build(deps): bump the token-spy-python group across 1 directory with 4 updates

[dependabot]

Updates the requirements on fastapi, uvicorn, httpx and psycopg2-binary to permit the latest version.
Updates fastapi to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates uvicorn to 0.49.0

Release notes

Sourced from uvicorn's releases.

Version 0.49.0

What's Changed

• Bump httptools minimum version to 0.8.0 by @​Kludex in Kludex/uvicorn#2962
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) by @​Kludex in Kludex/uvicorn#2971

Full Changelog: Kludex/uvicorn@0.48.0...0.49.0

Changelog

Sourced from uvicorn's changelog.

0.49.0 (June 3, 2026)

Changed

• Bump httptools minimum version to 0.8.0 (#2962)
• Consume duplicate forwarding headers in ProxyHeadersMiddleware (reverses the 0.48.0 behavior of ignoring them) (#2971)

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

0.47.0 (May 14, 2026)

Added

• Add ssl_context_factory for custom SSLContext configuration (#2920)

Changed

• Eagerly import the ASGI app in the parent process (#2919)

Fixed

• Treat fd=0 as a valid file descriptor with reload/workers (#2927)

0.46.0 (April 23, 2026)

Added

• Support ws_max_size in wsproto implementation (#2915)
• Support ws_ping_interval and ws_ping_timeout in wsproto implementation (#2916)

Changed

• Use bytearray for incoming WebSocket message buffer in websockets-sansio (#2917)

0.45.0 (April 21, 2026)

Added

• Add --reset-contextvars flag to isolate ASGI request context (#2912)
• Accept os.PathLike for log_config (#2905)
• Accept log_level strings case-insensitively (#2907)

... (truncated)

Commits

• 3ef2e3e Version 0.49.0 (#2973)
• eeb64b1 Consume duplicate forwarding headers in ProxyHeadersMiddleware (#2971)
• 630f4ac Make the watchfiles reload tests deterministic (#2972)
• 9154922 chore(deps): bump the github-actions group across 1 directory with 6 updates ...
• 739727a Migrate docs deploy from Cloudflare Pages to Workers (#2967)
• be4a240 Gate docs preview deploy on Cloudflare token presence (#2966)
• c489d7e Bump httptools minimum version to 0.8.0 (#2962)
• 9f547bd Skip docs preview deploy for Dependabot PRs (#2961)
• 44446b8 Migrate documentation from MkDocs Material to Zensical (#2959)
• cfd659c Bump pymdown-extensions to 10.21.3 (#2958)
• Additional commits viewable in compare view

Updates httpx to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

• Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

• The verify argument as a string argument is now deprecated and will raise warnings.
• The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

• The deprecated proxies argument has now been removed.
• The deprecated app argument has now been removed.
• JSON request bodies use a compact representation. (#3363)
• Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)
• Ensure certifi and httpcore are only imported if required. (#3377)
• Treat socks5h as a valid proxy scheme. (#3178)
• Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)
• Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

0.27.2 (27th August, 2024)

Fixed

• Reintroduced supposedly-private URLTypes shortcut. (#2673)

0.27.1 (27th August, 2024)

Added

• Support for zstd content decoding using the python zstandard package is added. Installable using httpx[zstd]. (#3139)

Fixed

• Improved error messaging for InvalidURL exceptions. (#3250)
• Fix app type signature in ASGITransport. (#3109)

0.27.0 (21st February, 2024)

... (truncated)

Commits

• 26d48e0 Version 0.28.1 (#3445)
• 89599a9 Fix verify=False, cert=... case. (#3442)
• 8ecb86f Add test for request params behavior changes (#3364) (#3440)
• 0cb7e5a Bump the python-packages group with 11 updates (#3434)
• 15e21e9 Updating deprecated docstring Client() class (#3426)
• 80960fa Version 0.28.0. (#3419)
• a33c878 Fix extensions type annotation. (#3380)
• ce7e14d Error on verify as str. (#3418)
• 47f4a96 Handle empty zstd responses (#3412)
• 189fc4b Update CHANGELOG.md, fix typo(s) (#3406)
• Additional commits viewable in compare view

Updates psycopg2-binary to 2.9.12

Changelog

Sourced from psycopg2-binary's changelog.

Current release

What's new in psycopg 2.9.12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix infinite loop with malformed interval (:ticket:1835).

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits

• 3a6d9d6 ci: include almalinux in whieel building
• ebca6bf chore: bump to version 3.9.12
• 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
• 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
• d52a61e chore: bump dependency libraries
• b231d72 chore: fix building binary images
• 6d76e84 Merge pull request #1836 from psycopg/fix-1835
• f7e314c fix: overflow in malformed interval
• eb905c1 docs: replace bare except clause with except Exception
• Additional commits viewable in compare view

[Lightheartdevs]

Codex grouped dependency audit: work on more before merging.

Checks are green, but this grouped Token Spy update includes runtime framework/server/client jumps: FastAPI 0.110-0.120 -> 0.136.3, Uvicorn 0.27-0.30 -> 0.48.0, HTTPX -> 0.28.1, plus psycopg2 patch. I would not merge this on CI alone. Please run focused Token Spy startup/health/API tests and a container smoke covering outbound HTTP/error handling before merge.