@dependabot dependabot bot commented on behalf of github Oct 27, 2025

Updates the requirements on grpcio-tools, ruff and uv-build to permit the latest version.
Updates grpcio-tools to 1.76.0

Release notes

Sourced from grpcio-tools's releases.

Release v1.76.0

This is release 1.76.0 (genuine) of gRPC Core.

For gRPC documentation, see grpc.io. For previous releases, see Releases.

This release contains refinements, improvements, and bug fixes, with highlights listed below.

Core

  • Prioritize system CA over bundled CA. (#40583)
  • [event_engine] Introduce an event_engine_poller_for_python experiment. (#40243)
  • [metrics] add grpc.lb.backend_service label. (#40486)

C#

  • [csharp tools] #39374 Grpc.Tools can't process file Suffix name with Upper character. (#40072)

Python

  • [Python] gRPC AsyncIO: Improve CompletionQueue polling performance. (#39993)

Changelog

Sourced from grpcio-tools's changelog.

gRPC Release Schedule

Below is the release schedule for gRPC Java, Go and Core and its dependent languages C++, C#, Objective-C, PHP, Python and Ruby.

Releases are scheduled every six weeks on Tuesdays on a best effort basis. In some unavoidable situations a release may be delayed or released early or a language may skip a release altogether and do the next release to catch up with other languages. See the past releases in the links above. A six-week cycle gives us a good balance between delivering new features/fixes quickly and keeping the release overhead low.

The gRPC release support policy can be found here.

Releases are cut from release branches. For Core and Java repos, the release branch is cut two weeks before the scheduled release date. For Go, the branch is cut just before the release. An RC (release candidate) is published for Core and its dependent languages just after the branch cut. This RC is later promoted to release version if no further changes are made to the release branch. We do our best to keep head of master branch stable at all times regardless of release schedule. Daily build packages from master branch for C#, PHP, Python, Ruby and Protoc plugins are published on packages.grpc.io. If you depend on gRPC in production we recommend to set up your CI system to test the RCs and, if possible, the daily builds.

Names of gRPC releases are here.

| Release | Scheduled Branch Cut | Scheduled Release Date |
| --- | --- | --- |
| v1.17.0 | Nov 19, 2018 | Dec 4, 2018 |
| v1.18.0 | Jan 2, 2019 | Jan 15, 2019 |
| v1.19.0 | Feb 12, 2019 | Feb 26, 2019 |
| v1.20.0 | Mar 26, 2019 | Apr 9, 2019 |
| v1.21.0 | May 7, 2019 | May 21, 2019 |
| v1.22.0 | Jun 18, 2019 | Jul 2, 2019 |
| v1.23.0 | Jul 30, 2019 | Aug 13, 2019 |
| v1.24.0 | Sept 10, 2019 | Sept 24, 2019 |
| v1.25.0 | Oct 22, 2019 | Nov 5, 2019 |
| v1.26.0 | Dec 3, 2019 | Dec 17, 2019 |
| v1.27.0 | Jan 14, 2020 | Jan 28, 2020 |
| v1.28.0 | Feb 25, 2020 | Mar 10, 2020 |
| v1.29.0 | Apr 7, 2020 | Apr 21, 2020 |
| v1.30.0 | May 19, 2020 | Jun 2, 2020 |
| v1.31.0 | Jul 14, 2020 | Jul 28, 2020 |
| v1.32.0 | Aug 25, 2020 | Sep 8, 2020 |
| v1.33.0 | Oct 6, 2020 | Oct 20, 2020 |
| v1.34.0 | Nov 17, 2020 | Dec 1, 2020 |
| v1.35.0 | Dec 29, 2020 | Jan 12, 2021 |
| v1.36.0 | Feb 9, 2021 | Feb 23, 2021 |
| v1.37.0 | Mar 23, 2021 | Apr 6, 2021 |
| v1.38.0 | May 4, 2021 | May 18, 2021 |
| v1.39.0 | Jun 15, 2021 | Jun 29, 2021 |
| v1.40.0 | Jul 27, 2021 | Aug 10, 2021 |
| v1.41.0 | Sep 7, 2021 | Sep 21, 2021 |
| v1.42.0 | Oct 19, 2021 | Nov 2, 2021 |
| v1.43.0 | Nov 30, 2021 | Dec 14, 2021 |
| v1.44.0 | Jan 11, 2022 | Jan 25, 2022 |
| v1.45.0 | Feb 22, 2022 | Mar 8, 2022 |

Commits
  • f5ffb68 [Release] Bump version to 1.76.0 (on v1.76.x branch) (#40925)
  • ffd8379 [Release] Bump version to 1.76.0-pre1 (on v1.76.x branch) (#40798)
  • 835d394 [Release] Bump core version to 51.0.0 for upcoming release (#40784)
  • de6ce7f [PH2] Add files for goaway support (#40786)
  • f7dd7f4 [PH2][Trivial][CleanUp]
  • 2d40a37 [PH2][ChannelZ][ZTrace][Skeleton]
  • 83acb27 [build] Add Missing Dependencies for reflection_proto in Preparation for Enab...
  • abfe8a2 [PH2] Stream list represents streams open for reads.
  • c65d8de [PH2][Expt] Fix the experiment expiry
  • 755d025 Fix latent_see_test flakiness
  • Additional commits viewable in compare view

Updates ruff to 0.14.2

Release notes

Sourced from ruff's releases.

0.14.2

Release Notes

Released on 2025-10-23.

Preview features

  • [flake8-gettext] Resolve qualified names and built-in bindings (INT001, INT002, INT003) (#19045)

Bug fixes

  • Avoid reusing nested, interpolated quotes before Python 3.12 (#20930)
  • Catch syntax errors in nested interpolations before Python 3.12 (#20949)
  • [fastapi] Handle ellipsis defaults in FAST002 autofix (#20810)
  • [flake8-simplify] Skip SIM911 when unknown arguments are present (#20697)
  • [pyupgrade] Always parenthesize assignment expressions in fix for f-string (UP032) (#21003)
  • [pyupgrade] Fix UP032 conversion for decimal ints with underscores (#21022)
  • [fastapi] Skip autofix for keyword and __debug__ path params (FAST003) (#20960)

Rule changes

  • [flake8-bugbear] Skip B905 and B912 for fewer than two iterables and no starred arguments (#20998)
  • [ruff] Use DiagnosticTag for more pyflakes and pandas rules (#20801)

CLI

  • Improve JSON output from ruff rule (#20168)

Documentation

  • Add source to testimonial (#20971)
  • Document when a rule was added (#21035)

Other changes

  • [syntax-errors] Name is parameter and global (#20426)
  • [syntax-errors] Alternative match patterns bind different names (#20682)

Contributors

Install ruff 0.14.2

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.2

Released on 2025-10-23.

Preview features

  • [flake8-gettext] Resolve qualified names and built-in bindings (INT001, INT002, INT003) (#19045)

Bug fixes

  • Avoid reusing nested, interpolated quotes before Python 3.12 (#20930)
  • Catch syntax errors in nested interpolations before Python 3.12 (#20949)
  • [fastapi] Handle ellipsis defaults in FAST002 autofix (#20810)
  • [flake8-simplify] Skip SIM911 when unknown arguments are present (#20697)
  • [pyupgrade] Always parenthesize assignment expressions in fix for f-string (UP032) (#21003)
  • [pyupgrade] Fix UP032 conversion for decimal ints with underscores (#21022)
  • [fastapi] Skip autofix for keyword and __debug__ path params (FAST003) (#20960)

Rule changes

  • [flake8-bugbear] Skip B905 and B912 for fewer than two iterables and no starred arguments (#20998)
  • [ruff] Use DiagnosticTag for more pyflakes and pandas rules (#20801)

CLI

  • Improve JSON output from ruff rule (#20168)

Documentation

  • Add source to testimonial (#20971)
  • Document when a rule was added (#21035)

Other changes

  • [syntax-errors] Name is parameter and global (#20426)
  • [syntax-errors] Alternative match patterns bind different names (#20682)

Contributors

0.14.1

... (truncated)

Commits

Updates uv-build to 0.9.5

Release notes

Sourced from uv-build's releases.

0.9.5

Release Notes

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due to its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: GHSA-w476-p2h3-79g9

Security

  • Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#16387)

Enhancements

  • Add required environment marker example to hint (#16244)
  • Fix typo in MissingTopLevel warning (#16351)
  • Improve 403 Forbidden error message to indicate package may not exist (#16353)
  • Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#16318)

Bug fixes

  • Fix backtick escaping for PowerShell (#16307)

Documentation

  • Document metadata consistency expectation (#15683)
  • Remove outdated aarch64 musl note (#16385)

Install uv 0.9.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/uv/releases/download/0.9.5/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/uv/releases/download/0.9.5/uv-installer.ps1 | iex"

Download uv 0.9.5

| File | Platform | Checksum |
| --- | --- | --- |
| uv-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| uv-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| uv-aarch64-pc-windows-msvc.zip | ARM64 Windows | checksum |

... (truncated)

Changelog

Sourced from uv-build's changelog.

0.9.5

Released on 2025-10-21.

This release contains an upgrade to astral-tokio-tar, which addresses a vulnerability in tar extraction on malformed archives with mismatching size information between the ustar header and PAX extensions. While the astral-tokio-tar advisory has been graded as "high" due to its potential broader impact, the specific impact to uv is low due to a lack of novel attacker capability. Specifically, uv only processes tar archives from source distributions, which already possess the capability for full arbitrary code execution by design, meaning that an attacker gains no additional capabilities through astral-tokio-tar.

Regardless, we take the hypothetical risk of parser differentials very seriously. Out of an abundance of caution, we have assigned this upgrade an advisory: GHSA-w476-p2h3-79g9

Security

  • Upgrade astral-tokio-tar to 0.5.6 to address a parsing differential (#16387)

Enhancements

  • Add required environment marker example to hint (#16244)
  • Fix typo in MissingTopLevel warning (#16351)
  • Improve 403 Forbidden error message to indicate package may not exist (#16353)
  • Add a hint on uv pip install failure if the --system flag is used to select an externally managed interpreter (#16318)

Bug fixes

  • Fix backtick escaping for PowerShell (#16307)

Documentation

  • Document metadata consistency expectation (#15683)
  • Remove outdated aarch64 musl note (#16385)

0.9.4

Released on 2025-10-17.

Enhancements

  • Add CUDA 13.0 support (#16321)
  • Add auto-detection for Intel GPU on Windows (#16280)
  • Implement display of RFC 9457 HTTP error contexts (#16199)

Bug fixes

  • Avoid obfuscating pyx tokens in uv auth token output (#16345)

0.9.3

Released on 2025-10-14.

Python

  • Add CPython 3.15.0a1
  • Add CPython 3.13.9

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Updates the requirements on [grpcio-tools](https://github.com/grpc/grpc), [ruff](https://github.com/astral-sh/ruff) and [uv-build](https://github.com/astral-sh/uv) to permit the latest version.

Updates `grpcio-tools` to 1.76.0
- [Release notes](https://github.com/grpc/grpc/releases)
- [Changelog](https://github.com/grpc/grpc/blob/master/doc/grpc_release_schedule.md)
- [Commits](grpc/grpc@v1.63.0...v1.76.0)

Updates `ruff` to 0.14.2
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.13.0...0.14.2)

Updates `uv-build` to 0.9.5
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.8.15...0.9.5)

---
updated-dependencies:
- dependency-name: grpcio-tools
  dependency-version: 1.76.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: ruff
  dependency-version: 0.14.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: uv-build
  dependency-version: 0.9.5
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the area/dependencies Affects dependencies label Oct 27, 2025
@dependabot dependabot bot requested a review from a team as a code owner October 27, 2025 12:25