
[Tech] Bump the non-major-dependencies group in /pipeline with 8 updates #2905

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/pipeline/non-major-dependencies-74a907ec62

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps the non-major-dependencies group in /pipeline with 8 updates:

| Package | From | To |
| --- | --- | --- |
| geopandas | 1.1.2 | 1.1.3 |
| geoalchemy2 | 0.18.1 | 0.19.0 |
| prefect | 3.6.9 | 3.6.29 |
| coverage | 7.13.4 | 7.13.5 |
| sqlalchemy | 2.0.46 | 2.0.49 |
| psycopg2-binary | 2.9.11 | 2.9.12 |
| css-inline | 0.20.0 | 0.20.2 |
| lxml | 6.0.2 | 6.1.0 |

Updates geopandas from 1.1.2 to 1.1.3

Release notes

Sourced from geopandas's releases.

Version 1.1.3

What's Changed

This release addresses a handful of small compatibility issues with pandas 3.0 and backports some bugfixes.

Bug fixes:

  • Improved compatibility with pandas 3.0 Copy-on-Write feature, making use of deferred copies where possible (#3298, #3711).
  • Fix GeoSeries.sample_points not accepting list-like size when generating points using pointpaterns (#3710).
  • Fix from_wkt/wkb to correctly handle missing values with pandas 3 (where the new str dtype is used) (#3714).
  • Fix to_postgis to correctly handle missing values with pandas 3 (where the new str dtype is used) (#3722).
  • Using loc to assign column values to a new row index now correctly preserves the column CRS and geometry dtype on pandas 3.1, due to an upstream bug fix (#3741, Pandas #62523)
  • Random states in pointpats methods of sample_points can now be fixed with rng (#3737).

Full Changelog: geopandas/geopandas@v1.1.2...v1.1.3

Changelog

Sourced from geopandas's changelog.

Version 1.1.3 (March 10, 2026)

This release addresses a handful of small compatibility issues with pandas 3.0 and backports some bugfixes.

Bug fixes:

  • Improved compatibility with pandas 3.0 Copy-on-Write feature, making use of deferred copies where possible (#3298, #3711).
  • Fix GeoSeries.sample_points not accepting list-like size when generating points using pointpaterns (#3710).
  • Fix from_wkt/wkb to correctly handle missing values with pandas 3 (where the new str dtype is used) (#3714).
  • Fix to_postgis to correctly handle missing values with pandas 3 (where the new str dtype is used) (#3722).
  • Using loc to assign column values to a new row index now correctly preserves the column CRS and geometry dtype on pandas 3.1, due to an upstream bug fix (#3741, Pandas #62523)
  • Random states in pointpats methods of sample_points can now be fixed with rng (#3737).

Commits
  • f5fe3ff RLS: v1.1.3
  • c104670 pointpats <2.5.3 test compat
  • af36b14 ENH: add pointpats as an optional dependency & pass in rng (#3737)
  • d9ed84a COMPAT: fix failing test for loc concatenation crs preservation with pandas 3...
  • 1b1ddc2 MAINT: use trusted publishing for releasing to PyPI (#3734)
  • 8d0c05d changelog
  • a424f17 Avoid returning deep copies with pandas 3.0 (with Copy-on-Write) (#3298)
  • 03fa43e MAINT: cleanup release warning for project.license table (#3603)
  • 29fdb30 CI: remove usage of PANDAS_FUTURE_INFER_STRINGS=0 (#3715)
  • 9070e13 missing changelog entries
  • Additional commits viewable in compare view

Updates geoalchemy2 from 0.18.1 to 0.19.0

Release notes

Sourced from geoalchemy2's releases.

0.19.0

What's Changed

Full Changelog: geoalchemy/geoalchemy2@0.18.4...0.19.0

0.18.4

What's Changed

Full Changelog: geoalchemy/geoalchemy2@0.18.3...0.18.4

0.18.3

What's Changed

Full Changelog: geoalchemy/geoalchemy2@0.18.2...0.18.3

0.18.2

What's Changed

Full Changelog: geoalchemy/geoalchemy2@0.18.1...0.18.2

Changelog

Sourced from geoalchemy2's changelog.

0.19.0

0.18.4

0.18.3

0.18.2

Commits
  • 792cc5e Release: 0.19.0 (#599)
  • 9d17680 Fix: Ensure _GISType.column_expression is compatible with TypeDecorator (#598)
  • 3d4d8ec CI: Fix Too many connections errors in MySQL and MariaDB (#597)
  • b5d6336 [pre-commit.ci] pre-commit autoupdate (#595)
  • 187f092 Improve WKT parsing and fix comparator doc typo (#594)
  • dce1bb1 CI: Fix triggers after default branch was renamed main (#593)
  • beb96c3 Release: 0.18.4 (#591)
  • 6266c25 CI: Move to the official Coveralls action (#592)
  • f402f63 CI: Make Coveralls optional since the service is down at the moment (#590)
  • 36ebd0f Fix: fix setuptools deprecation warning (#589)
  • Additional commits viewable in compare view

Updates prefect from 3.6.9 to 3.6.29

Release notes

Sourced from prefect's releases.

3.6.29 - ON CONFLICT DO BETTER

Enhancements ➕➕

Bug Fixes 🐞

Development & Tidiness 🧹

Documentation 📓

Full Changelog: PrefectHQ/prefect@3.6.28...3.6.29

3.6.29.dev4: Nightly Development Release

What's Changed

Enhancements ➕➕

Development & Tidiness 🧹

Documentation 📓

Uncategorized

Full Changelog: PrefectHQ/prefect@3.6.29.dev3...3.6.29.dev4

3.6.29.dev3: Nightly Development Release

... (truncated)

Commits
  • 51b7ff4 docs: Add release notes for 3.6.29 (#21765)
  • 70e5c64 docs: update task_run_recorder sort-key invariant to reflect conflict-key coa...
  • a85e6b7 Fix task run recorder conflict handling (#21726)
  • e934cf2 chore(deps): bump the uv-dependencies group across 1 directory with 16 update...
  • dab238c docs: raise quality bar for automated AGENTS.md update workflow (#21761)
  • ba706b7 docs: document pytest-timeout thread method requirement for flow timeout test...
  • 7fb21d4 fix(filesystems): always enforce basepath containment in LocalFileSystem (#21...
  • f27a156 fix(tests): prevent pytest-timeout SIGALRM from interfering with flow timeout...
  • d2a8441 docs: document UnknownSerializer graceful degradation for cross-environment r...
  • a544cfc docs: document BlockStorageAdapter destination-clearing invariant in runner A...
  • Additional commits viewable in compare view

Updates coverage from 7.13.4 to 7.13.5

Changelog

Sourced from coverage's changelog.

Version 7.13.5 — 2026-03-17

  • Fix: issue 2138 (coveragepy/coveragepy#2138) describes a memory leak that happened when repeatedly using the Coverage API with in-memory data. This is now fixed.

  • Fix: the markdown-formatted coverage report didn't fully escape special characters in file paths (issue 2141, coveragepy/coveragepy#2141). This would be very unlikely to cause a problem, but now it's done properly, thanks to Ellie Ayla (pull 2142, coveragepy/coveragepy#2142).

  • Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145, coveragepy/coveragepy#2145).

Commits
  • c88da14 docs: sample HTML for 7.13.5
  • e2ac3e1 build: sample HTML shouldn't include the status.json file
  • 910f8f3 docs: prep for 7.13.5
  • 3a4819c style: make workflows more uniform
  • 2a53705 chore: bump the action-dependencies group across 1 directory with 4 updates (...
  • e7c878d chore: make upgrade
  • ab4db40 build: use --generate-hashes when pinning
  • a438753 chore: make upgrade
  • 7b33457 refactor: some leftover pyupgrade 3.10 bits
  • 2ff968d refactor: this type wasn't used anywhere
  • Additional commits viewable in compare view

Updates sqlalchemy from 2.0.46 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

  • [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

    References: #13176

  • [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

    References: #13193

  • [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

    References: #13202

  • [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

    References: #13209

typing

  • [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

Updates psycopg2-binary from 2.9.11 to 2.9.12

Changelog

Sourced from psycopg2-binary's changelog.

Current release

What's new in psycopg 2.9.12

  • Fix infinite loop with malformed interval (ticket #1835).

What's new in psycopg 2.9.11

  • Add support for Python 3.14.
  • Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (ticket [#1791](https://github.com/psycopg/psycopg2/issues/1791)).
  • Add riscv64 platform binary packages (ticket [#1813](https://github.com/psycopg/psycopg2/issues/1813)).
  • psycopg2.errorcodes map and psycopg2.errors classes updated to PostgreSQL 18.
  • Drop support for Python 3.8.

What's new in psycopg 2.9.10

  • Add support for Python 3.13.
  • Receive notifications on commit (ticket [#1728](https://github.com/psycopg/psycopg2/issues/1728)).
  • psycopg2.errorcodes map and psycopg2.errors classes updated to PostgreSQL 17.
  • Drop support for Python 3.7.

What's new in psycopg 2.9.9

  • Add support for Python 3.12.
  • Drop support for Python 3.6.

What's new in psycopg 2.9.8

  • Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7

  • Fix propagation of exceptions raised during module initialization (ticket [#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits
  • 3a6d9d6 ci: include almalinux in whieel building
  • ebca6bf chore: bump to version 3.9.12
  • 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
  • d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
  • 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
  • d52a61e chore: bump dependency libraries
  • b231d72 chore: fix building binary images
  • 6d76e84 Merge pull request #1836 from psycopg/fix-1835
  • f7e314c fix: overflow in malformed interval
  • eb905c1 docs: replace bare except clause with except Exception
  • Additional commits viewable in compare view

Updates css-inline from 0.20.0 to 0.20.2

Release notes

Sourced from css-inline's releases.

[C] Release 0.20.2

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[Java] Release 0.20.2

Added

  • CssInline.inline(String html, String css) convenience overload for applying a CSS string to a full HTML document. #693

Fixed

  • inlineFragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[JavaScript] Release 0.20.2

Fixed

  • inlineFragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[PHP] Release 0.20.2

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[Python] Release 0.20.2

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[Ruby] Release 0.20.2

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[Rust] Release 0.20.2

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[C] Release 0.20.1

Changed

  • Update html5ever to 0.39.
  • Update selectors to 0.36.

Fixed

  • !important lost when inlining styles onto elements with existing inline style attributes. #682
  • !important lost when minify_css is enabled due to separator mismatch during property lookup. #682

... (truncated)

Changelog

Sourced from css-inline's changelog.

[0.20.2] - 2026-04-02

Fixed

  • inline_fragment silently returning only whitespace when the input starts with whitespace or contains structural HTML tags (<html>, <head>, <body>, <style>). #692 #693

[0.20.1] - 2026-03-26

Changed

  • Update html5ever to 0.39.
  • Update selectors to 0.36.

Fixed

  • !important lost when inlining styles onto elements with existing inline style attributes. #682
  • !important lost when minify_css is enabled due to separator mismatch during property lookup. #682
Commits
  • 2179596 chore(c): Release 0.20.2
  • ad7c8da chore(python): Release 0.20.2
  • adb3e7b docs: Update changelogs
  • 5beb478 feat: CssInline.inline(String html, String css) convenience overload for ap...
  • d37dce9 build(deps): bump lodash from 4.17.23 to 4.18.1 in /bindings/javascript
  • 7620ae9 docs: Clarify inline vs inline_fragment behavior
  • 5e9e60f build(deps): update wasm-bindgen requirement in /bindings/javascript
  • 052d475 fix: inline_fragment silently returning only leading whitespace when the in...
  • 3edcec4 build(deps): update wasm-bindgen requirement in /bindings/javascript
  • f0d8770 chore(php): Release 0.20.1
  • Additional commits viewable in compare view

Updates lxml from 6.0.2 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

  • GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

  • The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

  • LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

  • LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

  • Several out of memory error cases now raise MemoryError that were not handled before.

  • Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

  • LP#2125399: Some failing tests were fixed or disabled in PyPy.

  • LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits
  • 43722f4 Update changelog.
  • 8747040 Name version of option change in docstring.
  • 6c36e6c Fix pypistats URL in download statistics script.
  • c7d76d6 Change security policy to point to Github security advisories.
  • 378ccf8 Update project income report.
  • 315270b Docs: Reduce TOC depth of package pages and move module contents first.
  • 6dbba7f Docs: Show current year in copyright line.
  • e4385bf Update project income report.
  • 5bed1e1 Validate file hashes in release download script.
  • c13ee10 Prepare release of 6.1.0.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
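
An added example for the lxml 6.1.0 changelog entry quoted above (not part of the PR, Dependabot's output, or lxml): a standard-library AST check that lists calls to `lxml.etree.iterparse` and `ETCompatXMLParser` which do not set `resolve_entities` explicitly, the condition the changelog names for CVE-2026-41066. The function names, verdict labels and sample source are assumptions made for illustration; flagging an explicit `True` is a choice of this example.

```python
import ast

# Callables the lxml 6.1.0 changelog names as having kept resolve_entities=True.
AFFECTED = {"iterparse", "ETCompatXMLParser"}

# Constructed sample of application code (not from the PR); parsed, never executed.
SAMPLE = '''\
from lxml import etree
from lxml.etree import iterparse as ip
import xml.etree.ElementTree as ET

for _, el in etree.iterparse("feed.xml"):
    pass
p = etree.ETCompatXMLParser(resolve_entities=False)
q = etree.ETCompatXMLParser(resolve_entities=True)
for _, el in ip("feed.xml", events=("end",), resolve_entities="internal"):
    pass
for _, el in ET.iterparse("feed.xml"):
    pass
r = ip("feed.xml", **opts)
'''


def _lxml_bindings(tree):
    """Collect local names bound to lxml.etree and to the affected callables."""
    modules, names = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "lxml.etree":
                    modules.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if node.module == "lxml" and alias.name == "etree":
                    modules.add(alias.asname or alias.name)
                elif node.module == "lxml.etree" and alias.name in AFFECTED:
                    names[alias.asname or alias.name] = alias.name
    return modules, names


def _affected_callee(func, modules, names):
    """Return the lxml callable a call targets, or None (stdlib iterparse is skipped)."""
    if isinstance(func, ast.Name):
        return names.get(func.id)
    if isinstance(func, ast.Attribute) and func.attr in AFFECTED:
        if ast.unparse(func.value) in modules:
            return func.attr
    return None


def audit(source):
    """Return sorted (line, callee, verdict) for calls whose entity handling needs review."""
    tree = ast.parse(source)
    modules, names = _lxml_bindings(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _affected_callee(node.func, modules, names)
        if callee is None:
            continue
        value = {k.arg: k.value for k in node.keywords if k.arg}.get("resolve_entities")
        if value is None:
            # A **kwargs splat may or may not carry the option; report it separately.
            splat = any(k.arg is None for k in node.keywords)
            verdict = "star-kwargs" if splat else "implicit"
        elif isinstance(value, ast.Constant) and value.value is True:
            verdict = "explicit-true"
        else:
            continue  # explicitly False, 'internal', or a non-literal expression
        findings.append((node.lineno, callee, verdict))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee, verdict in audit(SAMPLE):
        print(f"line {line}: {callee}: {verdict}")
```

Calls reported as `implicit` are the ones whose behaviour differs between lxml 6.0.2 and 6.1.0 according to the changelog entry.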

Bumps the non-major-dependencies group in /pipeline with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [geopandas](https://github.com/geopandas/geopandas) | `1.1.2` | `1.1.3` |
| [geoalchemy2](https://github.com/geoalchemy/geoalchemy2) | `0.18.1` | `0.19.0` |
| [prefect](https://github.com/PrefectHQ/prefect) | `3.6.9` | `3.6.29` |
| [coverage](https://github.com/coveragepy/coveragepy) | `7.13.4` | `7.13.5` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.46` | `2.0.49` |
| [psycopg2-binary](https://github.com/psycopg/psycopg2) | `2.9.11` | `2.9.12` |
| [css-inline](https://github.com/Stranger6667/css-inline) | `0.20.0` | `0.20.2` |
| [lxml](https://github.com/lxml/lxml) | `6.0.2` | `6.1.0` |


Updates `geopandas` from 1.1.2 to 1.1.3
- [Release notes](https://github.com/geopandas/geopandas/releases)
- [Changelog](https://github.com/geopandas/geopandas/blob/main/CHANGELOG.md)
- [Commits](geopandas/geopandas@v1.1.2...v1.1.3)

Updates `geoalchemy2` from 0.18.1 to 0.19.0
- [Release notes](https://github.com/geoalchemy/geoalchemy2/releases)
- [Changelog](https://github.com/geoalchemy/geoalchemy2/blob/main/CHANGES.txt)
- [Commits](geoalchemy/geoalchemy2@0.18.1...0.19.0)

Updates `prefect` from 3.6.9 to 3.6.29
- [Release notes](https://github.com/PrefectHQ/prefect/releases)
- [Commits](PrefectHQ/prefect@3.6.9...3.6.29)

Updates `coverage` from 7.13.4 to 7.13.5
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.13.4...7.13.5)

Updates `sqlalchemy` from 2.0.46 to 2.0.49
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `psycopg2-binary` from 2.9.11 to 2.9.12
- [Changelog](https://github.com/psycopg/psycopg2/blob/master/NEWS)
- [Commits](psycopg/psycopg2@2.9.11...2.9.12)

Updates `css-inline` from 0.20.0 to 0.20.2
- [Release notes](https://github.com/Stranger6667/css-inline/releases)
- [Changelog](https://github.com/Stranger6667/css-inline/blob/master/CHANGELOG.md)
- [Commits](Stranger6667/css-inline@c-v0.20.0...c-v0.20.2)

Updates `lxml` from 6.0.2 to 6.1.0
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.0)

---
updated-dependencies:
- dependency-name: geopandas
  dependency-version: 1.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: geoalchemy2
  dependency-version: 0.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: non-major-dependencies
- dependency-name: prefect
  dependency-version: 3.6.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: coverage
  dependency-version: 7.13.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: sqlalchemy
  dependency-version: 2.0.49
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: psycopg2-binary
  dependency-version: 2.9.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: css-inline
  dependency-version: 0.20.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: non-major-dependencies
- dependency-name: lxml
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: non-major-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@tristanrobert

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

sonarqubecloud Bot commented May 1, 2026
