Bump the python-packages group with 6 updates

[dependabot]

Bumps the python-packages group with 6 updates:

Package	From	To
pydantic	2.12.4	2.12.5
celery	5.5.3	5.6.0
fastapi	0.121.3	0.123.0
asyncpg	0.30.0	0.31.0
mypy	1.18.2	1.19.0
flake8-pyproject	1.2.3	1.2.4

Updates pydantic from 2.12.4 to 2.12.5

Release notes

Sourced from pydantic's releases.

v2.12.5 2025-11-26

v2.12.5 (2025-11-26)

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

Full Changelog: pydantic/pydantic@v2.12.4...v2.12.5

Changelog

Sourced from pydantic's changelog.

v2.12.5 (2025-11-26)

GitHub release

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

Commits

• bd2d0dd Prepare release v2.12.5
• 7d0302e Document security implications when using create_model()
• e9ef980 Fix typo in Standard Library Types documentation
• f2c20c0 Add pydantic-docs dev dependency, make use of versioning blocks
• a76c1aa Update documentation about JSON Schema
• 8cbc72c Add documentation about custom __init__()
• 99eba59 Add additional test for FieldInfo.get_default()
• c710769 Special case MISSING sentinel in smart_deepcopy()
• 20a9d77 Do not delete mock validator/serializer in rebuild_dataclass()
• c86515a Update parts of the model and revalidate_instances documentation
• See full diff in compare view

Updates celery from 5.5.3 to 5.6.0

Release notes

Sourced from celery's releases.

v5.6.0

Celery v5.6.0 is now available.

Key Highlights

See What's new in Celery 5.6 for a complete overview or read the main highlights below.

Python 3.9 Minimum Version

Celery 5.6.0 drops support for Python 3.8 (EOL). The minimum required Python version is now 3.9. Users still on Python 3.8 must upgrade their Python version before upgrading to Celery 5.6.0.

Additionally, this release includes initial support for Python 3.14.

SQS: Reverted to pycurl from urllib3

The switch from pycurl to urllib3 for the SQS transport (introduced in Celery 5.5.0 via Kombu) has been reverted due to critical issues affecting SQS users.

Contributed by @​auvipy in celery/celery#9620.

Security Fix: Broker Credential Leak Prevention

Fixed a security issue where broker URLs containing passwords were being logged in plaintext by the delayed delivery mechanism. Broker credentials are now properly sanitized in all log output.

Contributed by @​giancarloromeo in celery/celery#9997.

Memory Leak Fixes

Two significant memory leaks have been fixed in this release:

Exception Handling Memory Leak: Fixed a critical memory leak in task exception handling that was particularly severe on Python 3.11+ due to enhanced traceback data. The fix properly breaks reference cycles in tracebacks to allow garbage collection.

Contributed by @​jaiganeshs21 in celery/celery#9799.

Pending Result Memory Leak: Fixed a memory leak where AsyncResult subscriptions were not being cleaned up when results were forgotten.

Contributed by @​tsoos99dev in celery/celery#9806.

ETA Task Memory Limit

New configuration option worker_eta_task_limit to prevent out-of-memory crashes when workers fetch large numbers of ETA or countdown tasks. Previously, workers could exhaust available memory when the broker contained many scheduled tasks.

Example usage:

app.conf.worker_eta_task_limit = 1000

Contributed by @​sashu2310 in celery/celery#9853.

Queue Type Selection for Auto-created Queues

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.0

:release-date: 2025-11-30 :release-by: Tomer Nosrati

Celery v5.6.0 is now available.

Key Highlights

See :ref:`whatsnew-5.6` for a complete overview or read the main highlights below.
Python 3.9 Minimum Version
Celery 5.6.0 drops support for Python 3.8 (EOL). The minimum required Python
version is now 3.9. Users still on Python 3.8 must upgrade their Python version
before upgrading to Celery 5.6.0.
Additionally, this release includes initial support for Python 3.14.
SQS: Reverted to pycurl from urllib3
The switch from pycurl to urllib3 for the SQS transport (introduced in
Celery 5.5.0 via Kombu) has been reverted due to critical issues affecting SQS
users:

Processing throughput dropped from ~100 tasks/sec to ~3/sec in some environments
UnknownOperationException errors causing container crash loops
Silent message processing failures with no error logs

Users of the SQS transport must ensure pycurl is installed. If you removed
pycurl after upgrading to Celery 5.5.0, you will need to reinstall it.
Contributed by @auvipy <https://github.com/auvipy>_ in
[#9620](https://github.com/celery/celery/issues/9620) <https://github.com/celery/celery/pull/9620>_.
Security Fix: Broker Credential Leak Prevention
Fixed a security issue where broker URLs containing passwords were being logged
in plaintext by the delayed delivery mechanism. Broker credentials are now
properly sanitized in all log output.
Contributed by @giancarloromeo <https://github.com/giancarloromeo>_ in
[#9997](https://github.com/celery/celery/issues/9997) <https://github.com/celery/celery/pull/9997>_.
Memory Leak Fixes
</tr></table>

... (truncated)

Commits

• cca1116 Prepare for release: v5.6.0 (#10010)
• 1133f22 Bump mypy from 1.14.1 to 1.19.0 (#10008)
• 0932d2c [pre-commit.ci] pre-commit autoupdate (#10007)
• b446910 Prepare for (pre) release: v5.6.0rc2 (#10005)
• 3f0f0fe asynpool: Don't return from inside a finally block (#10000)
• 95d0552 Bump actions/checkout from 5 to 6 (#10003)
• f32b92f Add Py39-314t to CI (#9999)
• 63c1910 Don't fail task on timeout during cold shutdown (#9678)
• 30649db Fix log leaking broker credentials (#9997)
• 929412e Remove Python 4.0 version condition for pytest dependencies (#9993)
• Additional commits viewable in compare view

Updates fastapi from 0.121.3 to 0.123.0

Release notes

Sourced from fastapi's releases.

0.123.0

Fixes

• 🐛 Cache dependencies that don't use scopes and don't have sub-dependencies with scopes. PR #14419 by @​tiangolo.

0.122.1

Fixes

• 🐛 Fix hierarchical security scope propagation. PR #5624 by @​kristjanvalur.

Docs

• 💅 Update CSS to explicitly use emoji font. PR #14415 by @​tiangolo.

Internal

• ⬆ Bump markdown-include-variants from 0.0.5 to 0.0.6. PR #14418 by @​YuriiMotov.

0.122.0

Fixes

• 🐛 Use 401 status code in security classes when credentials are missing. PR #13786 by @​YuriiMotov.
  • If your code depended on these classes raising the old (less correct) 403 status code, check the new docs about how to override the classes, to use the same old behavior: Use Old 403 Authentication Error Status Codes.

Internal

• 🔧 Configure labeler to exclude files that start from underscore for lang-all label. PR #14213 by @​YuriiMotov.
• 👷 Add pre-commit config with local script for permalinks. PR #14398 by @​tiangolo.
• 💄 Use font Fira Code to fix display of Rich panels in docs in Windows. PR #14387 by @​tiangolo.
• 👷 Add custom pre-commit CI. PR #14397 by @​tiangolo.
• ⬆ Bump actions/checkout from 5 to 6. PR #14381 by @​dependabot[bot].
• 👷 Upgrade latest-changes GitHub Action and pin actions/checkout@v5. PR #14403 by @​svlandeg.
• 🛠️ Add add-permalinks and add-permalinks-page to scripts/docs.py. PR #14033 by @​YuriiMotov.
• 🔧 Upgrade Material for MkDocs and remove insiders. PR #14375 by @​tiangolo.

Commits

• f2bab95 🔖 Release version 0.123.0
• c38e3e0 📝 Update release notes
• 7fbd304 🐛 Cache dependencies that don't use scopes and don't have sub-dependencies wi...
• 63d7a2b 🔖 Release version 0.122.1
• 7681f29 📝 Update release notes
• 378ad68 🐛 Fix hierarchical security scope propagation (#5624)
• c6487ed 📝 Update release notes
• 62a6974 ⬆ Bump markdown-include-variants from 0.0.5 to 0.0.6 (#14418)
• 9982882 📝 Update release notes
• 8ab7167 💅 Update CSS to explicitly use emoji font (#14415)
• Additional commits viewable in compare view

Updates asyncpg from 0.30.0 to 0.31.0

Release notes

Sourced from asyncpg's releases.

v0.31.0

Enable Python 3.14 with experimental subinterpreter/freethreading support.

Improvements

• Add Python 3.14 support, experimental subinterpreter/freethreading support (#1279) (by @​elprans in 9e42642b)

• Avoid performing type introspection on known types (#1243) (by @​elprans in 5c9986c4)

• Make prepare() not use named statements by default when cache is disabled (#1245) (by @​elprans in 5b14653e)

• Implement connection service file functionality (#1223) (by @​AndrewJackson2020 in 1d63bb15)

Fixes

• Fix multi port connection string issue (#1222) (by @​AndrewJackson2020 in 01c0db7b)

• Avoid leaking connections if _can_use_connection fails (#1269) (by @​yuliy-openai in e94302d2)

Other

• Drop support for EOL Python 3.8 (#1281) (by @​elprans in 6c2c4904)

Commits

• 71775a6 asyncpg v0.31.0
• 508cae6 Test on PostgreSQL 18 (#1290)
• e534e5f Bump cibuildwheel
• 07fe512 Bump pgproto
• 648b35f Bump Cython to 3.2.1 (#1288)
• 9e42642 Add Python 3.14 support, experimental subinterpreter/freethreading support (#...
• 6fe1c49 Move development deps away from extras and into dependency groups (#1280)
• 7a54816 Fix a couple of missed Python version guards
• 6c2c490 Drop support for EOL Python 3.8 (#1281)
• 4c60ae8 Bump version to 0.31.0.dev0
• Additional commits viewable in compare view

Updates mypy from 1.18.2 to 1.19.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Drop Support for Python 3.9

Mypy no longer supports running with Python 3.9, which has reached end-of-life. When running mypy with Python 3.10+, it is still possible to type check code that needs to support Python 3.9 with the --python-version 3.9 argument. Support for this will be dropped in the first half of 2026!

Contributed by Marc Mueller (PR 20156).

Mypy 1.19

We’ve just uploaded mypy 1.19.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Python 3.9 Support Ending Soon

This is the last mypy feature release that supports Python 3.9, which reached end of life in October 2025.

Performance Improvements

• Switch to a more dynamic SCC processing logic (Ivan Levkivskyi, PR 20053)
• Speed up type aliases (Ivan Levkivskyi, PR 19810)

Fixed‑Format Cache Improvements

Mypy uses a cache by default to speed up incremental runs by reusing partial results from earlier runs. Mypy 1.18 added a new binary fixed-format cache representation as an experimental feature. The feature is no longer experimental, and we are planning to enable it by default in a future mypy release (possibly 1.20), since it's faster and uses less space than the original, JSON-based cache format. Use --fixed-format-cache to enable the fixed-format cache.

Mypy now has an extra dependency on the librt PyPI package, as it's needed for cache serialization and deserialization.

Mypy ships with a tool to convert fixed-format cache files to the old JSON format. Example of how to use this:

$ python -m mypy.exportjson .mypy_cache/.../my_module.data.ff

... (truncated)

Commits

• 0f068c9 Remove +dev
• 6d5cf52 Various updates to 1.19 changelog (#20304)
• 3c81308 Add draft version of 1.19 release notes (#20296)
• 1999a20 [mypyc] librt base64: use existing SIMD CPU dispatch by customizing build fla...
• 1b94fbb [mypyc] Fix vtable pointer with inherited dunder new (#20302)
• 13369cb [mypyc] Fix crash on super in generator (#20291)
• a087a58 Update import map when new modules added (#20271)
• 35e843c [mypyc] Add efficient librt.base64.b64decode (#20263)
• 094f66d [mypyc] Add repr to AssignmentTarget subclasses (#20258)
• 0738db3 Do not push partial types to the binder (#20202)
• Additional commits viewable in compare view

Updates flake8-pyproject from 1.2.3 to 1.2.4

Release notes

Sourced from flake8-pyproject's releases.

1.2.4

• Fixes typo in name of meta variable in --toml-config help message. (#21)
• Registers GitHub repo as trusted publisher for PyPI releases. (#38)

Commits

• 3c516a9 Bumped version to 1.2.4.
• df70f19 Added GitHub workflow for releases on PyPI.
• d46e99c Only run scheduled test weekly instead of nightly.
• da0b9ed Added link to GitHub releases as a project URL.
• 8e4b87f Cosmetic changes to code format of dev tools in tools folder.
• 4227bd4 Use longer names for dev tools in tools folder.
• 3866f48 Mention early on that we need to be called in pyproject.toml folder.
• 40bf639 Removed configuration and documentation of pre-commit hook.
• 9df7abb Bump actions/checkout from 5 to 6 in the github-actions group
• 2c23062 Fixed reporting of code coverage.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	5098	293	94%

report-only-changed-files is enabled. No files were changed during this commit :)