chore(deps): update machine-learning

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
fastapi (changelog)	0.136.0 → 0.136.1			project.dependencies	patch
huggingface-hub	1.13.0 → 1.14.0			project.dependencies	minor
mypy (changelog)	1.20.1 → 1.20.2			dependency-groups	patch
onnxruntime	1.24.4 → 1.25.1			project.optional-dependencies	minor	1.26.0
onnxruntime-gpu	1.24.4 → 1.25.1			project.optional-dependencies	minor	1.26.0
onnxruntime-migraphx	1.24.2 → 1.25.0			project.optional-dependencies	minor
orjson (changelog)	3.11.8 → 3.11.9			project.dependencies	patch
pydantic (changelog)	2.12.5 → 2.13.4			project.dependencies	minor
pydantic-settings (changelog)	2.13.1 → 2.14.0			project.dependencies	minor	2.14.1
python	d168b8d → d49c1ff			stage	digest
python	9c6f908 → cd67330			stage	digest
python	970c99f → 99f4240			stage	digest
ruff (source, changelog)	0.15.10 → 0.15.12			dependency-groups	patch
tokenizers	0.22.2 → 0.23.1			project.dependencies	minor
types-requests (changelog)	2.33.0.20260408 → 2.33.0.20260503			dependency-groups	patch	2.33.0.20260508
uvicorn (changelog)	0.44.0 → 0.46.0			project.dependencies	minor

---

Release Notes

fastapi/fastapi (fastapi)

v0.136.1

Compare Source

Upgrades

• ⬆️ Update Pydantic v2 code to address deprecations. PR #​15101 by @​svlandeg.

Internal

• 🔨 Tweak translation script. PR #​15174 by @​YuriiMotov.
• ⬆ Bump mkdocs-material from 9.7.1 to 9.7.6. PR #​15408 by @​dependabot[bot].
• ⬆ Bump inline-snapshot from 0.31.1 to 0.32.6. PR #​15409 by @​dependabot[bot].
• ⬆ Bump pytest-codspeed from 4.3.0 to 4.4.0. PR #​15407 by @​dependabot[bot].
• ⬆ Bump pytest-cov from 7.0.0 to 7.1.0. PR #​15406 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.14.1 to 3.15.0. PR #​15405 by @​dependabot[bot].
• ⬆ Bump mypy from 1.19.1 to 1.20.1. PR #​15410 by @​dependabot[bot].
• ⬆ Bump python-dotenv from 1.2.1 to 1.2.2. PR #​15400 by @​dependabot[bot].
• ⬆ Bump starlette from 0.52.1 to 1.0.0. PR #​15397 by @​dependabot[bot].
• ⬆ Bump pygithub from 2.8.1 to 2.9.1. PR #​15396 by @​dependabot[bot].
• ⬆ Bump pyjwt from 2.12.0 to 2.12.1. PR #​15393 by @​dependabot[bot].
• ⬆ Bump zizmor from 1.23.1 to 1.24.1. PR #​15394 by @​dependabot[bot].
• ⬆ Bump strawberry-graphql from 0.312.3 to 0.314.3. PR #​15395 by @​dependabot[bot].
• ⬆ Bump python-multipart from 0.0.22 to 0.0.26. PR #​15360 by @​dependabot[bot].
• ⬆ Bump authlib from 1.6.9 to 1.6.11. PR #​15373 by @​dependabot[bot].
• ⬆ Bump aiohttp from 3.13.3 to 3.13.4. PR #​15282 by @​dependabot[bot].
• ⬆ Bump pygments from 2.19.2 to 2.20.0. PR #​15263 by @​dependabot[bot].
• ⬆ Bump pymdown-extensions from 10.20.1 to 10.21.2. PR #​15391 by @​YuriiMotov.
• ⬆ Bump pillow from 12.1.1 to 12.2.0. PR #​15333 by @​dependabot[bot].
• ⬆ Bump pytest from 9.0.2 to 9.0.3. PR #​15334 by @​dependabot[bot].
• ⬆ Bump actions/upload-artifact from 7.0.0 to 7.0.1. PR #​15374 by @​dependabot[bot].
• ⬆ Bump actions/cache from 5.0.4 to 5.0.5. PR #​15385 by @​dependabot[bot].
• 🔧 Update sponsors: remove Zuplo. PR #​15369 by @​tiangolo.
• 🔧 Update sponsors: remove Speakeasy. PR #​15368 by @​tiangolo.
• 🔒️ Add zizmor and fix audit findings. PR #​15316 by @​YuriiMotov.

huggingface/huggingface_hub (huggingface-hub)

v1.14.0: [v1.14.0] Handle Spaces secrets & variables from CLI and other improvements

Compare Source

🖥️ Manage Space secrets and variables from the CLI

You can now manage Space secrets and environment variables directly from the command line with two new hf spaces subgroups: secrets and variables. Use hf spaces secrets to add, list, and delete write-only secrets, and hf spaces variables to add, list, and delete readable environment variables. Both add commands support multiple -s/-e flags and --secrets-file/-env-file for loading from dotenv files. On the Python side, HfApi.get_space_secrets() returns secret metadata (key, description, updated timestamp) without ever revealing values.

# List secrets (values are write-only — only keys and timestamps are shown)
$ hf spaces secrets ls username/my-space

# Add secrets
$ hf spaces secrets add username/my-space -s OPENAI_API_KEY=sk-...
$ hf spaces secrets add username/my-space --secrets-file .env.secrets

# Delete a secret (confirmation prompt, use --yes to skip)
$ hf spaces secrets delete username/my-space OPENAI_API_KEY --yes

# List, add, and delete variables (values are readable)
$ hf spaces variables ls username/my-space
$ hf spaces variables add username/my-space -e MODEL_ID=gpt2 -e MAX_TOKENS=512
$ hf spaces variables delete username/my-space MAX_TOKENS --yes

• [CLI] Add hf spaces secrets and variables subgroups by @​davanstrien in #​4170
• [CLI] Add get_space_secrets + hf spaces secrets ls by @​Wauplin in #​4182

📚 Documentation: CLI guide · Manage your Space

🪣 Rsync-style trailing slash for bucket folder copies

hf buckets cp now supports rsync-style trailing slash semantics when copying folders. A trailing / on the source path copies only the folder's contents to the destination, while omitting it nests the folder itself — matching the behavior you'd expect from rsync. This makes it possible to flatten directory structures during copies, which was not possible before. Additionally, copy_files now raises an explicit EntryNotFoundError when the source path resolves to no files, instead of silently succeeding with zero operations.

# Without trailing slash: "logs" dir is nested => dst/logs/...
$ hf buckets cp hf://buckets/username/src-bucket/logs hf://buckets/username/dst/

# With trailing slash: only contents of "logs" are copied => dst/...
$ hf buckets cp hf://buckets/username/src-bucket/logs/ hf://buckets/username/dst/

• [Buckets] Support rsync-style trailing slash in copy_files by @​Wauplin in #​4187
• [CLI] Raise error when copy_files source doesn't exist by @​Wauplin in #​4186

📚 Documentation: Buckets guide · CLI guide

💔 Breaking Change

• [CLI] Rename hf skills upgrade -> hf skills update by @​hanouticelina in #​4176 — hf skills upgrade no longer exists; use hf skills update instead.
• [CLI] Add out.status() by @​hanouticelina in #​4171 — status updates (spinners/progress) on hf extensions install and hf spaces dev-mode are now suppressed when using --format json, --quiet, or --format agent.

🖥️ CLI

• [CLI] Add hints and example to hf datasets leaderboard by @​Wauplin in #​4174
• [CLI] Shortcut hf update when already on latest version by @​julien-c in #​4177
• [CLI] Remove progress bars on skills update by @​Wauplin in #​4179
• [CLI] Increase default --limit from 10 to 30 for list commands by @​Wauplin in #​4181
• [CLI] Support hf -v to print version by @​Wauplin in #​4185
• [CLI] migrate hf skills to bucket by @​hanouticelina in #​4175

🐛 Bug and typo fixes

• Update typer dependency version in setup.py by @​tomaarsen in #​4193

🏗️ Internal

• Post-release: bump version to 1.14.0.dev0 by @​huggingface-hub-bot[bot] in #​4172
• [Release] Move social drafts to minor-release and archive release notes to bucket by @​Wauplin in #​4173
• Update unit test warnings check to ignore unrelated deprecation warnings by @​seanses in #​4188
• [internal] Untrack useless files by @​Wauplin in #​4191

python/mypy (mypy)

v1.20.2

Compare Source

ijl/orjson (orjson)

v3.11.9

Compare Source

Changed

• Build now depends on Rust 1.95 or later instead of 1.89.

Fixed

• Fix building on Rust 1.95.

pydantic/pydantic (pydantic)

v2.13.4: 2026-05-06

Compare Source

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #​13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #​13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #​13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3

Compare Source

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #​13096

v2.13.2

Compare Source

v2.13.1: 2026-04-15

Compare Source

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #​13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0

Compare Source

GitHub release

The highlights of the v2.13 release are available in the blog post.
Several minor changes (considered non-breaking changes according to our versioning policy)
are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes sinces 2.12.

New Features

• Allow default factories of private attributes to take validated model data by @​Viicos in #​13013

Changes

• Warn when serializing fixed length tuples with too few items by @​arvindsaripalli in #​13016

Fixes

• Change type of Any when synthesizing _build_sources for BaseSettings.__init__() signature in the mypy plugin by @​Viicos in #​13049
• Fix model equality when using runtime extra configuration by @​Viicos in #​13062

Packaging

• Add zizmor for GitHub Actions workflow linting by @​Viicos in #​13039
• Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #​13064

New Contributors

• @​arvindsaripalli made their first contribution in #​13016

pydantic/pydantic-settings (pydantic-settings)

v2.14.0

Compare Source

What's Changed

• Fix parsing env vars into Optional Strict types by @​hramezani in #​792
• Fix RecursionError with mutually recursive models in CLI by @​hramezani in #​794
• Fix env_file from model_config ignored in CliApp.run() (#​795) by @​hramezani in #​796
• Update dependencies by @​hramezani in #​798
• Add Dependabot configuration by @​hramezani in #​801
• Bump samuelcolvin/check-python-version from 4.1 to 5 by @​dependabot[bot] in #​802
• Bump actions/upload-artifact from 4 to 7 by @​dependabot[bot] in #​803
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​804
• Bump astral-sh/setup-uv from 5 to 7 by @​dependabot[bot] in #​805
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​806
• Ignore chardet and group GitHub Actions in Dependabot by @​hramezani in #​808
• Bump actions/download-artifact from 4 to 8 in the github-actions group by @​dependabot[bot] in #​809
• Bump the python-packages group with 2 updates by @​dependabot[bot] in #​810
• Support reading .env files from FIFOs (e.g. 1Password Environments) by @​JacobHayes in #​776
• Fix AliasChoices ignored when changing provider priority by @​hramezani in #​813
• fix: resolve KeyError in run_subcommand for underscore field names by @​bradykieffer in #​799
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​814
• Fix Literal[numeric Enum] coercion for CLI and env vars by @​m9810223 in #​811
• Fix nested discriminated unions not discovered by env/CLI providers by @​hramezani in #​816
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​820
• CLI ensure env nested max split internally. by @​kschwab in #​821
• Bump the python-packages group with 4 updates by @​dependabot[bot] in #​824
• Migrate boto3-stubs to types-boto3 by @​hramezani in #​831
• Fix CLI not recognizing field name with validate_by_name and AliasChoices by @​hramezani in #​826
• Allow customisation of the dotevn setting source to filter variables by @​CaselIT in #​832
• Bump the python-packages group with 3 updates by @​dependabot[bot] in #​833
• Introduce yamlfmt by @​Viicos in #​836
• Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by @​dependabot[bot] in #​837
• Introduce zizmor by @​Viicos in #​838
• Fix CliPositionalArg[list[CustomType]] crash for custom types by @​hramezani in #​839
• Add note about Mypy plugin for BaseSettings.__init__() by @​Viicos in #​842
• Fix cli_ignore_unknown_args=True not working on subcommands by @​hramezani in #​844
• Bump the python-packages group with 4 updates by @​dependabot[bot] in #​847
• Fix CLI descriptions lost under python -OO by falling back to json_schema_extra by @​hramezani in #​843
• Prepare release 2.14.0 by @​hramezani in #​848

New Contributors

• @​dependabot[bot] made their first contribution in #​802
• @​JacobHayes made their first contribution in #​776
• @​bradykieffer made their first contribution in #​799
• @​CaselIT made their first contribution in #​832

Full Changelog: pydantic/pydantic-settings@v2.13.1...v2.14.0

astral-sh/ruff (ruff)

v0.15.12

Compare Source

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#​23599)
• Implement #ruff:ignore logical-line suppressions (#​23404)
• Revert preview changes to displayed diagnostic severity in LSP (#​24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#​23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#​24440)
• [pylint] Fix PLC2701 for type parameter scopes (#​24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#​24805)

CLI

• Respect default Unix permissions for cache files (#​24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#​24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#​24153)
• Improve rules table accessibility (#​24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

v0.15.11

Compare Source

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#​24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#​23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#​24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#​24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#​24666)
• Update Neovim config examples to use vim.lsp.config (#​24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

huggingface/tokenizers (tokenizers)

v0.23.1

Compare Source

TL;DR

tokenizers 0.23.1 is the first proper stable release in the 0.23 line — 0.23.0 only ever shipped as rc0 because the release pipeline itself was broken (Node side hadn't shipped multi-platform binaries since 2023, Python side was on pyo3 0.27 without free-threaded support). 0.23.1 is the version where everything actually goes out the door together: full Node multi-platform wheels for the first time in years, Python 3.14 (regular and free-threaded 3.14t), full type hints for every Python class, and a stack of measurable perf wins on the BPE / added-vocab hot paths.

There is no functional 0.23.0 published — we tag 0.23.1 directly so users don't accidentally pull a never-shipped version.

---

🚨 Breaking changes

• Drop Python 3.9 (#​1952) — requires-python = ">=3.10"; 3.9 users stay on 0.22.x.
• add_tokens normalizes content at insertion (#​1995) — re-saved tokenizer.json may differ in the added_tokens block. Existing files load unchanged.
• Type stubs are precise (#​1928, #​1997) — methods that returned Any now return real types; mypy --strict may surface previously-hidden errors. Stub layout also moved from tokenizers/<sub>/__init__.pyi to tokenizers/<sub>.pyi. This breaks the surface of some of the processors like RobertaProcessign's __init__ .
• 3.14t-only: setters/getters return PyResult<T> because of Arc<RwLock<Tokenizer>>; a poisoned lock surfaces as PyException instead of a panic.

---

⚡ Performance — measured locally on this Mac, not lifted from PRs

Run with cargo bench --bench <name> -- --save-baseline v0_22_2 on v0.22.2, then --baseline v0_22_2 on v0.23.1. Numbers are point-in-time wall clock on a single laptop; relative deltas are what matters, absolute numbers will differ on CI hardware.

Added-vocabulary deserialize — the headline win (#​1995, #​1999)

bench: improve added_vocab_deserialize to reflect real-world workloads (#​2000) is now representative of how transformers actually loads tokenizer.json files. The combined effect of daachorse for the matching automaton plus the normalize-on-insert refactor is enormous on this workload:

benchmark	v0.22.2	v0.23.1	change
100k tokens, special, no norm	~410 ms	248 ms	−40%
100k tokens, non-special, no norm	~7.1 s	273 ms	−96%
100k tokens, special, NFKC	~395 ms	235 ms	−40%
100k tokens, non-special, NFKC	~7.4 s	290 ms	−96%
400k tokens, special, no norm	~15 s	980 ms	−94%

Real-world impact: loading a Llama-3-style tokenizer with a large set of added tokens dropped from "noticeable pause" to "instant".

BPE encode

benchmark	v0.22.2	v0.23.1	change
BPE GPT2 encode batch, no cache	530 ms	446 ms	−16%
BPE GPT2 encode batch (cached)	690 ms	685 ms	noise
BPE GPT2 encode (single)	1.95 s	1.94 s	noise
BPE Train (small)	32.6 ms	31.5 ms	−3%
BPE Train (big)	1.01 s	988 ms	−2%

The BPE per-thread cache PR (#​2028) shows much larger wins on highly-parallel workloads (+47–62% at 88+ threads on a server box, per the PR's own measurements on Vera). Single-thread batch numbers above are flat or slightly improved because cache-hit overhead was already low without contention.

Llama-3 encode

benchmark	v0.22.2	v0.23.1	change
llama3-encode (single)	2.10 s	2.02 s	−4%
llama3-batch	438 ms	408 ms	−7%
llama3-offsets	410 ms	395 ms	−4%

Truncation early exit (#​1990)

Right-direction truncation no longer pre-tokenizes past max_length. The new truncation_benchmark doesn't exist on v0.22.2 so there's no apples-to-apples here, but the PR's own measurements on the same machine showed −20–28% across a range of max_length values for right-truncation; left-truncation unchanged.

Other perf improvements (no direct comparable bench)

• BPE::Builder::build no longer formats strings in a hot loop (#​2010) — ~45% faster Tokenizer::from_file on Llama-3 in the PR's profile.
• BPE per-thread cache (#​2028) — see Vera numbers in PR description for parallel scale-out.

---

🔄 Serialization / deserialization

The tokenizer.json format is forward-compatible: existing files load on 0.23 unchanged. Two things to know if you re-save:

• added_tokens entries created via add_tokens(..., normalized=True) will have their content normalized at save time — see breaking-change note above.
• tokenizer.train(...) no longer keeps a redundant added_tokens/special_tokens Vec separate from the added_tokens_map_r. Public API surface unchanged; only the internal struct shape moved.

bench: improve added_vocab_deserialize to reflect real-world workloads (#​2000) lands a more realistic micro-benchmark for this surface; if you're tracking deserialize perf in your own CI, the new bench is the one to compare against.

---

🐍 Python: free-threaded 3.14t support

Dedicated wheels for python3.14t (the free-threaded build introduced in PEP 703). The wheel:

• Declares Py_MOD_GIL_NOT_USED, so importing tokenizers does not force the GIL back on.
• Builds without the abi3 cargo feature (free-threaded Python doesn't expose the limited API).
• Goes through Arc<RwLock<Tokenizer>> for the inner state so concurrent setters and encoders don't race PyO3's per-pyclass borrow check.

A new stress-test module tests/test_freethreaded.py exercises N-encoder × M-setter races on a single Tokenizer and asserts no RuntimeError: Already borrowed, no RwLock poisoning, and that sys._is_gil_enabled() is False post-import.

For the regular CPython wheel everything is unchanged.

---

📦 Node.js bindings: first proper multi-platform release since 2023

The npm package now ships 13 platforms (macOS x64/arm64/universal, Windows x64/i686/arm64, Linux x64/arm64/armv7 in both glibc and musl, Android arm64/armv7) — previous workflows only built 3 of those, leaving Apple Silicon / Linux ARM / Alpine users with package-not-found errors since 2023 (#​1365, #​1703, #​1922). Fixed via #​1970 + #​2034, which also bumps @napi-rs/cli to v3 and switches cross-builds to cargo-zigbuild.

---

🧷 Type hints & typing for all classes (#​1928, #​1997)

Every class in the python bindings now ships proper .pyi stubs — Tokenizer, AddedToken, Encoding, every decoder / model / normalizer / pre-tokenizer / processor / trainer. Editors and type checkers (mypy, pyright, ty) see real signatures with types and docstrings instead of falling back to Any.

The stubs are generated automatically from the compiled extension via tools/stub-gen (Rust binary using pyo3-introspection). Re-running make style regenerates them; CI guards against regenerated-vs-checked-in drift. If the generator ever returns 0 docstrings (e.g. because the [patch.crates-io] pin in .cargo/config.toml falls out of sync with the pyo3 dep version), it now hard-aborts with a precise diagnostic instead of silently emitting bare-bones stubs.

>>> from tokenizers import Tokenizer
>>> # IDEs now resolve every method, every kwarg, every return type
>>> Tokenizer.from_pretrained("bert-base-cased")

⚠️ As called out in breaking changes: stricter type info means previously-hidden type errors in user code may now surface under mypy --strict.

---

✨ Other features

• Unigram sampling: models.Unigram now exposes alpha and nbest_size for subword regularization (parity with Google's implementation, #​1994). Closes long-standing requests #​730 and #​849.
• Weakref support on Tokenizer (#​1958) — useful for long-lived caches that don't want to keep tokenizers alive.
• CI benchmark regression detection on PRs (#​2013) — every PR runs ci_benchmark against the stored baseline and posts a comparison chart to the PR.
• Longer-context Llama-3 benchmarks (#​1971) for tracking head-room on multi-thousand-token inputs.

---

🛠 Other fixes

• EncodingVisualizer: unclosed annotation span fixed (#​1911), HTML escape applied to output (#​1937).
• DecodeStream: __copy__ / __deepcopy__ (#​1930).
• Pre-tokenize: removed an unnecessary to_vec() from slice (#​1964).
• Replace wget / norvig URL with HF Hub downloads in test data fetch (#​2018).
• uv support in the Python Makefile (#​1977).
• Several security-pin bumps on workflow SHAs (#​2004, #​2005, #​2006, #​2016, #​2017).

---

👥 Contributors

Thanks to everyone who shipped commits between v0.22.2 and v0.23.1:

@​ArthurZucker, @​finnagin, @​gordonmessmer, @​jberg5, @​kennethsible, @​llukito, @​MayCXC, @​McPatate, @​michaelfeil, @​mrkm4ntr, @​musicinmybrain, @​ngoldbaum, @​OhashiReon, @​paulinebm, @​podarok, @​rtrompier, @​sebpop, @​Shivam-Bhardwaj, @​threexc, @​wheynelau, @​xanderlent — plus @​dependabot and @​hf-security-analysis for keeping pins fresh.

---

Full Changelog: huggingface/tokenizers@v0.22.2...v0.23.1

Kludex/uvicorn (uvicorn)

v0.46.0: Version 0.46.0

Compare Source

What's Changed

• Support ws_max_size in wsproto implementation by @​Kludex in #​2915
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation by @​Kludex in #​2916
• Use bytearray for incoming WebSocket message buffer in websockets-sansio by @​Kludex in #​2917

Full Changelog: Kludex/uvicorn@0.45.0...0.46.0

v0.45.0: Version 0.45.0

Compare Source

What's Changed

• Preserve forwarded client ports in proxy headers middleware by @​Kludex in #​2903
• Accept os.PathLike for log_config by @​Kludex in #​2905
• Accept log_level strings case-insensitively by @​Kludex in #​2907
• Raise helpful ImportError when PyYAML is missing for YAML log config by @​Kludex in #​2906
• Revert empty context for ASGI runs by @​Kludex in #​2911
• Add --reset-contextvars flag to isolate ASGI request context by @​Kludex in #​2912
• Revert "Emit http.disconnect on server shutdown for streaming responses" (#​2829) by @​Kludex in #​2913

New Contributors

• @​Krishnachaitanyakc made their first contribution in #​2870

Full Changelog: Kludex/uvicorn@0.44.0...0.45.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 9am on tuesday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: machine-learning/pyproject.toml

Artifact update for pydantic-settings resolved to version 2.14.1, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 2.14.0
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

File name: machine-learning/pyproject.toml

Artifact update for types-requests resolved to version 2.33.0.20260508, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 2.33.0.20260503
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

File name: machine-learning/pyproject.toml

Artifact update for onnxruntime resolved to version 1.26.0, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 1.25.1
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

File name: machine-learning/pyproject.toml

Artifact update for onnxruntime-gpu resolved to version 1.26.0, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 1.25.1
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

File name: machine-learning/pyproject.toml

Artifact update for onnxruntime resolved to version 1.26.0, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 1.25.1
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

File name: machine-learning/pyproject.toml

Artifact update for onnxruntime resolved to version 1.26.0, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 1.25.1
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/