Skip to content

Update sqlalchemy requirement from >=2.0 to >=2.0.49#24

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sqlalchemy-gte-2.0.49
Open

Update sqlalchemy requirement from >=2.0 to >=2.0.49#24
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/sqlalchemy-gte-2.0.49

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 12, 2026

Copy link
Copy Markdown

Updates the requirements on sqlalchemy to permit the latest version.

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

  • [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

    References: #13176

  • [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

    References: #13193

  • [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

    References: #13202

  • [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

    References: #13209

typing

  • [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Update sqlalchemy requirement from >=2.0 to >=2.0.49
613e351 
Updates the requirements on [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) to permit the latest version.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-version: 2.0.49
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Apr 12, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Apr 12, 2026

Copy link
Copy Markdown

Security Sentinel Report

Severity Count
CRITICAL 54
HIGH 0
MEDIUM 9
Severity Finding File Details
CRITICAL Vulnerable dependency: cryptography pyproject.toml CVE-2026-34073: cryptography has incomplete DNS name constraint enforcement on peer names
CRITICAL Vulnerable dependency: cryptography pyproject.toml CVE-2026-39892: Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34514: AIOHTTP has CRLF injection through multipart part content type header construction
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34517: AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34520: AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34518: AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34525: AIOHTTP accepts duplicate Host headers
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34513: AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34516: AIOHTTP has a Multipart Header Size Bypass
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34519: AIOHTTP has HTTP response splitting via \r in reason phrase
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-34515: AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windo
CRITICAL Vulnerable dependency: aiohttp pyproject.toml CVE-2026-22815: aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
CRITICAL Vulnerable dependency: PyJWT pyproject.toml CVE-2026-32597: PyJWT accepts unknown crit header extensions
CRITICAL Hardcoded secret tests/test_tunnel_setup.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_tunnel_setup.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_tunnel_setup.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_tunnel_setup.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY
CRITICAL Hardcoded secret tests/test_channels.py Pattern matched: (?:API_KEY

...and 47 more.
This PR is blocked by CRITICAL findings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants