deps(deps): bump the python-minor group across 1 directory with 7 updates

[dependabot]

Bumps the python-minor group with 7 updates in the / directory:

Package	From	To
fastapi	0.127.0	0.128.5
sqlalchemy	2.0.45	2.0.46
alembic	1.17.2	1.18.3
aiosqlite	0.22.0	0.22.1
tenacity	9.1.2	9.1.4
prometheus-client	0.23.1	0.24.1
ruff	0.14.10	0.15.0

Updates fastapi from 0.127.0 to 0.128.5

Release notes

Sourced from fastapi's releases.

0.128.5

Refactors

• ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal utils. PR #14862 by @​tiangolo.

Internal

• ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic v2. PR #14864 by @​tiangolo.

0.128.4

Refactors

• ♻️ Refactor internals, simplify Pydantic v2/v1 utils, create_model_field, better types for lenient_issubclass. PR #14860 by @​tiangolo.
• ♻️ Simplify internals, remove Pydantic v1 only logic, no longer needed. PR #14857 by @​tiangolo.
• ♻️ Refactor internals, cleanup unneeded Pydantic v1 specific logic. PR #14856 by @​tiangolo.

Translations

• 🌐 Update translations for fr (outdated pages). PR #14839 by @​YuriiMotov.
• 🌐 Update translations for tr (outdated and missing). PR #14838 by @​YuriiMotov.

Internal

• ⬆️ Upgrade development dependencies. PR #14854 by @​tiangolo.

0.128.3

Refactors

• ♻️ Re-implement on_event in FastAPI for compatibility with the next Starlette, while keeping backwards compatibility. PR #14851 by @​tiangolo.

Upgrades

• ⬆️ Upgrade Starlette supported version range to starlette>=0.40.0,<1.0.0. PR #14853 by @​tiangolo.

Translations

• 🌐 Update translations for ru (update-outdated). PR #14834 by @​tiangolo.

Internal

• 👷 Run tests with Starlette from git. PR #14849 by @​tiangolo.
• 👷 Run tests with lower bound uv sync, upgrade fastapi[all] minimum dependencies: ujson >=5.8.0, orjson >=3.9.3. PR #14846 by @​tiangolo.

0.128.2

Features

• ✨ Add support for PEP695 TypeAliasType. PR #13920 by @​cstruct.
• ✨ Allow Response type hint as dependency annotation. PR #14794 by @​jonathan-fulton.

Fixes

... (truncated)

Commits

• dedf140 🔖 Release version 0.128.5
• 79d4dfb 📝 Update release notes
• 9f4ecf5 ✅ Add inline snapshot tests for OpenAPI before changes from Pydantic v2 (#14864)
• c48539f 📝 Update release notes
• 2e7d375 ♻️ Refactor and simplify Pydantic v2 (and v1) compatibility internal utils (#...
• 8eac94b 🔖 Release version 0.128.4
• 58cdfc7 📝 Update release notes
• d59fbc3 ♻️ Refactor internals, simplify Pydantic v2/v1 utils, create_model_field, b...
• cc6ced6 📝 Update release notes
• cf55bad ♻️ Simplify internals, remove Pydantic v1 only logic, no longer needed (#14857)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.45 to 2.0.46

Release notes

Sourced from sqlalchemy's releases.

2.0.46

Released: January 21, 2026

typing

• [typing] [bug] Fixed typing issues where ORM mapped classes and aliased entities could not be used as keys in result row mappings or as join targets in select statements. Patterns such as row._mapping[User], row._mapping[aliased(User)], row._mapping[with_polymorphic(...)] (rejected by both mypy and Pylance), and .join(aliased(User)) (rejected by Pylance) are documented and fully supported at runtime but were previously rejected by type checkers. The type definitions for _KeyType and _FromClauseArgument have been updated to accept these ORM entity types.

  References: #13075

postgresql

• [postgresql] [bug] Fixed issue where PostgreSQL JSONB operators _postgresql.JSONB.Comparator.path_match() and _postgresql.JSONB.Comparator.path_exists() were applying incorrect VARCHAR casts to the right-hand side operand when used with newer PostgreSQL drivers such as psycopg. The operators now indicate the right-hand type as JSONPATH, which currently results in no casting taking place, but is also compatible with explicit casts if the implementation were require it at a later point.

  References: #13059

• [postgresql] [bug] Fixed regression in PostgreSQL dialect where JSONB subscription syntax would generate incorrect SQL for cast() expressions returning JSONB, causing syntax errors. The dialect now properly wraps cast expressions in parentheses when using the [] subscription syntax, generating (CAST(...))[index] instead of CAST(...)[index] to comply with PostgreSQL syntax requirements. This extends the fix from #12778 which addressed the same issue for function calls.

  References: #13067

• [postgresql] [bug] Improved the foreign key reflection regular expression pattern used by the PostgreSQL dialect to be more permissive in matching identifier characters, allowing it to correctly handle unicode characters in table and column names. This change improves compatibility with PostgreSQL variants such as CockroachDB that may use different quoting patterns in combination with unicode characters in their identifiers. Pull request courtesy Gord Thompson.

... (truncated)

Commits

• See full diff in compare view

Updates alembic from 1.17.2 to 1.18.3

Release notes

Sourced from alembic's releases.

1.18.3

Released: January 29, 2026

bug

• [bug] [autogenerate] Fixed regression in version 1.18.0 due to #1771 where autogenerate would raise NoReferencedTableError when a foreign key constraint referenced a table that was not part of the initial table load, including tables filtered out by the EnvironmentContext.configure.include_name callable or tables in remote schemas that were not included in the initial reflection run.

  The change in #1771 was a performance optimization that eliminated additional reflection queries for tables that were only referenced by foreign keys but not explicitly included in the main reflection run. However, this optimization inadvertently removed the creation of Table objects for these referenced tables, causing autogenerate to fail when processing foreign key constraints that pointed to them.

  The fix creates placeholder Table objects for foreign key targets that are not reflected, allowing the autogenerate comparison to proceed without error while maintaining the performance improvement from #1771. When multiple foreign keys reference different columns in the same filtered table, the placeholder table accumulates all necessary columns. These placeholder tables may be visible when using the EnvironmentContext.configure.include_object callable to inspect ForeignKeyConstraint objects; they will have the name, schema and basic column information for the relevant columns present.

  References: #1787

• [bug] [general] Fixed regression caused by #1669 which requires SQLAlchemy objects to support generic type subscripting; for the older SQLAlchemy 1.4 series, this requires version 1.4.23. Changed the minimum requirements to require version 1.4.23 rather than 1.4.0.

  References: #1788

1.18.2

Released: January 28, 2026

usecase

• [usecase] [operations] The primary_key parameter on Column is now honored when Operations.add_column() is used, and will emit the "PRIMARY KEY" keyword inline within the ADD COLUMN directive. This is strictly a syntax

... (truncated)

Commits

• See full diff in compare view

Updates aiosqlite from 0.22.0 to 0.22.1

Changelog

Sourced from aiosqlite's changelog.

v0.22.1

Bug fix release

NOTE: Starting with v0.22.0, the aiosqlite.Connection object no longer inherits from threading.Thread. If not using aiosqlite as a context manager, clients must await connection.close() or call connection.stop() to ensure the helper thread is completed and terminated correctly. A ResourceWarning will be emitted for any connection that is garbage collected without being closed or stopped.

• Added synchronous stop() method to aiosqlite.Connection to enable safe cleanup and termination of the background thread without dependence on having an active event loop (#370)

$ git shortlog -s v0.22.0...v0.22.1
     2	Amethyst Reese

Commits

• 9b127ce Version bump v0.22.1
• 5c3f61c Improve stop semantics for connections (#370)
• See full diff in compare view

Updates tenacity from 9.1.2 to 9.1.4

Release notes

Sourced from tenacity's releases.

9.1.4

What's Changed

• Fix retry() annotations with async sleep= function by @​Zac-HD in jd/tenacity#555

Full Changelog: jd/tenacity@9.1.3...9.1.4

9.1.3

What's Changed

• Apply formatting to num seconds in before_sleep_log by @​aguinane in jd/tenacity#489
• Support Python 3.14 by @​sandrobonazzola in jd/tenacity#528
• Typing: Accept non-standard logger in helpers logging something by @​k4nar in jd/tenacity#540
• feat(wait): add wait_exception strategy by @​capitan-davide in jd/tenacity#541
• docs: fix syntax error in wait_chain docstring example by @​VedantMadane in jd/tenacity#548
• chore: drop Python 3.9 support (EOL) by @​Zac-HD in jd/tenacity#552
• Support async sleep for sync fn-to-retry by @​Zac-HD in jd/tenacity#551

New Contributors

• @​aguinane made their first contribution in jd/tenacity#489
• @​sandrobonazzola made their first contribution in jd/tenacity#528
• @​k4nar made their first contribution in jd/tenacity#540
• @​capitan-davide made their first contribution in jd/tenacity#541
• @​VedantMadane made their first contribution in jd/tenacity#548
• @​Zac-HD made their first contribution in jd/tenacity#552

Full Changelog: jd/tenacity@9.1.2...9.1.3

Commits

• d4e868d Fix retry() annotations with async sleep= function (#555)
• 24415eb support async sleep for sync fn (#551)
• 3bf33b4 chore: drop Python 3.9 support (EOL) (#552)
• 7027da3 chore(deps): bump the github-actions group with 2 updates (#550)
• 21ae7d0 docs: fix syntax error in wait_chain docstring example (#548)
• ef12c9e chore(deps): bump actions/checkout in the github-actions group (#547)
• c35a4b3 chore(deps): bump the github-actions group with 2 updates (#545)
• e792bba ci: fix mypy (#546)
• 0f55245 ci: remove reno requirements (#542)
• 815c34f feat(wait): add wait_exception strategy (#541)
• Additional commits viewable in compare view

Updates prometheus-client from 0.23.1 to 0.24.1

Release notes

Sourced from prometheus-client's releases.

v0.24.1

• [Django] Pass correct registry to MultiProcessCollector by @​jelly in prometheus/client_python#1152

v0.24.0

What's Changed

• Add an AIOHTTP exporter by @​Lexicality in prometheus/client_python#1139
• Add remove_matching() method for metric label deletion by @​hazel-shen in prometheus/client_python#1121
• fix(multiprocess): avoid double-building child metric names (#1035) by @​hazel-shen in prometheus/client_python#1146
• Don't interleave histogram metrics in multi-process collector by @​cjwatson in prometheus/client_python#1148
• Relax registry type annotations for exposition by @​cjwatson in prometheus/client_python#1149
• Added compression support in pushgateway by @​ritesh-avesha in prometheus/client_python#1144
• Add Django exporter (#1088) by @​Chadys in prometheus/client_python#1143

Full Changelog: prometheus/client_python@v0.23.1...v0.24.0

Commits

• f417f6e Release 0.24.1
• 6f0e967 Pass correct registry to MultiProcessCollector (#1152)
• c5024d3 Release 0.24.0
• e1cdc20 Add Django exporter (#1088) (#1143)
• 7b99592 Added compression support in pushgateway (#1144)
• 13df124 Relax registry type annotations for exposition (#1149)
• a264ec0 Don't interleave histogram metrics in multi-process collector (#1148)
• e8f8bae fix(multiprocess): avoid double-building child metric names (#1035) (#1146)
• 1783ca8 Add support for Python 3.14 (#1142)
• 378510b Add remove_matching() method for metric label deletion (#1121)
• Additional commits viewable in compare view

Updates ruff from 0.14.10 to 0.15.0

Release notes

Sourced from ruff's releases.

0.15.0

Release Notes

Released on 2026-02-03.

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Ruff now formats your code according to the 2026 style guide. See the formatter section below or in the blog post for a detailed list of changes.

• The linter now supports block suppression comments. For example, to suppress N803 for all parameters in this function:

  # ruff: disable[N803]
  def foo(
      legacyArg1,
      legacyArg2,
      legacyArg3,
      legacyArg4,
  ): ...
  # ruff: enable[N803]

  See the documentation for more details.

• The ruff:alpine Docker image is now based on Alpine 3.23 (up from 3.21).

• The ruff:debian and ruff:debian-slim Docker images are now based on Debian 13 "Trixie" instead of Debian 12 "Bookworm."

• Binaries for the ppc64 (64-bit big-endian PowerPC) architecture are no longer included in our releases. It should still be possible to build Ruff manually for this platform, if needed.

• Ruff now resolves all extended configuration files before falling back on a default Python version.

Stabilization

The following rules have been stabilized and are no longer in preview:

• blocking-http-call-httpx-in-async-function (ASYNC212)
• blocking-path-method-in-async-function (ASYNC240)
• blocking-input-in-async-function (ASYNC250)
• map-without-explicit-strict (B912)
• if-exp-instead-of-or-operator (FURB110)
• single-item-membership-test (FURB171)
• missing-maxsplit-arg (PLC0207)
• unnecessary-lambda (PLW0108)
• unnecessary-empty-iterable-within-deque-call (RUF037)
• in-empty-collection (RUF060)
• legacy-form-pytest-raises (RUF061)
• non-octal-permissions (RUF064)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.0

Released on 2026-02-03.

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Ruff now formats your code according to the 2026 style guide. See the formatter section below or in the blog post for a detailed list of changes.

• The linter now supports block suppression comments. For example, to suppress N803 for all parameters in this function:

  # ruff: disable[N803]
  def foo(
      legacyArg1,
      legacyArg2,
      legacyArg3,
      legacyArg4,
  ): ...
  # ruff: enable[N803]

  See the documentation for more details.

• The ruff:alpine Docker image is now based on Alpine 3.23 (up from 3.21).

• The ruff:debian and ruff:debian-slim Docker images are now based on Debian 13 "Trixie" instead of Debian 12 "Bookworm."

• Binaries for the ppc64 (64-bit big-endian PowerPC) architecture are no longer included in our releases. It should still be possible to build Ruff manually for this platform, if needed.

• Ruff now resolves all extended configuration files before falling back on a default Python version.

Stabilization

The following rules have been stabilized and are no longer in preview:

• blocking-http-call-httpx-in-async-function (ASYNC212)
• blocking-path-method-in-async-function (ASYNC240)
• blocking-input-in-async-function (ASYNC250)
• map-without-explicit-strict (B912)
• if-exp-instead-of-or-operator (FURB110)
• single-item-membership-test (FURB171)

... (truncated)

Commits

• ce5f7b6 Bump 0.15.0 (#23055)
• b4e40f5 [ty] Fix __contains__ to respect descriptors (#23056)
• 848cb72 [ty] Fix narrowing of nonlocal variables with conditional assignments (#22966)
• da7f33a [ty] Add a diagnostic for Final without assignment (#23001)
• e65f9a6 Document markdown formatting feature (#22990)
• c0c1b98 Format markdown code blocks with line-by-line regex parse (#22996)
• 9f8f3e1 Allow positional-only params with defaults in method overrides (#23037)
• ef83810 [ty] ecosystem-analyzer: Support bare git repositories (#23054)
• 54dfee4 Customize where the fix_title sub-diagnostic appears (#23044)
• b534607 2026 Ruff Formatter Style (#22735)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.