Skip to content

chore(deps): Bump the python-dependencies group across 1 directory with 5 updates#103

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python-dependencies-e6b851c5cd
Open

chore(deps): Bump the python-dependencies group across 1 directory with 5 updates#103
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/python-dependencies-e6b851c5cd

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Contributor

Bumps the python-dependencies group with 5 updates in the / directory:

Package From To
structlog 25.5.0 26.1.0
mcp 1.27.1 1.28.0
google-api-python-client 2.196.0 2.197.0
pytest-asyncio 1.3.0 1.4.0
code-review-graph 2.3.3 2.3.6

Updates structlog from 25.5.0 to 26.1.0

Release notes

Sourced from structlog's releases.

26.1.0

Highlights

Given how long this release took, it's pretty thicc with nice things all over the board! Apologies for the long release cycle; it's been a victim of the slopocalypse and me trying to navigate my way thru the new normal. Extra big thanks to my sponsors for not abandoning me in these unironically trying times. ❤️

Full changelog below!

Special Thanks

This release would not be possible without my generous sponsors! Thank you to all of you making sustainable maintenance possible! If you would like to join them, go to https://github.com/sponsors/hynek and check out the sweet perks!

Above and Beyond

Variomedia AG (@variomedia), Tidelift (@tidelift), Kraken Tech (@kraken-tech), Klaviyo (@klaviyo), Privacy Solutions GmbH (@privacy-solutions), FilePreviews (@filepreviews), Ecosystems (@ecosyste-ms), TestMu AI Open Source Office (Formerly LambdaTest) (@LambdaTest-Inc), GitHub (@github), Doist (@Doist), Daniel Fortunov (@asqui), and Kevin P. Fleming (@kpfleming).

Maintenance Sustainers

Buttondown (@buttondown), Christopher Dignam (@chdsbd), Magnus Watn (@magnuswatn), David Cramer (@dcramer), Rivo Laks (@rivol), Polar (@polarsource), Mike Fiedler (@miketheman), Duncan Hill (@cricalix), Colin Marquardt (@cmarqu), Pieter Swinkels (@swinkels), Nick Libertini (@libertininick), Brian M. Dennis (@crossjam), Al Sweigart (@asweigart), Celebrity News AG (@celebritynewsag), The Westervelt Company (@westerveltco), Sławomir Ehlert (@slafs), Mostafa Khalil (@khadrawy), Filip Mularczyk (@mukiblejlok), Thomas Klinger (@thmsklngr), Andreas Poehlmann (@ap--), August Trapper Bigelow (@atbigelow), Carlton Gibson (@carltongibson), and Roboflow (@roboflow).

Full Changelog

Removed

  • Python 3.8 and 3.9 support.

Deprecated

  • Support for better-exceptions is deprecated and will be removed within a year. Use our Rich integration or copy-paste the one line of code you need. #802

Added

  • Python 3.15 support. #813

  • structlog.dev.rich_monochrome_traceback for Rich-based monochrome exception rendering and add support for it throughout structlog.dev.ConsoleRenderer when the user asks for no colors. #794

  • structlog.BytesLogger now has a name attribute which allows you to use it with the structlog.stdlib.add_logger_name() processor without using the standard library integration. #786

  • structlog.processors.CallsiteParameterAdder now supports CallsiteParameter.QUAL_MODULE that adds the qualified import name of the module of the callsite, or __main__ if the module is the entry point. This is only available for structlog-originated events since the standard library has no equivalent (except for the convention of setting the logger's name to __name__). #812

  • structlog.stdlib.BoundLogger now has is_enabled_for() and get_effective_level() methods that are snake_case aliases for its isEnabledFor() and getEffectiveLevel() methods. This makes it more compatible with the native structlog.typing.FilteringBoundLogger, so you can swap configurations without changing your call sites. #818

Changed

  • structlog.dev.ConsoleRenderer does not warn anymore when the exception key has a rendered value despite having a fancy formatter configured. #790

... (truncated)

Changelog

Sourced from structlog's changelog.

26.1.0 - 2026-06-06

Removed

  • Python 3.8 and 3.9 support.

Deprecated

  • Support for better-exceptions is deprecated and will be removed within a year. Use our Rich integration or copy-paste the one line of code you need. #802

Added

  • Python 3.15 support. #813

  • structlog.dev.rich_monochrome_traceback for Rich-based monochrome exception rendering and add support for it throughout structlog.dev.ConsoleRenderer when the user asks for no colors. #794

  • structlog.BytesLogger now has a name attribute which allows you to use it with the structlog.stdlib.add_logger_name() processor without using the standard library integration. #786

  • structlog.processors.CallsiteParameterAdder now supports CallsiteParameter.QUAL_MODULE that adds the qualified import name of the module of the callsite, or __main__ if the module is the entry point. This is only available for structlog-originated events since the standard library has no equivalent (except for the convention of setting the logger's name to __name__). #812

  • structlog.stdlib.BoundLogger now has is_enabled_for() and get_effective_level() methods that are snake_case aliases for its isEnabledFor() and getEffectiveLevel() methods. This makes it more compatible with the native structlog.typing.FilteringBoundLogger, so you can swap configurations without changing your call sites. #818

Changed

  • structlog.dev.ConsoleRenderer does not warn anymore when the exception key has a rendered value despite having a fancy formatter configured. #790

Fixed

  • structlog.BytesLogger, structlog.PrintLogger, and structlog.WriteLogger now hold weak references to the files they use for output. This prevents their leakage in long-running processes that open many logfiles, such as task executors that create a per-task BytesLogger or WriteLogger. #807

  • structlog.WriteLogger is usable after unpickling. #787

  • structlog.processors.CallsiteParameterAdder now reports the calling thread's id and name for async log methods, instead of the thread from the executor pool that runs the underlying sync logger.

... (truncated)

Commits

Updates mcp from 1.27.1 to 1.28.0

Release notes

Sourced from mcp's releases.

v1.28.0

Deprecations

Two API surfaces now emit DeprecationWarning ahead of their removal in v2. Nothing is removed in 1.x, and the warnings fire only when the deprecated API is called - importing the modules stays silent.

  • WebSocket transport - mcp.client.websocket.websocket_client and mcp.server.websocket.websocket_servermodelcontextprotocol/typescript-sdk#1783
  • Experimental tasks API - ClientSession.experimental, Server.experimental, ServerSession.experimental, and the experimental_task_handlers= kwarg on ClientSession. Tasks (SEP-1686) were removed from the MCP specification and are expected to return as a separate MCP extension.

If your test suite runs with filterwarnings = ["error"] and exercises these paths, add a scoped ignore such as ignore:The experimental tasks API is deprecated:DeprecationWarning or ignore:The WebSocket .* transport is deprecated:DeprecationWarning.

See #2828 for full details.

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/python-sdk@v1.27.2...v1.28.0

v1.27.2

What's Changed

Full Changelog: modelcontextprotocol/python-sdk@v1.27.1...v1.27.2

Commits
  • 32d3290 [v1.x] Pass a list to parametrize in test_docs_examples (pytest 9.1.0 compat)...
  • 0dca751 [v1.x] Deflake the child process cleanup tests (#2839)
  • 52258a9 [v1.x] Add a v2 status banner to the README (#2835)
  • b8f4917 [v1.x] Deprecate the WebSocket transport and the experimental tasks entry poi...
  • 2309e5e fix: omit null optional fields from task result payloads (#2809)
  • 494eb11 [v1.x] Support Python 3.14 (#2769)
  • 6213787 [v1.x] Scope experimental tasks to the session that created them (#2720)
  • ce267b6 [v1.x] Bind transport sessions to the authenticated principal (#2719)
  • 1abcca2 [v1.x] Add subject and claims to AccessToken (#2690)
  • 9773a3f [v1.x] ci: deploy docs to py.sdk.modelcontextprotocol.io via Pages artifact (...
  • See full diff in compare view

Updates google-api-python-client from 2.196.0 to 2.197.0

Release notes

Sourced from google-api-python-client's releases.

v2.197.0

2.197.0 (2026-05-19)

Features

... (truncated)

Commits

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
  • Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

  • Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

  • Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits
  • 6e14cd2 chore: Prepare release of v1.4.0.
  • 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
  • ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
  • a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
  • e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
  • fc43340 Build(deps): Bump idna from 3.14 to 3.15
  • 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
  • b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
  • 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
  • 82a393c ci: Remove unnecessary debug output.
  • Additional commits viewable in compare view

Updates code-review-graph from 2.3.3 to 2.3.6

Release notes

Sourced from code-review-graph's releases.

v2.3.6 — community-response release

Community-response release. Built from a full audit of every open PR, issue, and discussion — community fixes merged with credit, verified defects fixed (including two open Windows bugs), benchmark claims made independently checkable, and the project's first self-hosted PR review bot: this repo now reviews its own pull requests with its own graph.

Highlights

  • Custom languages without forking (#320): drop a .code-review-graph/languages.toml into your repo to index any grammar shipped by tree-sitter-language-pack. See https://github.com/tirth8205/code-review-graph/blob/HEAD/docs/CUSTOM_LANGUAGES.md.
  • GitHub Action for risk-scored PR reviews: builds/restores the graph from CI cache and posts a sticky review comment with risk table, affected flows, test gaps, and token savings. See https://github.com/tirth8205/code-review-graph/blob/HEAD/docs/GITHUB_ACTION.md.
  • Honest benchmarks: new agent_baseline benchmark (graph vs a realistic grep-and-read agent), failed eval runs excluded from aggregates instead of inflating them, non-circular co-change ground truth for impact accuracy, weekly report-only eval CI. README now leads with the ~82x median; 528x is the best case, not the headline.
  • docs/FAQ.md: vs LSP, vs RAG, vs agentic grep, when NOT to use this tool, and how to verify it's working.

Fixes

  • Windows: daemon status WinError 87 crash (#511) and CLI detect-changes mapping 0 functions (#528)
  • store_file_batch transaction guard (#489 — community PR #529 by @​Devilthelegend, thank you)
  • Unknown embedding providers now error instead of silently using the local model
  • Analysis tools no longer leak SQLite connections; fastmcp capped <4; git hooks now work in worktrees and core.hooksPath/husky setups; shipped hooks drain stdin
  • Translated READMEs carry staleness banners and no longer contradict the English benchmark numbers

Full details in https://github.com/tirth8205/code-review-graph/blob/HEAD/CHANGELOG.md. No breaking changes.

v2.3.5 — Real-time token savings, visible to humans

Real-time token savings, visible to humans. The estimated context-savings metric introduced in 2.3.4 was JSON-only. In 2.3.5 it surfaces as a clean boxed panel on the CLI and is verifiable against a real tokenizer in one flag — so when you reach for code-review-graph to review a change, you can immediately see how much of your context window the graph just kept out.

Token Savings demo

Highlights

  • 🪟 Token Savings panel on both code-review-graph detect-changes --brief and the new code-review-graph update --brief. Per-category breakdown (Functions / Tests / Risk / Other) that sums exactly to the graph response size.
  • --verify flag cross-checks the displayed numbers against OpenAI's cl100k_base tokenizer. Calibration shows the estimate stays within +0.5% of real GPT-4 tokens in aggregate across 222 mixed-language source files (data in docs/REPRODUCING.md).
  • 🔁 Deterministic eval pipeline — pinned upstream SHAs, full clones with returncode checks, fixed Leiden seed. Two contributors running the benchmark recipe on different machines on different days now produce identical numbers.
  • 🎯 Multi-hop retrieval benchmark + richer embedding text + identifier-aware search boost lift compound-query accuracy from 0.545 → 0.909.
  • 📦 code-review-graph embed CLI subcommand for explicit embedding generation. Previously only reachable via MCP.

What the panel looks like

```text ┌─────────────────────── Token Savings ────────────────────────┐ │ Full context would be: 12,921 tokens │ │ Graph context used: 762 tokens │ │ Saved: 12,159 tokens (~94%) │ │ Breakdown: Functions 244 · Tests 191 · Risk 244 · Other 83 │ └──────────────────────────────────────────────────────────────┘ ```

Add --verify to grow a Verified (tiktoken) row so the numbers are no longer just an estimate.

Reproduction

End-to-end recipe with canonical numbers in docs/REPRODUCING.md. All 6 test repos pin upstream SHAs, embeddings are deterministic on CPU, Leiden detection is seeded.

... (truncated)

Changelog

Sourced from code-review-graph's changelog.

[2.3.6] - 2026-06-10

Community-response release. Built from a full audit of every open PR, issue, and discussion: community fixes merged with credit, verified defects fixed (including two open Windows bugs), benchmark claims made independently checkable, and the project's first self-hosted PR review bot — this repo now reviews its own pull requests with its own graph. No breaking changes.

Added

  • Custom languages without forking (#320): drop a .code-review-graph/languages.toml into your repo to index any grammar shipped by tree-sitter-language-pack (extension map + node-type lists, validated and capped, built-ins always win). See docs/CUSTOM_LANGUAGES.md.
  • GitHub Action for risk-scored PR review comments: composite action.yml builds/restores the graph from CI cache, runs detect-changes against the PR base, and upserts a sticky comment with risk table, affected flows, test gaps, and the Token Savings line. Dogfooded on this repo via .github/workflows/pr-review.yml. See docs/GITHUB_ACTION.md.
  • agent_baseline eval benchmark: compares graph queries against a realistic grep-and-read-top-k agent baseline instead of the whole-corpus strawman; wired into all six pinned eval configs.
  • Co-change ground truth for impact_accuracy: predictions are now also graded against files actually co-changed in the same commit; the legacy metric is explicitly labelled "graph-derived (circular — upper bound)".
  • Weekly eval CI (.github/workflows/eval.yml): report-only cron run of the two smallest pinned configs with CSV artifacts and a job summary.
  • docs/FAQ.md: how CRG compares to LSP, RAG, grep/agentic search, and adjacent tools; when NOT to use it; verification steps; monorepo/worktree and registry guidance. Linked from the README.
  • GitHub issue forms (bug/feature/platform), a PR template mirroring the CONTRIBUTING checklist, and dependabot config for pip + GitHub Actions.

Fixed

  • store_file_batch is now guarded against open transactions like its sibling (#489, merged from community PR #529 by @​Devilthelegend — thank you).
  • Windows: daemon status no longer crashes with WinError 87 (#511): PID liveness now uses OpenProcess/WaitForSingleObject on win32 instead of os.kill(pid, 0).
  • Windows: CLI detect-changes mapped 0 functions (#528): diff paths are now remapped to absolute native paths before node lookup, matching the MCP tool's behavior; also prevents the misleading "~100% token savings" line on an empty result.
  • Eval benchmarks no longer record failed runs as inflated wins: thrown get_review_context/analyze_changes calls are marked status=error and excluded from aggregates instead of producing naive/1 ratios or recall=1.0.
  • Unknown embedding provider names now raise a clear error listing valid providers instead of silently falling back to the local model.
  • The five analysis MCP tools and the wiki-page tool no longer leak SQLite

... (truncated)

Commits
  • 935695f release: v2.3.6
  • 543de44 Merge pull request #541 from tirth8205/release/community-response
  • c47ceee docs: changelog for community-response integration
  • d4ae6cf Merge branch 'fix/hooks-robustness' into release/community-response
  • 2dcd5bf Merge branch 'fix/hygiene-followups' into release/community-response
  • feb6901 Merge branch 'fix/windows-daemon-detect-changes' into release/community-response
  • bbcf243 Merge branch 'tier3/custom-languages' into release/community-response
  • d66b8bc fix: close GraphStore in analysis tools and wiki page lookup
  • 455e4af fix(changes): remap internally-parsed diff keys to absolute paths
  • 2f40add Merge branch 'tier3/community-infra' into release/community-response
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): Bump the python-dependencies group across 1 directory wi…
e92fb86 
…th 5 updates

Bumps the python-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [structlog](https://github.com/hynek/structlog) | `25.5.0` | `26.1.0` |
| [mcp](https://github.com/modelcontextprotocol/python-sdk) | `1.27.1` | `1.28.0` |
| [google-api-python-client](https://github.com/googleapis/google-api-python-client) | `2.196.0` | `2.197.0` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio) | `1.3.0` | `1.4.0` |
| [code-review-graph](https://github.com/tirth8205/code-review-graph) | `2.3.3` | `2.3.6` |



Updates `structlog` from 25.5.0 to 26.1.0
- [Release notes](https://github.com/hynek/structlog/releases)
- [Changelog](https://github.com/hynek/structlog/blob/main/CHANGELOG.md)
- [Commits](hynek/structlog@25.5.0...26.1.0)

Updates `mcp` from 1.27.1 to 1.28.0
- [Release notes](https://github.com/modelcontextprotocol/python-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/python-sdk/blob/main/RELEASE.md)
- [Commits](modelcontextprotocol/python-sdk@v1.27.1...v1.28.0)

Updates `google-api-python-client` from 2.196.0 to 2.197.0
- [Release notes](https://github.com/googleapis/google-api-python-client/releases)
- [Commits](googleapis/google-api-python-client@v2.196.0...v2.197.0)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

Updates `code-review-graph` from 2.3.3 to 2.3.6
- [Release notes](https://github.com/tirth8205/code-review-graph/releases)
- [Changelog](https://github.com/tirth8205/code-review-graph/blob/main/CHANGELOG.md)
- [Commits](tirth8205/code-review-graph@v2.3.3...v2.3.6)

---
updated-dependencies:
- dependency-name: structlog
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: mcp
  dependency-version: 1.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: google-api-python-client
  dependency-version: 2.197.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: code-review-graph
  dependency-version: 2.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 25, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jun 25, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants