chore(deps): bump the uv group across 2 directories with 3 updates

[dependabot]

Bumps the uv group with 2 updates in the / directory: prefect and dulwich.
Bumps the uv group with 1 update in the /python_testcontainers directory: starlette.

Updates prefect from 3.6.13 to 3.6.28.dev2

Release notes

Sourced from prefect's releases.

3.6.28.dev2: Nightly Development Release

What's Changed

Bug Fixes 🐞

• Skip uv pip freeze in bundle creation when a non-uv launcher is set by @​devin-ai-integration[bot] in PrefectHQ/prefect#21607
• Fix DNS rebinding TOCTOU bypass in validate_restricted_url by @​devin-ai-integration[bot] in PrefectHQ/prefect#21591

Development & Tidiness 🧹

• fix(tests): prevent aiosqlite teardown race in legacy events/out test by @​devin-ai-integration[bot] in PrefectHQ/prefect#21619

Documentation 📓

• docs: Add release notes for prefect-kubernetes==0.7.8 by @​devin-ai-integration[bot] in PrefectHQ/prefect#21611

Uncategorized

• docs: clarify that uv pip freeze is skipped only for execution launcher overrides by @​github-actions[bot] in PrefectHQ/prefect#21613
• Fix _UnpicklingFuture.add_done_callback swallowing deserialization errors by @​saschwartz in PrefectHQ/prefect#21612
• fix(tests): raise asyncpg connection_timeout in unit test mode by @​devin-ai-integration[bot] in PrefectHQ/prefect#21614

Full Changelog: PrefectHQ/prefect@3.6.28.dev1...3.6.28.dev2

3.6.28.dev1: Nightly Development Release

What's Changed

Bug Fixes 🐞

• fix(prefect-shell): kill whole process tree on ShellOperation cleanup by @​zzstoatzz in PrefectHQ/prefect#21586

Uncategorized

• docs: document SIGTERM bridge and sanitize_subprocess_env in utilities AGENTS.md by @​github-actions[bot] in PrefectHQ/prefect#21604
• docs: document JSDOM CSS custom property and matchMedia mocking patterns by @​github-actions[bot] in PrefectHQ/prefect#21605

Full Changelog: PrefectHQ/prefect@3.6.27...3.6.28.dev1

3.6.27 - When I cancel, you cancel

Enhancements ➕➕

• Remove causal ordering from task run recorder by @​chuqCTC in #21458
• Enable cascading cancellation for in-process subflows by @​desertaxle in #21477
• Relax work-pool storage CLI to allow ambient cloud credentials by @​desertaxle in #21578

Bug Fixes 🐞

• Bump pydocket to >=0.19.0 and drop the fakeredis pin by @​chrisguidry in #21512
• URL-encode credentials in dict fallback path for git clone by @​devin-ai-integration in #21540
• Handle missing anyio.NoEventLoopError on older anyio versions by @​devin-ai-integration in #21539
• Fix serve not clearing work pool config on existing deployments by @​vyagubov in #21528
• Add validation for malformed block document placeholder format by @​kuishou68 in #21501
• Handle PydanticInvalidForJsonSchema in parameter schema generation by @​devin-ai-integration in #21571
• Eagerly rebuild task-run submission schemas by @​desertaxle in #21556
• Propagate contextvars to the flow heartbeat thread by @​devin-ai-integration in #21577

... (truncated)

Commits

• 6f89b6d fix(tests): raise asyncpg connection_timeout in unit test mode (#21614)
• 1589b45 fix(tests): prevent aiosqlite teardown race in legacy events/out test (#21619)
• 7c70ac5 Fix DNS rebinding TOCTOU bypass in validate_restricted_url (#21591)
• 3458636 Fix _UnpicklingFuture.add_done_callback swallowing deserialization errors (#2...
• 3d18732 docs: clarify that uv pip freeze is skipped only for execution launcher overr...
• 36207f9 Skip uv pip freeze in bundle creation when a non-uv launcher is set (#21607)
• 8ab8ac4 docs: Add release notes for prefect-kubernetes==0.7.8 (#21611)
• 6373056 fix(prefect-shell): kill whole process tree on ShellOperation cleanup (#21586)
• 6dd5af5 docs: document JSDOM CSS custom property and matchMedia mocking patterns (#21...
• 9f9bed7 fix(ui-v2): default deployment detail tab to Details to match V1 (#21601)
• Additional commits viewable in compare view

Updates dulwich from 0.24.7 to 1.2.5

Release notes

Sourced from dulwich's releases.

dulwich 1.2.5

This is a security release. All users are encouraged to upgrade.

Security fixes

• GHSA-gfhv-vqv2-4544 -- Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact. The dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Reported by tonghuaroot)

• CVE-2026-42305 -- Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. validate_path_element_ntfs now also rejects Windows path separators, the alternate data stream marker :, NTFS 8.3 short-name aliases of .git, and reserved Windows device names. core.protectNTFS now defaults to true on every platform, and both core.protectNTFS and core.protectHFS are now read under their correct option names. (Reported by Christopher Toth)

• CVE-2026-42563 -- Shell-quote values substituted into ProcessMergeDriver commands. A malicious branch could inject shell commands when a merge driver referencing %P was configured. (Reported by Ravishanker Kusuma (hayageek))

• CVE-2026-47712 -- Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. (Reported by Christopher Toth)

• receive.maxInputSize -- Honour receive.maxInputSize in ReceivePackHandler. Previously a remote unauthenticated client could send a tiny crafted pack that declared a huge dest_size and trigger hundreds of MB of allocation over git-receive-pack. (Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney)

dulwich-1.2.4

Tolerate ref names with empty path components (e.g. `refs/tags//v1.0`) for now, emitting a `DeprecationWarning` rather than raising a `RefFormatError`. Such names are constructed by older Poetry releases (fixed in Poetry 2.4.0) and were silently accepted before Dulwich 1.2.3. `local_branch_name`, `local_tag_name` and `local_replace_name` likewise warn about, and strip, a leading slash instead of raising `ValueError`. Both will become errors again in a future release. (Jelmer Vernooij, #2192)

dulwich-1.2.1

Changes since 1.2.0

• Derive the LFS endpoint as the remote's on-disk LFS store (<remote>/.git/lfs for worktrees, <remote>/lfs for bare repos) when remote.origin.url points at a local filesystem path or file:// URL, matching git-lfs behaviour. Previously the built-in smudge filter constructed an HTTP-style <remote>.git/info/lfs path that did not exist on disk, leaving LFS-tracked files as pointers when cloning from a local repo.

• Deduplicate objects when writing a multi-pack-index. Objects present in multiple packs (e.g. after git gc creates a cruft pack) would otherwise produce an OIDL chunk with repeated SHAs, causing git multi-pack-index verify to fail with "oid lookup out of order". (#2152)

• Extend ignorecase and precomposeunicode support to index lookups. (#1807)

1.2.0

Notable changes since 1.1.0

New features

• Add am command and porcelain.am() for applying mailbox-style email patches (git am), with state persistence for --continue, --skip, --abort, and --quit recovery (#1692).
• Add apply command and porcelain.apply_patch() for applying unified diffs, including rename/copy detection, binary patches with Git's base85 encoding, and --3way merge fallback (#1784).
• Expand log command options: --oneline, --abbrev-commit, --author, --committer, --grep, --since/--after, --until/--before, -n/--max-count, --no-merges, --merges, --stat, -p/--patch, --name-only, and --follow (#1779).
• Add support for push options (-o/--push-option) in push, enabling AGit flow and other server-side push option workflows.
• Add missing push options: --all, --tags, --delete, --dry-run, --prune, --set-upstream, --follow-tags, and --mirror (#1844).
• Add support for atomic push operations (--atomic): either all ref updates succeed or none are applied (#1781).
• Add support for extensions.relativeworktrees repository extension, allowing worktrees to use relative paths (#2112).

... (truncated)

Changelog

Sourced from dulwich's changelog.

1.2.5 2026-05-28

• SECURITY(GHSA-gfhv-vqv2-4544): Validate submodule paths in porcelain.submodule_update (and thus porcelain.clone(recurse_submodules=True)). A crafted upstream repository could carry a submodule whose path was .git/hooks (or any other path inside .git or above the work tree), causing the submodule's tree contents to be written there with their executable bits intact -- dropping a hook that later commands would run. Submodule paths are now rejected if they are absolute or carry a component that the configured path validator refuses, and the submodule's own tree is materialized with the same validator. This is the dulwich analogue of git's CVE-2024-32002 / CVE-2024-32004. (Jelmer Vernooij; reported by tonghuaroot)

• SECURITY(CVE-2026-42305): Harden tree path validation against entry names that are harmless on POSIX but dangerous when checked out on Windows. A crafted tree could previously carry such names through to the work tree. validate_path_element_ntfs now also rejects:

  • Windows path separators, so an entry named .git\hooks\pre-commit.exe can no longer materialize a file inside .git that Git for Windows would execute.
  • The alternate data stream marker : (e.g. .git::$INDEX_ALLOCATION, which writes into .git directly).
  • NTFS 8.3 short-name aliases of .git (git~<digits>); only git~1 was rejected before.
  • Reserved Windows device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), including with an extension or trailing dots/spaces such as NUL.txt or COM1 .bar.

  In addition, core.protectNTFS now defaults to true on every platform (matching git after CVE-2019-1353), so a POSIX clone no longer accepts paths that would be unsafe on a later Windows clone, and both core.protectNTFS and core.protectHFS are now read under their correct option names, having previously been silently ignored. POSIX users who need literal NTFS-unsafe filenames can opt out with core.protectNTFS=false. (Jelmer Vernooij; reported by Christopher Toth)

• SECURITY (CVE-2026-42563): Shell-quote values substituted into ProcessMergeDriver commands. %P is a path from the git tree, so a malicious branch could inject shell commands when the user had a merge driver configured that referenced %P. (Jelmer Vernooij; reported by Ravishanker Kusuma (hayageek))

• SECURITY(CVE-2026-47712): Sanitize commit subjects used in porcelain.format_patch filenames so a malicious subject (e.g. x/../../x) cannot direct the generated patch outside outdir. get_summary now matches git's format_sanitized_subject.

... (truncated)

Commits

• 073f4df Release 1.2.5
• 5f85d3e tests: fix Windows-only failures in NTFS and merge-driver tests
• 25313ad Merge branch 'advisory-5'
• 1ca1814 submodule: Reject unsafe submodule paths in submodule_update
• 3559ef1 Merge branch 'advisory-4'
• f860ca4 server: Honour receive.maxInputSize to bound received packs
• 0fd6e6b Merge branch 'advisory-3'
• 0110b88 Merge branch 'advisory-2'
• 49eb56e Add NEWS entry for CVE-2026-42305
• 57efc4a Merge branch 'advisory-1'
• Additional commits viewable in compare view

Updates starlette from 0.49.3 to 1.0.1

Release notes

Sourced from starlette's releases.

Version 1.0.1

What's Changed

• Ignore malformed Host header when constructing request.url by @​Kludex in Kludex/starlette#3279

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, @​abersheeran, and @​uSpike for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026

---

Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0

Version 1.0.0rc1

We're ready! 🚀

The first release candidate for Starlette 1.0 is here! After years on ZeroVer, we're finally making the jump.

This release removes all deprecated features marked for 1.0.0, along with some last-minute bug fixes.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, and @​abersheeran for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years!

Check out the full release notes at https://www.starlette.io/release-notes/#100rc1-february-23-2026

---

Full Changelog: Kludex/starlette@0.52.1...1.0.0rc1

Version 0.52.1

What's Changed

• Only use typing_extensions in older Python versions by @​Kludex in Kludex/starlette#3109

---

... (truncated)

Changelog

Sourced from starlette's changelog.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

• Track session access and modification in SessionMiddleware #3166.

Fixed

• Handle websocket denial responses in StreamingResponse and FileResponse #3189.
• Use bytearray for field accumulation in FormParser #3179.
• Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:

• Kim Christie - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.
• Adrian Garcia Badaracco - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.
• Thomas Grainger - My async teacher, always ready to help with questions.
• Alex Grönholm - Another async mentor, always prompt to help with questions.
• Florimond Manca - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.
• Amin Alaee - Contributed a lot with file-related PRs.
• Sebastián Ramírez - Maintains FastAPI upstream, and always in contact to help with upstream issues.
• Alex Oleshkevich - Helped a lot on templates and many discussions.

... (truncated)

Commits

• 48f8e33 Version 1.0.1 (#3281)
• f078832 Remove Hugging Face sponsor block from docs (#3280)
• 472951e chore(deps): bump the github-actions group with 2 updates (#3277)
• 764dab0 Ignore malformed Host header when constructing request.url (#3279)
• 19d0811 Harden GitHub Actions workflows and Dependabot config (#3276)
• 01f4637 chore(deps): bump idna from 3.10 to 3.15 (#3274)
• b8fa514 docs: fix typos in TestClient docs and test_requests comment (#3266)
• e935b6b fix uvicorn domain (#3269)
• 96af952 Add 7-day cooldown for dependency resolution via uv exclude-newer (#3265)
• 61e385b Add zizmor GitHub Actions security analysis workflow (#3264)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade prefect, dulwich, and starlette to pick up security fixes and stability improvements, updating root uv.lock and python_testcontainers/uv.lock.

• Dependencies
  • prefect → 3.6.28.dev2 (root): bug fixes including stricter DNS URL validation and bundle behavior; adds amplitude-analytics and cyclopts transitively.
  • dulwich → 1.2.5 (root): security release with submodule path validation, NTFS path protections, and receive.maxInputSize enforcement.
  • starlette → 1.0.1 (python_testcontainers): 1.0 line with fix to ignore malformed Host headers; lockfile also updates compatible fastapi.

^{Written for commit b062eac. Summary will update on new commits.}