARNING]

Please update to v0.0.36 – this version is missing some changes to the user interface for the new features.

Summary

This version adds native support for GLightbox, a JavaScript lightbox library to add zoom and gallery features to images. Images can be automatically annotated with the new glightbox Markdown extension. Add the following to zensical.toml:

[project.markdown_extensions.zensical.extensions.glightbox]

[!NOTE]

In order to integrate with configuration in mkdocs.yml, where GLightbox is implemented as a plugin, a compatibility shim is included, so no re-configuration is necessary if you're already using the plugin. Note that our extension is more efficient and faster than the plugin, as it does not re-parse the entire HTML of each page, but instead uses Python Markdown's native extension API.

HTML in the table of contents

Additionally, section titles in the table of contents will now render with HTML markup, so you can use emojis and other inline features in section titles and have them render correctly in the table of contents. In Material for MkDocs, this functionality was implemented with the typeset plugin. Zensical now supports this natively.

Relative links in raw HTML

Relative links in raw HTML are now correctly resolved. Initially, we carried over the link processing and resolution logic from MkDocs, which does not support relative links in raw HTML to this day. We implemented a Python Markdown postprocessor, to ensure that relative links in raw HTML are handled as well.

Changelog

Features

  • 5519730 zensical, compat – render section title with markup in table of contents
  • db8518d compat – add plugin compatibility shim for glightbox
  • 057da7c compat – add support for image galleries using glightbox (#290)

Bug fixes

... (truncated)

Commits
  • 5081de2 chore: release v0.0.36 (#576)
  • d4d88f8 fix: update ui to v0.0.15
  • ca9743a chore: release v0.0.35
  • 676bfe2 chore: fix mypy linter error
  • 64f3f33 fix: relative links in raw HTML not correctly resolved (#258)
  • 87abb2a fix: remove img attributes moved to parent in GLightboxExtension
  • 5795fc8 Merge pull request #569 from zensical/fix/lightbox-extension
  • f7531af fix: images in raw HTML are double-processed by GLightboxExtension
  • 1d8dc83 fix: ensure None attributes are not added by GlightboxExtension
  • 7c977a8 refactor: move GLightbox extension to regular Postprocessor
  • Additional commits viewable in compare view

Updates uvicorn from 0.44.0 to 0.46.0

Release notes

Sourced from uvicorn's releases.

Version 0.46.0

What's Changed

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

Version 0.45.0

What's Changed

New Contributors

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

Changelog

Sourced from uvicorn's changelog.

0.46.0 (April 23, 2026)

Added

  • Support ws_max_size in wsproto implementation (#2915)
  • Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

  • Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

  • Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • Accept os.PathLike for log_config (#2905)
  • Accept log_level strings case-insensitively (#2907)

Changed

  • Revert "Emit http.disconnect on server shutdown for streaming responses" (#2913)
  • Revert "Explicitly start ASGI run with empty context" (#2911)

Fixed

  • Preserve forwarded client ports in proxy headers middleware (#2903)
  • Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)

Commits
  • b224045 Version 0.46.0 (#2918)
  • 7375b5b Use bytearray for incoming WebSocket message buffer in websockets-sansio (#...
  • d438fb1 Support ws_ping_interval and ws_ping_timeout in wsproto implementation ...
  • 3e6b964 Support ws_max_size in wsproto implementation (#2915)
  • 2c423bd Version 0.45.0 (#2914)
  • 7f027f8 Revert "Emit http.disconnect on server shutdown for streaming responses" (#...
  • 73a80c3 Add --reset-contextvars flag to isolate ASGI request context (#2912)
  • 45c0b56 Revert empty context for ASGI runs (#2911)
  • 850d926 Raise helpful ImportError when PyYAML is missing for YAML log config (#2906)
  • fdcacb4 Accept log_level strings case-insensitively (#2907)
  • Additional commits viewable in compare view

Updates ruff from 0.15.9 to 0.15.12

Release notes

Sourced from ruff's releases.

0.15.12

Release Notes

Released on 2026-04-24.

Preview features

  • Implement #ruff:file-ignore file-level suppressions (#23599)
  • Implement #ruff:ignore logical-line suppressions (#23404)
  • Revert preview changes to displayed diagnostic severity in LSP (#24789)
  • [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
  • [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
  • [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

  • [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

  • Respect default Unix permissions for cache files (#24794)

Documentation

  • [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
  • [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
  • Improve rules table accessibility (#24711)

Contributors

Install ruff 0.15.12

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.12/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.12

Released on 2026-04-24.

Preview features

  • Implement #ruff:file-ignore file-level suppressions (#23599)
  • Implement #ruff:ignore logical-line suppressions (#23404)
  • Revert preview changes to displayed diagnostic severity in LSP (#24789)
  • [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
  • [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
  • [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

  • [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

  • Respect default Unix permissions for cache files (#24794)

Documentation

  • [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
  • [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
  • Improve rules table accessibility (#24711)

Contributors

0.15.11

Released on 2026-04-16.

Preview features

  • [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
  • [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
  • [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

... (truncated)

Commits
  • 66f93cf Bump 0.15.12 (#24815)
  • 476a4d0 [ty] Complete support for more detailed diagnostics on possibly unbound error...
  • ed669ea Implement #ruff:file-ignore file-level suppressions (#23599)
  • e73d952 [ty] Include inferred type in invalid-key concise diagnostic for union/inte...
  • 80feb29 [ty] report only dead annotation-only locals as unused (#24811)
  • 0fbf2bc Drop deprecated license classifier (#24808)
  • 43b174c [ty] Infer lambda parameter types with Callable type context (#24317)
  • 4f449ae [ty] Add error context for intersection types (#24772)
  • 5b4e753 [ty] Add support for goto in literal enum member inlay hint (#24792)
  • e7cc762 [ty] Add error context for TypedDict assignments (#24790)
  • Additional commits viewable in compare view

Updates mypy from 1.20.0 to 1.20.2

Changelog

Sourced from mypy's changelog.

Mypy 1.20.2

  • Use WAL with SQLite cache and fix close (Shantanu, PR 21154)
  • Adjust SQLite journal mode (Ivan Levkivskyi, PR 21217)
  • Correctly aggregate narrowing information on parent expressions (Shantanu, PR 21206)
  • Fix regression related to generic callables (Shantanu, PR 21208)
  • Fix regression by avoiding widening types in some contexts (Shantanu, PR 21242)
  • Fix slicing in non-strict optional mode (Shantanu, PR 21282)
  • mypyc: Fix match statement semantics for "or" pattern (Shantanu, PR 21156)
  • mypyc: Fix issue with module dunder attributes (Piotr Sawicki, PR 21275)
  • Initial support for Python 3.15.0a8 (Marc Mueller, PR 21255)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • A5rocks
  • Aaron Wieczorek
  • Adam Turner
  • Ali Hamdan
  • asce
  • BobTheBuidler
  • Brent Westbrook
  • Brian Schubert
  • bzoracler
  • Chris Burroughs
  • Christoph Tyralla
  • Colin Watson
  • Donghoon Nam
  • E. M. Bray
  • Emma Smith
  • Ethan Sarp
  • George Ogden
  • getzze
  • grayjk
  • Gregor Riepl
  • Ivan Levkivskyi
  • James Hilliard
  • James Le Cuirot
  • Jeremy Nimmer
  • Joren Hammudoglu
  • Kai (Kazuya Ito)
  • kaushal trivedi
  • Kevin Kannammalil
  • Lukas Geiger
  • Łukasz Langa
  • Marc Mueller
  • Michael R. Crusoe
  • michaelm-openai
  • Neil Schemenauer
  • Piotr Sawicki

... (truncated)

Commits

Updates pyinstaller from 6.19.0 to 6.20.0

Release notes

Sourced from pyinstaller's releases.

v6.20.0

Please see the v6.20.0 section of the changelog for a list of the changes since v6.19.0.

Changelog

Sourced from pyinstaller's changelog.

6.20.0 (2026-04-22)

Bugfix


* (Linux) Fix binary dependency analysis in Termux environment; previously,
  no binary dependencies would be reported due to mismatched ``ldd`` output
  pattern. (:issue:`9402`)
* (Linux) Fix compatibility issues with Termux python 3.13, caused by
  platform being now reported as "android" instead of "linux" (PEP 738).
  (:issue:`9398`)
* (macOS) Fix built-time error when trying to create an .app bundle with
  data collected from a directory that contains symlinked elements.
  (:issue:`9375`)
* Fix the ``forkserver`` spawn mode of ``multiprocessing`` under python
  3.13.13, 3.14.4, and the upcoming 3.15. (:issue:`9423`)
* Remove warning about non-existing ``tclX`` module directory; in some Tcl
  distributions (e.g., Debian-packaged Tcl), this directory is located
  under the main library/data directory, and therefore the stand-alone
  directory neither exists nor needs to be explicitly collected.
  (:issue:`9401`)

Hooks


* Prevent the run-time hook for ``gi.repository.GLib`` from overriding
  the implicit default value of the ``XDG_DATA_DIRS`` environment
  variable (i.e., ``/usr/local/share/:/usr/share/``) when adding the
  frozen application's top-level directory to the list of data directories.
  (:issue:`9422`)
* Update ``gi.repository.Gio`` hook to collect corresponding platform-specific
  typelib (``GioWin32`` or ``GioUnix``), and add hooks for these modules.
  This aims to prevent potential run-time errors, either because the typelib
  is missing, or because it was opportunistically loaded from the run-time
  system and happens to be of incompatible version. (:issue:`9410`)
* Update ``gi.repository.GLib`` hook to collect corresponding platform-specific
  typelib (``GLibWin32`` or ``GLibUnix``), and add hooks for these modules.
  This aims to prevent potential run-time errors, either because the typelib
  is missing, or because it was opportunistically loaded from the run-time
  system and happens to be of incompatible version. (:issue:`9410`)

Bootloader


* (Windows) Add new option to the ``waf`` build script, ``--no-cfg``,
  that allows bootloader to be built without Control Flow Guard (CFG)
  enabled. Applicable only when building with MSVC toolchain. (:issue:`9352`)

... (truncated)

Commits
  • 8a61727 Release v6.20.0. [skip ci]
  • 151ff76 Tests: Requirements: Scheduled weekly dependency update for week 16 (#9431)
  • 4d28a52 Tests: Requirements: Scheduled weekly dependency update for week 15 (#9429)
  • 881ee26 tests: test_path_encodings: ensure that custom tmp dir exists
  • b42c942 tests: test_bundled_shell_script: fix for Termux without /usr symlink
  • afc1b27 ci: termux: use primary mirror and perform initial package upgrade
  • 1c29fab Fix multiprocessing with forkserver in python 3.13.13 and 3.14.4
  • 3eab93a ci: have setup-python check for latest version of python
  • 929b186 rthook: do not overwrite XDG_DATA_DIRS fallback value (#9422)
  • 722dbd1 Tests: Requirements: Scheduled weekly dependency update for week 14 (#9419)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-dependencies group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [pydantic](https://github.com/pydantic/pydantic) | `2.12.5` | `2.13.3` |
| [fastapi](https://github.com/fastapi/fastapi) | `0.135.3` | `0.136.1` |
| [zensical](https://github.com/zensical/zensical) | `0.0.32` | `0.0.36` |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.44.0` | `0.46.0` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.9` | `0.15.12` |
| [mypy](https://github.com/python/mypy) | `1.20.0` | `1.20.2` |
| [pyinstaller](https://github.com/pyinstaller/pyinstaller) | `6.19.0` | `6.20.0` |


Updates `pydantic` from 2.12.5 to 2.13.3
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v2.12.5...v2.13.3)

Updates `fastapi` from 0.135.3 to 0.136.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.135.3...0.136.1)

Updates `zensical` from 0.0.32 to 0.0.36
- [Release notes](https://github.com/zensical/zensical/releases)
- [Commits](zensical/zensical@v0.0.32...v0.0.36)

Updates `uvicorn` from 0.44.0 to 0.46.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](Kludex/uvicorn@0.44.0...0.46.0)

Updates `ruff` from 0.15.9 to 0.15.12
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.9...0.15.12)

Updates `mypy` from 1.20.0 to 1.20.2
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.20.0...v1.20.2)

Updates `pyinstaller` from 6.19.0 to 6.20.0
- [Release notes](https://github.com/pyinstaller/pyinstaller/releases)
- [Changelog](https://github.com/pyinstaller/pyinstaller/blob/develop/doc/CHANGES.rst)
- [Commits](pyinstaller/pyinstaller@v6.19.0...v6.20.0)

---
updated-dependencies:
- dependency-name: pydantic
  dependency-version: 2.13.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: fastapi
  dependency-version: 0.136.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: zensical
  dependency-version: 0.0.36
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: uvicorn
  dependency-version: 0.46.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: ruff
  dependency-version: 0.15.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: mypy
  dependency-version: 1.20.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: pyinstaller
  dependency-version: 6.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on May 2, 2026
dependabot[bot] requested a review from angela-tarantula as a code owner on May 2, 2026 00:30
dependabot[bot] had a problem deploying to codecov-automation on May 2, 2026 00:30 (Failure)
dependabot[bot] deployed to dependabot-automation on May 2, 2026 00:30 (Active)
dependabot[bot] had a problem deploying to codecov-automation on May 2, 2026 00:30 (Failure)
dependabot[bot] had a problem deploying to codecov-automation on May 2, 2026 00:30 (Failure)

github-actions[bot] commented on May 2, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

uv.lock

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| pydantic | 2.13.3 | Null | Unknown License |

Allowed Licenses: Apache-2.0, ISC, MIT, MIT-0, BSD-2-Clause, BSD-3-Clause, MPL-2.0, 0BSD, Python-2.0, Python-2.0.1, CNRI-Python, GPL-1.0-or-later, GPL-2.0-or-later
Excluded from license check: pkg:pypi/click@8.3.2, pkg:pypi/fastapi@0.135.3, pkg:pypi/griffelib@2.0.2, pkg:pypi/iregexp-check@0.1.4, pkg:pypi/jsonpointer@3.1.1, pkg:pypi/mkdocs-autorefs@1.4.4, pkg:pypi/mkdocs-get-deps@0.2.2, pkg:pypi/mkdocstrings@1.0.3, pkg:pypi/mkdocstrings-python@2.0.3, pkg:pypi/mypy@1.20.0, pkg:pypi/pymdown-extensions@10.21.2, pkg:pypi/pytest@9.0.3, pkg:pypi/pytest-cov@7.1.0, pkg:pypi/python-dateutil@2.9.0.post0, pkg:pypi/ruff@0.15.9, pkg:pypi/starlette@1.0.0, pkg:pypi/uvicorn@0.44.0, pkg:pypi/pyinstaller@6.19.0, pkg:pypi/python-jsonpath@2.0.2, pkg:pypi/pyinstaller-hooks-contrib@2026.4, pkg:pypi/regex@2026.4.4, pkg:pypi/uv@0.10.12

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/fastapi | 0.136.1 | Unknown | Unknown |
| pip/mypy | 1.20.2 | Unknown | Unknown |
| pip/pydantic | 2.13.3 | Unknown | Unknown |
| pip/pydantic-core | 2.46.3 | 🟢 6.6 | Details |
| pip/pyinstaller | 6.20.0 | Unknown | Unknown |
| pip/ruff | 0.15.12 | Unknown | Unknown |
| pip/tomli | 2.4.1 | Unknown | Unknown |
| pip/uvicorn | 0.46.0 | Unknown | Unknown |
| pip/zensical | 0.0.36 | Unknown | Unknown |

Details for pip/pydantic-core 2.46.3

| Check | Score | Reason |
| --- | --- | --- |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 9 | Found 22/24 approved changesets -- score normalized to 9 |
| Maintained | 🟢 10 | 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8 |
| Fuzzing | 🟢 10 | project is fuzzed |
| Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases. |
| Branch-Protection | 🟢 4 | branch protection is not maximal on development and all release branches |
| Security-Policy | 🟢 10 | security policy file detected |
| Packaging | 🟢 10 | packaging workflow detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • uv.lock
