chore(deps): Bump the python-dependencies group with 2 updates

[dependabot]

Bumps the python-dependencies group with 2 updates: pytest-asyncio and code-review-graph.

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
• Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

• Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

• Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits

• 6e14cd2 chore: Prepare release of v1.4.0.
• 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
• ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
• a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
• e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
• fc43340 Build(deps): Bump idna from 3.14 to 3.15
• 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
• b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
• 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
• 82a393c ci: Remove unnecessary debug output.
• Additional commits viewable in compare view

Updates code-review-graph from 2.3.3 to 2.3.5

Release notes

Sourced from code-review-graph's releases.

v2.3.5 — Real-time token savings, visible to humans

Real-time token savings, visible to humans. The estimated context-savings metric introduced in 2.3.4 was JSON-only. In 2.3.5 it surfaces as a clean boxed panel on the CLI and is verifiable against a real tokenizer in one flag — so when you reach for code-review-graph to review a change, you can immediately see how much of your context window the graph just kept out.

Highlights

• 🪟 Token Savings panel on both code-review-graph detect-changes --brief and the new code-review-graph update --brief. Per-category breakdown (Functions / Tests / Risk / Other) that sums exactly to the graph response size.
• ✅ --verify flag cross-checks the displayed numbers against OpenAI's cl100k_base tokenizer. Calibration shows the estimate stays within +0.5% of real GPT-4 tokens in aggregate across 222 mixed-language source files (data in docs/REPRODUCING.md).
• 🔁 Deterministic eval pipeline — pinned upstream SHAs, full clones with returncode checks, fixed Leiden seed. Two contributors running the benchmark recipe on different machines on different days now produce identical numbers.
• 🎯 Multi-hop retrieval benchmark + richer embedding text + identifier-aware search boost lift compound-query accuracy from 0.545 → 0.909.
• 📦 code-review-graph embed CLI subcommand for explicit embedding generation. Previously only reachable via MCP.

What the panel looks like

```text ┌─────────────────────── Token Savings ────────────────────────┐ │ Full context would be: 12,921 tokens │ │ Graph context used: 762 tokens │ │ Saved: 12,159 tokens (~94%) │ │ Breakdown: Functions 244 · Tests 191 · Risk 244 · Other 83 │ └──────────────────────────────────────────────────────────────┘ ```

Add --verify to grow a Verified (tiktoken) row so the numbers are no longer just an estimate.

Reproduction

End-to-end recipe with canonical numbers in docs/REPRODUCING.md. All 6 test repos pin upstream SHAs, embeddings are deterministic on CPU, Leiden detection is seeded.

Full release notes

CHANGELOG.md — v2.3.5 entry

v2.3.4

Focused reliability and token-efficiency release for MCP/CLI review workflows. No breaking changes.

Added

• Estimated context savings metadata for graph-filtered review/impact/architecture responses. The new context_savings field is intentionally compact (estimated, saved_tokens, saved_percent) and uses the existing conservative character-count approximation rather than claiming exact tokenization.
• CLI estimated savings line for code-review-graph detect-changes --brief; full JSON output includes the same compact context_savings metadata.

Changed

• Architecture overview is compact by default: get_architecture_overview_tool now defaults to detail_level="minimal", dropping per-community member lists and aggregating cross-community edges by community pair. Full per-edge output remains available with detail_level="standard".
• Bounded change analysis: detect_changes_tool can now cap very large changed-function and transitive-test frontiers with CRG_MAX_CHANGED_FUNCS and CRG_MAX_TRANSITIVE_FRONTIER, and can return a structured timeout error via CRG_TOOL_TIMEOUT.

Fixed

... (truncated)

Changelog

Sourced from code-review-graph's changelog.

[2.3.5] - 2026-05-25

Real-time token savings, visible to humans. The estimated context-savings metric introduced in 2.3.4 was JSON-only. In 2.3.5 it surfaces as a clean boxed panel on the CLI and is verifiable against a real tokenizer in one flag — so when you reach for code-review-graph to review a change, you can immediately see how much of your context window the graph just kept out. No breaking changes.

Added — Token Savings (headline feature)

• Boxed Token Savings panel on every --brief CLI call. Both code-review-graph detect-changes --brief and the new code-review-graph update --brief print a four-line panel: the full-context baseline, the graph response size, total saved tokens with percent, and a per-category breakdown (Functions / Tests / Risk / Other) that sums exactly to the graph response size — no padding, no rounding magic.

  ┌─────────────────────── Token Savings ────────────────────────┐
  │ Full context would be:     12,921 tokens                     │
  │ Graph context used:           762 tokens                     │
  │ Saved:                     12,159 tokens (~94%)              │
  │ Breakdown: Functions 244 · Tests 191 · Risk 244 · Other 83   │
  └──────────────────────────────────────────────────────────────┘
  

• --verify flag cross-checks the displayed numbers against OpenAI's cl100k_base tokenizer (the GPT-4 family). Adds a second Verified (tiktoken) row to the panel showing the real token counts. Requires pip install tiktoken. A one-time calibration across 222 mixed source files (Python/JS/TS/Go/Rust/RST/MD) committed in docs/REPRODUCING.md shows the chars/4 approximation stays within +0.5% of real tokens in aggregate; per-repo bias is bounded to ±12% and the ratio stays stable because both sides of the divide are equally biased.

• code-review-graph update --brief — incremental update plus the same risk + Token Savings panel in one command. Distinct from detect-changes --brief (which is read-only against the existing graph). Use update --brief when the graph might be stale (post-rebase, large change set); use detect-changes --brief when hooks/crg-daemon have already kept the graph fresh.

Added — Reproducible benchmarks

• docs/REPRODUCING.md — end-to-end reproduction recipe with canonical numbers, the tiktoken calibration table, and an explicit explanation of the three different "token" benchmarks in the codebase and what each measures. Two people running the recipe on different machines on

... (truncated)

Commits

• c65b47b docs: 2.3.5 release notes, reproduction recipe, refreshed diagrams
• c04af36 feat: deterministic eval pipeline, multi-hop benchmark, search lift
• 1356a8b feat: real-time Token Savings panel and tiktoken cross-check
• ef640c1 docs: clean up stale project metadata
• cafa8a9 docs: align documentation with current CRG behaviour
• 8e0882a Merge pull request #512 from tirth8205/release/2.3.4-prep
• 0e80df4 chore: satisfy release lint checks
• 9088092 docs: prepare 2.3.4 release notes
• 9c22fd2 feat: add estimated context savings
• 7df524c fix: bound detect changes analysis
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.