chore(deps): bump the all-dependencies group in /backend with 3 updates

[dependabot]

Updates the requirements on fastapi[standard], sqlalchemy and uv-build to permit the latest version.
Updates fastapi[standard] to 0.136.3

Release notes

Sourced from fastapi[standard]'s releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.49 to 2.0.50

Release notes

Sourced from sqlalchemy's releases.

2.0.50

Released: May 24, 2026

orm

• [orm] [bug] Fixed issue where using _orm.joinedload() with PropComparator.of_type() targeting a joined-table subclass combined with PropComparator.and_() referencing a column on that subclass would generate invalid SQL, where the subclass column was not adapted to the subquery alias. Pull request courtesy Joaquin Hui Gomez.

  References: #13203

• [orm] [bug] Fixed issue where the presence of a SessionEvents.do_orm_execute() event hook would cause internal execution options such as yield_per and loader-specific state from the first orm_pre_session_exec pass to leak into the second pass, leading to errors when using relationship loaders such as selectinload() and immediateload(). The execution options passed to the second compilation pass are now based on the original options plus only the explicit updates made via ORMExecuteState.update_execution_options() within the event hook.

  References: #13301

• [orm] [bug] Fixed issue where using _orm.with_polymorphic() on a leaf class (a subclass with no further descendants) or a non-inherited class would fail with an AttributeError when used in an ORM statement, due to _orm.configure_mappers() not being triggered implicitly. The fix ensures that AliasedInsp participates in the _post_inspect hook, triggering mapper configuration during ORM statement compilation.

  References: #13319

sql

• [sql] [bug] Fixed issue where floor division (//) between a Float or Numeric numerator and an Integer denominator would omit the FLOOR() SQL wrapper on dialects where Dialect.div_is_floordiv is True (the default, including PostgreSQL and SQLite). FLOOR() is now applied if either the denominator or the numerator is a non-integer, so that expressions such as float_col // int_col render as FLOOR(float_col / int_col) instead of the incorrect float_col / int_col. Pull request courtesy r266-tech.

  References: #10528

postgresql

... (truncated)

Commits

• See full diff in compare view

Updates uv-build to 0.11.16

Release notes

Sourced from uv-build's releases.

0.11.16

Release Notes

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#10072)
• Adjust hint rendering (#18090)

Preview features

• uv audit: specialize malformed OSV error (#19515)
• Reject locked malware installations (#18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#19476)

Bug fixes

• Allow environment variables that take a list to be empty (#19503)
• Ensure that incompatible wheel hints do not leak secrets (#19504)
• Reject unsafe entry points in uv-build (#19495)
• Restrict delimiters in entry point parsing (#19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#19475)

Install uv 0.11.16

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.16/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.16/uv-installer.ps1 | iex"

Download uv 0.11.16

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum

... (truncated)

Changelog

Sourced from uv-build's changelog.

0.11.16

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#10072)
• Adjust hint rendering (#18090)

Preview features

• uv audit: specialize malformed OSV error (#19515)
• Reject locked malware installations (#18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#19476)

Bug fixes

• Allow environment variables that take a list to be empty (#19503)
• Ensure that incompatible wheel hints do not leak secrets (#19504)
• Reject unsafe entry points in uv-build (#19495)
• Restrict delimiters in entry point parsing (#19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#19475)

0.11.15

Released on 2026-05-18.

Security

• Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm (#19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#18741)
• Add support for Azure request signing (#19421)
• Apply stricter validation to all wheel filename segments (#19364)
• Reject empty strings as an invalid package name (#19435)
• Use structured errors for signing authentication failures (#19422)

Preview

• uv audit: Add JSON output (#19305)

... (truncated)

Commits

• 135a363 Bump version to 0.11.16 (#19522)
• 3b5f994 Add a uv lock check to CI (#19524)
• 4ffb506 Improve crates.io new crate error message (#19523)
• 51ba989 Add support for direct archive dependencies in Git (#10072)
• c07a6ef Reject locked malware installations (#18936)
• 58a6734 Allow environment variables that take a list to be empty (#19503)
• c1477e2 Use UV_NO_SYSTEM_CONFIG in tests to avoid reading machine-global config (#1...
• 4648a0b uv audit: specialize malformed OSV error (#19515)
• e2375ab Test create_junction changes from #19402 (#19487)
• 547bf2f Avoid unwrapping from OnceMap (#19510)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions