build(deps): bump the production-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the production-dependencies group with 10 updates in the / directory:

Package	From	To
cachetools	7.1.3	7.1.4
flask-cors	6.0.2	6.0.5
grpcio	1.80.0	1.81.1
grpcio-testing	1.80.0	1.81.1
grpcio-tools	1.80.0	1.81.1
peewee	4.0.5	4.0.8
phonenumbers	9.0.30	9.0.32
pyjwt	2.12.1	2.13.0
pytest	9.0.3	9.1.0
tqdm	4.67.3	4.68.2

Updates cachetools from 7.1.3 to 7.1.4

Changelog

Sourced from cachetools's changelog.

v7.1.4 (2026-05-22)

• Minor unit test improvements.

• Update build environment.

Commits

• 48284d7 Release v7.1.4.
• 55ea96b Update build environment.
• c5439fe Add threading tests for lock-only decorators.
• 91828fc Run threading tests unconditionally with timeout.
• See full diff in compare view

Updates flask-cors from 6.0.2 to 6.0.5

Release notes

Sourced from flask-cors's releases.

6.0.5

Supersedes 6.0.4

What's Changed

• Add MyPy Typing and modernize options parsing by @​corydolphin in corydolphin/flask-cors#409 (this broke strict type checking when using Blueprints)
• Restore Blueprint support in CORS type signatures (#410) by @​corydolphin in corydolphin/flask-cors#411

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.5

6.0.4

What's Changed

• Add MyPy Typing by @​corydolphin in corydolphin/flask-cors#409

Full Changelog: corydolphin/flask-cors@6.0.3...6.0.4

6.0.3

What's Changed

• Derive package version from git tag via setuptools-scm by @​corydolphin in corydolphin/flask-cors#405
• Improve CI/CD security with least privilege and build separation by @​corydolphin in corydolphin/flask-cors#406

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

6.0.3-pre

What's Changed

• Derive package version from git tag via setuptools-scm by @​corydolphin in corydolphin/flask-cors#405
• Improve CI/CD security with least privilege and build separation by @​corydolphin in corydolphin/flask-cors#406

Full Changelog: corydolphin/flask-cors@6.0.2...6.0.3

Commits

• 91ebc49 Typing Hotfix: support blueprints in the type system
• d601665 Add strict MyPy Typing
• c8e8871 Harden release publishing workflow (#406)
• e1d4034 Derive package version from git tag via setuptools-scm (#405)
• See full diff in compare view

Updates grpcio from 1.80.0 to 1.81.1

Release notes

Sourced from grpcio's releases.

Release v1.81.1

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• [EventEngine] Fix a potential use-after-free error on Windows. (#42078)
• [ssl] Server side handshaker factory stores a map of key signers. (#42002)
• [Core] Fix completion queue shutdown race on weak memory models (ARM). (#41510)
• [EventEngine] Fix a Windows race that causes an assertion error. (#41563)
• [grpc_error] enable error_flatten experiment in OSS. (#41471)
• [Python] Trim Python2 backward compatiblity syntax - removed (object) inheritance. (#41708)

Objective-C

• [ObjC] Add receiveNextMessage to GRPCUnaryProtoCall. (#42260)

Python

• [Python] Add typing_extensions dep to aio Bazel target. (#42001)
• [Python] [Pyright] Part 1 - Pyright for src/python/grpcio/grpc/aio/_base_server.py. (#42240)
• [Python] Drop 3.9. (#42145)
• [Python] grpc-status: Relax protobuf dependency upper bound to allow 7.x. (#41948)
• [Python] [Typeguard] Part 5 - Add Typeguard SYNC Stack in tests. (#40278)
• [Python] Remove GIL from ReceiveMessageOperation.un_c method. (#41812)
• [Python] Support observability in AsyncIO stack. (#41573)

Ruby

• [Ruby] Drop support for EOL Ruby 3.1 and clean up. (#41435)
• [Ruby] Composed CallCredentials keep a reference to their source. (#41782)

Release v1.81.0

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

... (truncated)

Commits

• e84a8a2 [Release] Bump version to 1.81.1 (on v1.81.x branch) (#42584)
• 4706d6a [xDS] fix use-after-free in global XdsClient map (#42559)
• 42a6b5b [Core][Release] Update BCR presubmit job definition (#42561)
• 8bdf11e [Release] Bump version to 1.81.0 (on v1.81.x branch) (#42432)
• 0029e06 Move all gRPC Session classes to the experimental namespace (#42462)
• 1f18268 [CI] Fix Asan thread_stress_test error by reducing thread count (#42424) (#42...
• ee3fed7 Backport MacOS fix cl/917004588 to v1.81.x (#42441)
• 6244f3b [Release] Bump version to 1.81.0-pre1 (on v1.81.x branch) (#42378)
• 1108777 [Release] Bump core version to 54.0.0 for upcoming release (#42321)
• 74940e8 [fix] Add back the do-while loop that handles the TSI_RESULT correctly.
• Additional commits viewable in compare view

Updates grpcio-testing from 1.80.0 to 1.81.1

Updates grpcio-tools from 1.80.0 to 1.81.1

Release notes

Sourced from grpcio-tools's releases.

Release v1.81.1

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

• [EventEngine] Fix a potential use-after-free error on Windows. (#42078)
• [ssl] Server side handshaker factory stores a map of key signers. (#42002)
• [Core] Fix completion queue shutdown race on weak memory models (ARM). (#41510)
• [EventEngine] Fix a Windows race that causes an assertion error. (#41563)
• [grpc_error] enable error_flatten experiment in OSS. (#41471)
• [Python] Trim Python2 backward compatiblity syntax - removed (object) inheritance. (#41708)

Objective-C

• [ObjC] Add receiveNextMessage to GRPCUnaryProtoCall. (#42260)

Python

• [Python] Add typing_extensions dep to aio Bazel target. (#42001)
• [Python] [Pyright] Part 1 - Pyright for src/python/grpcio/grpc/aio/_base_server.py. (#42240)
• [Python] Drop 3.9. (#42145)
• [Python] grpc-status: Relax protobuf dependency upper bound to allow 7.x. (#41948)
• [Python] [Typeguard] Part 5 - Add Typeguard SYNC Stack in tests. (#40278)
• [Python] Remove GIL from ReceiveMessageOperation.un_c method. (#41812)
• [Python] Support observability in AsyncIO stack. (#41573)

Ruby

• [Ruby] Drop support for EOL Ruby 3.1 and clean up. (#41435)
• [Ruby] Composed CallCredentials keep a reference to their source. (#41782)

Release v1.81.0

This is release 1.81.0 (graphic) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

... (truncated)

Commits

• e84a8a2 [Release] Bump version to 1.81.1 (on v1.81.x branch) (#42584)
• 8bdf11e [Release] Bump version to 1.81.0 (on v1.81.x branch) (#42432)
• 6244f3b [Release] Bump version to 1.81.0-pre1 (on v1.81.x branch) (#42378)
• 820f933 [Python] Drop 3.9 (#42145)
• 451521c [Core CI] Make windows python distrib tests use ccache. (#42171)
• cb09882 [Build] Upgrade protobuf to 33.5 (#41976)
• a2bf3f1 [Release] Bump version to 1.81.0-dev (on master branch) (#41843)
• See full diff in compare view

Updates peewee from 4.0.5 to 4.0.8

Release notes

Sourced from peewee's releases.

4.0.8

• Add BaseQuery.aexecute() - an async twin of execute() available on all query types, executing through the query's bound async database: await User.select().aexecute(), await user.tweets.aexecute(). Returns exactly what execute() returns, including result rows for DML with RETURNING. Queries remain non-awaitable; this is an ordinary coroutine method and the only async method on queries.
• Add async model methods to playhouse.pwasyncio using "a"-prefixed coroutine counterparts of the row-level Model methods (acreate, aget, aget_or_none, aget_by_id, aget_or_create, aset_by_id, adelete_by_id, abulk_create, abulk_update, asave, adelete_instance), available via the new AsyncModel / AsyncModelMixin classes. Each is a thin delegation through the greenlet bridge, so behavior is identical to the synchronous implementation. Note: the Model property of async databases now returns a base class that includes these methods - relevant only if you introspect the base class of db.Model subclasses.
• Add afetch() for explicit, awaitable lazy foreign-key resolution: user = await tweet.afetch(Tweet.user). Already-loaded relations (via join or prefetch) return immediately without a query.
• Add db.first(query, n=1) async helper.
• MissingGreenletBridge errors now include a hint describing the async APIs to use.
• The asyncio extension is no longer considered preliminary - the async APIs documented in the docs are stable. The asyncio stress test now also runs in CI.

View commits

4.0.7

• Fixes for playhouse.pwasyncio: report correct UPDATE / DELETE rowcounts on asyncpg, roll back open transactions when connections are returned to the pool, raise instead of deadlocking when querying during iterate(), and detect the MySQL / MariaDB server version.
• Additional playhouse.pwasyncio fixes: a second iterate() on a busy connection raises instead of deadlocking, asyncpg exceptions are translated to peewee exception types, registered aggregates / collations / window functions / extensions and timeout are applied to async SQLite connections, :memory: databases use a single connection, atomic() accepts transaction arguments (e.g. lock_type), postgres connection URLs and isolation_level are supported, %% in raw SQL is unescaped, and attempting a query outside the greenlet bridge no longer emits "never awaited" warnings.
• Fixes for playhouse.pydantic_utils: JSON fields validate as Any (now including the sqlite_ext JSONField), foreign keys may be included / excluded by field name or column name, server-side defaults like SQL('CURRENT_TIMESTAMP') are no longer emitted as schema defaults, and relationships keys are validated.
• Add a new cross-backend JSONField to core that provides basic operations and also more consistent behavior when reading data. By default the new core JSONField treats extracted values as JSON, which is generally the correct thing, but "text-mode" is available as a chained .as_text() method. See docs. May eventually replace the backend-specific implementations with subclasses that inherit semantics of this new field. Note: playhouse.mysql_ext.JSONField is now the core field. The old json_dumps / json_loads arguments are renamed dumps / loads, the extract() method is removed (use item-access or path()), and MySQL tables are now created with JSON columns rather than TEXT.
• Eliminate use of deprecated params when connecting to MySQL databases, thanks to @​abulgher, #3050.
• Using fromisoformat() ended up causing previously-unconverted strings (Ymd) to be converted in some cases, e.g. formatting a datetime as a str (#3051). The change I made to address this is to make explicit casts on function calls not attempt any heuristic python-value conversion. This makes it more natural to call fn.whatever().cast('text') and you predictably get text out.

View commits

4.0.6

• Add new methods to the postgres BinaryJSONField: helpers for in-place modifications (set, replace, insert, append, update).
• Also add json-path helpers to the postgres BinaryJSONField (path_exists, path_match, path_query, path_query_array, path_query_first).
• Quote path elements in SQLite's JSON field.
• Better and faster parsing of formatted date/times. Use the stdlib fromisoformat as a first attempt since it's faster and more robust.
• Ensure db.connection_context() can be nested cleanly, #3046.
• Fix potential deadlock in pool.close_all and pool.manual_close, #3047.
• Restore whitespace stripping in FixedCharField, #3048.

View commits

Changelog

Sourced from peewee's changelog.

4.0.8

• Add BaseQuery.aexecute() - an async twin of execute() available on all query types, executing through the query's bound async database: await User.select().aexecute(), await user.tweets.aexecute(). Returns exactly what execute() returns, including result rows for DML with RETURNING. Queries remain non-awaitable; this is an ordinary coroutine method and the only async method on queries.
• Add async model methods to playhouse.pwasyncio using "a"-prefixed coroutine counterparts of the row-level Model methods (acreate, aget, aget_or_none, aget_by_id, aget_or_create, aset_by_id, adelete_by_id, abulk_create, abulk_update, asave, adelete_instance), available via the new AsyncModel / AsyncModelMixin classes. Each is a thin delegation through the greenlet bridge, so behavior is identical to the synchronous implementation. Note: the Model property of async databases now returns a base class that includes these methods - relevant only if you introspect the base class of db.Model subclasses.
• Add afetch() for explicit, awaitable lazy foreign-key resolution: user = await tweet.afetch(Tweet.user). Already-loaded relations (via join or prefetch) return immediately without a query.
• Add db.first(query, n=1) async helper.
• MissingGreenletBridge errors now include a hint describing the async APIs to use.
• The asyncio extension is no longer considered preliminary - the async APIs documented in the docs are stable. The asyncio stress test now also runs in CI.

View commits

4.0.7

• Fixes for playhouse.pwasyncio: report correct UPDATE / DELETE rowcounts on asyncpg, roll back open transactions when connections are returned to the pool, raise instead of deadlocking when querying during iterate(), and detect the MySQL / MariaDB server version.
• Additional playhouse.pwasyncio fixes: a second iterate() on a busy connection raises instead of deadlocking, asyncpg exceptions are translated to peewee exception types, registered aggregates / collations / window functions / extensions and timeout are applied to async SQLite connections, :memory: databases use a single connection, atomic() accepts transaction arguments (e.g. lock_type), postgres connection URLs and isolation_level are supported, %% in raw SQL is unescaped, and attempting a query outside the greenlet bridge no longer emits "never awaited" warnings.
• Fixes for playhouse.pydantic_utils: JSON fields validate as Any (now including the sqlite_ext JSONField), foreign keys may be included / excluded by field name or column name, server-side defaults like SQL('CURRENT_TIMESTAMP') are no longer emitted as schema defaults, and relationships keys are validated.

... (truncated)

Commits

• 0a684ef 4.0.8
• df3b05b Drop 2.x compat shim for metaclass.
• 5a84747 Update readme & index
• e8bb29a Clarify docs, move up install section in asyncio
• 03dab6e Docs and readme cleanup for new asyncio interfaces
• 1f471a5 Ensure we don't rebind + fix some order-dependent tests
• 80055a5 drop decorator so it registers as a coroutine.
• 4eea98b Clarify aexecute() usages in docs.
• 0401abf Add aexecute() helper to BaseQuery
• f6f4a6b Docs and CL for asyncio facade.
• Additional commits viewable in compare view

Updates phonenumbers from 9.0.30 to 9.0.32

Commits

• facd74c Prep for 9.0.32 release
• 8ea3d6a Generated files for metadata
• 1d40b76 Merge metadata changes from upstream 9.0.32
• 43a9c86 Prep for 9.0.31 release
• 98c625e Generated files for metadata
• 9161226 Merge metadata changes from upstream 9.0.31
• See full diff in compare view

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

• GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

• GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

• GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

• GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

• GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

• Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
• Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
• RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

• Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

• Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
• PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
• PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
• b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
• enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security

- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed

- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.
Changed



Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__

Commits

• 7144e45 Apply ruff format
• d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
• 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
• 95791b1 Bundle security fixes and hardening into 2.13.0
• dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
• 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
• b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
• 40e3147 Migrate development extras to dependency groups (#1152)
• See full diff in compare view

Updates pytest from 9.0.3 to 9.1.0

Release notes

Sourced from pytest's releases.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

• #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

  If this is undesirable, move the fixture definition to a conftest.py file if possible.

  Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

• #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

  See 10819 and 14011.

• #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

  See dynamic-fixture-request-during-teardown for details.

• #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

  These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

  See parametrize-iterators for details and suggestions.

• #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

  See config-inicfg for more details.

• #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

  Use the node parameter instead for fixture scoping. This enables more robust node-based matching instead of string prefix matching. If you've used nodeid=None, pass node=session instead.

  This will be removed in pytest 10.

• #14335: The method of configuring hooks using markers, deprecated since pytest 7.2, is now scheduled to be removed in pytest 10. See hook-markers for more details.

• #14434: The --pastebin option is now deprecated.

... (truncated)

Commits

• b2522cf Prepare release version 9.1.0
• 368d2fc [refactor] Tighten SetComparisonFunction to Iterator[str] (#14587)
• ff77cd8 [refactor] Make base assertion comparisons return an iterator instead of a li...
• 0d8491a build(deps): Bump actions/stale from 10.2.0 to 10.3.0
• 4a809d9 Merge pull request #14568 from pytest-dev/register-fixture
• 5dfa385 Fix recursion traceback test to cover all styles (#14582)
• f52ff0c Add pytest.register_fixture
• a8ac094 Merge pull request #14567 from pytest-dev/more-visibility-deprecate
• e5620cd [pre-commit.ci] pre-commit autoupdate (#14577)
• 2ce9c6d Merge pull request #14540 from minbang930/fix-14533-doctest-module-fixtures
• Additional commits viewable in compare view

Updates tqdm from 4.67.3 to 4.68.2

Release notes

Sourced from tqdm's releases.

tqdm v4.68.2 stable

• revert accidental change to ascii default (fixes #1760)
  • UnicodeEncodeError: 'charmap' codec can't encode characters in position 6-7: character maps to <undefined> can be fixed by installing tqdm!=4.68.0,!=4.68.1
• misc docs updates
  • fix links
  • replace stray rst -> md syntax
  • consistent "progress bar" terminology (#1737)
• tests: fix coverage (fixes #1760)

tqdm v4.68.1 stable

• set name of monitor thread (#1669, #1752 <- #1435)
• fix monitor thread atexit deadlock (#1751 <- #528, #627, #1435, #1564)
• docs: minor copyediting

tqdm v4.68.0 stable

• utils: simplify terminal size detection (#1760)
• contrib
  • itertools (#1760)
    • add chain, permutations, combinations, combinations_with_replacement, batched
    • add product(repeat=1) keyword argument (#1428)
  • fix discord, telegram error handling
  • fix discord, slack, telegram format for total=None
• soft-deprecate tqdm.utils.envwrap -> envwrap
• benchmarks: fix asv
• misc linting
• misc framework updates
  • CI: migrate manual job to pre-commit.ci
  • bump workflow actions & pre-commit hooks

Commits

• 4b33952 revert accidental change to tqdm(ascii) default
• b10848f docs: fix links
• 85b62dd docs: replace stray rst -> md
• d2fb04a docs: mention OpenAI sponsorship
• 85940f9 docs: consistent progress bar terminology
• 9dbb36b tests: fix coverage
• 67cf355 Merge pull request #1751 from jaltmayerpizzorno/fix-atexit-monitor-deadlock
• cfa4a85 minor docstring updates
• f83290c Fix TMonitor deadlock at interpreter shutdown
• 59029c3 Set name for tqdm monitor thread (#1752)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions