chore(deps): bump the python-dependencies group across 1 directory with 10 updates #1015

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/pip/develop/python-dependencies-262a394843

dependabot[bot] commented on behalf of github on Apr 28, 2026

Updates the requirements on litellm, pyarrow, datasets, langchain-openai, opensearch-py, langchain-core, fastapi, pydantic, cryptography and starlette to permit the latest version.
Updates litellm from 1.83.12 to 1.83.14

Commits

Updates pyarrow to 24.0.0

Release notes

Sourced from pyarrow's releases.

Apache Arrow 24.0.0

Release Notes URL: https://arrow.apache.org/release/24.0.0.html

Commits
  • 31b4b6c MINOR: [Release] Update versions for 24.0.0
  • 06dbc17 MINOR: [Release] Update .deb/.rpm changelogs for 24.0.0
  • a021d80 MINOR: [Release] Update CHANGELOG.md for 24.0.0
  • 2d6b12c GH-49716: [C++] FixedShapeTensorType::Deserialize should strictly validate se...
  • a74cb6a GH-49697: [C++][CI] Check IPC file body bounds are in sync with decoder outco...
  • 871a0c6 GH-49676: [Python][Packaging] Fix gRPC docker image layer being too big for h...
  • f9203b3 GH-49586: [C++][CI] StructToStructSubset test failure with libc++ 22.1.1 (#49...
  • fe298b4 GH-49628: [Python][Interchange protocol] Suppress warnings for pandas 4.0.0 a...
  • 1f94910 GH-49252: [GLib] Deprecate Feather features (#49673)
  • 5ba5c3c GH-49671: [CI][Docs] Don't run jobs for push by Dependabot (#49672)
  • Additional commits viewable in compare view

Updates datasets from 3.6.0 to 4.8.5

Release notes

Sourced from datasets's releases.

4.8.5

Main bug fixes

Other improvements and bug fixes

New Contributors

Full Changelog: huggingface/datasets@4.8.4...4.8.5

4.8.4

What's Changed

Full Changelog: huggingface/datasets@4.8.3...4.8.4

4.8.3

What's Changed

Full Changelog: huggingface/datasets@4.8.2...4.8.3

4.8.2

What's Changed

... (truncated)

Commits

Updates langchain-openai from 1.1.10 to 1.2.1

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.2.1

Changes since langchain-openai==1.2.0

  • hotfix: bump min core versions (#36996)
  • release(openai): 1.2.1 (#36995)
  • fix(openai): add gpt-5.5 pro to Responses API check (#36994)
  • feat(core): add content-block-centric streaming (v2) (#36834)
  • chore(model-profiles): refresh model profile data (#36982)

langchain-openai==1.2.0

Changes since langchain-openai==1.1.16

  • release(openai): 1.2.0 (#36961)
  • feat(openai): prevent silent streaming hangs in ChatOpenAI (#36949)
  • hotfix(ci): remove nobenchmark flag (#36959)
  • chore(partners): standardize integration test invocation (#36958)

langchain-openai==1.1.16

Changes since langchain-openai==1.1.15

  • release(openai): 1.1.16 (#36927)
  • fix(openai): tolerate prompt_cache_retention drift in streaming (#36925)

langchain-openai==1.1.15

Changes since langchain-openai==1.1.14

  • release(openai): 1.1.15 (#36901)
  • fix(openai): accommodate dict response items in streaming (#36899)
  • fix(openai): infer azure chat profiles from model name (#36858)
  • chore(model-profiles): refresh model profile data (#36864)

langchain-openai==1.1.14

Changes since langchain-openai==1.1.13

  • release(openai): 1.1.14 (#36820)
  • fix(openai): use SSRF-safe transport for image token counting (#36819)
  • chore(deps): bump pytest to 9.0.3 (#36801)
  • chore: bump langsmith from 0.6.3 to 0.7.31 in /libs/partners/openai (#36795)
  • chore: bump pillow from 12.1.1 to 12.2.0 in /libs/partners/openai (#36777)

langchain-openai==1.1.13

Changes since langchain-openai==1.1.12

  • release(openai): 1.1.13 (#36729)
  • fix(openai): handle content blocks without type key in responses api conversion (#36725)
  • chore(model-profiles): refresh model profile data (#36539)
  • chore(openai): fix broken vcr cassette playback and add ci guard (#36502)
  • fix(openai,groq,openrouter): use is-not-None checks in usage metadata token extraction (#36500)
  • fix(core): fixed typos in the documentation (#36459)
  • chore(model-profiles): refresh model profile data (#36455)

... (truncated)

Commits

Updates opensearch-py from 3.1.0 to 3.2.0

Release notes

Sourced from opensearch-py's releases.

v3.2.0

What's Changed

New Contributors

Full Changelog: opensearch-project/opensearch-py@v3.1.0...v3.2.0

Changelog

Sourced from opensearch-py's changelog.

[3.2.0]

Added

  • Add dependency on opensearch-protobufs to provide client libraries for gRPC transport (#977)
  • Add ML Commons plugin documentation (#992)

Updated APIs

Changed

Deprecated

Removed

Fixed

  • Fixed AWSV4Signer.sign() not passing custom headers to AWSRequest, causing x-amz-* headers to be excluded from SigV4 signature (#1034)
  • Fixed AWSV4Signer.sign() not setting X-Amz-Content-SHA256 before SigV4Auth.add_auth(), causing the header to be absent from SignedHeaders in the Authorization header. The fix uses a guarded assignment that preserves caller-provided values (e.g., UNSIGNED-PAYLOAD, precomputed hashes) (#1038, #1039)
  • Fixed the linkchecker CI step (#987)

Security

Dependencies

  • Bump pytest-asyncio from <=1.2.0 to <=1.3.0 (#984)
  • Bump actions/checkout from 5 to 6 (#986)
  • Bump codecov/codecov-action from 4 to 5 (#985)
  • Bump actions/upload-artifact from 5 to 6 (#989)
  • Bump actions/download-artifact from 6 to 7 (#988)
  • Bump peter-evans/create-pull-request from 7 to 8 (#990)
  • Bump opensearch-protobufs from 0.19.0 to 1.2.0 (#1000)
Commits
  • 8991792 fix(signer): Include X-Amz-Content-SHA256 in SignedHeaders (#1038) (#1039)
  • d8a8c57 Fix AWSV4Signer.sign() not passing headers to AWSRequest (#1035)
  • 6551595 Bump opensearch protobufs - 1.2.0. (#1000)
  • 94ae310 Fix CI failures due to API spec updates (#1007)
  • 1ce5b46 fix(docs): use keyword arguments in security API examples (#1004)
  • 9b6d240 Bump peter-evans/create-pull-request from 7 to 8 (#990)
  • 02c5dcc Bump actions/download-artifact from 6 to 7 (#988)
  • fa8a862 Bump actions/upload-artifact from 5 to 6 (#989)
  • f5ef694 Updated opensearch-py to reflect the latest OpenSearch API spec (2026-01-22) ...
  • 10ab792 ci: fix mypy type ignore for untyped decorator in tests (#993)
  • Additional commits viewable in compare view

Updates langchain-core from 1.3.0 to 1.3.2

Release notes

Sourced from langchain-core's releases.

langchain-core==1.3.2

Changes since langchain-core==1.3.1

  • release(core): 1.3.2 (#36990)
  • feat(core): add content-block-centric streaming (v2) (#36834)

langchain-core==1.3.1

Changes since langchain-core==1.3.0

  • release(core): 1.3.1 (#36972)
  • feat(core): allow _format_output to pass through list of ToolOutputMixin instances (#36963)
  • chore: bump nbconvert from 7.17.0 to 7.17.1 in /libs/core (#36923)
  • feat(core): Update inheritance behavior for tracer metadata for special keys (#36900)
  • chore: bump langsmith from 0.7.13 to 0.7.31 in /libs/core (#36813)

Commits

Updates fastapi from 0.124.4 to 0.136.1

Release notes

Sourced from fastapi's releases.

0.136.1

Upgrades

Internal

0.136.0

Upgrades

0.135.4

Refactors

Internal

0.135.3

... (truncated)

Commits

Updates pydantic from 2.12.5 to 2.13.3

Release notes

Sourced from pydantic's releases.

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

v2.13.0 (2026-04-13)

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes since 2.12.

Packaging

  • Add zizmor for GitHub Actions workflow linting by @​Viicos in #13039
  • Update jiter to v0.14.0 to fix a segmentation fault on musl Linux by @​Viicos in #13064

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

  • Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post. Several minor changes (considered non-breaking changes according to our versioning policy) are also included in this release. Make sure to look into them before upgrading.

This release contains the updated pydantic.v1 namespace, matching version 1.10.26 which includes support for Python 3.14.

What's Changed

See the beta releases for all changes since 2.12.

New Features

  • Allow default factories of private attributes to take validated model data by @​Viicos in #13013

Changes

... (truncated)

Commits
  • 9e9a111 Fix backported test
  • 1ec8c6a Prepare release v2.13.3
  • fb4f204 Handle AttributeError subclasses with from_attributes
  • ca3ddd1 Prepare release v2.13.2
  • 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
  • d45d8be Prepare release 2.13.1
  • 54aca60 Fix ValidationInfo.data missing with model_validate_json()
  • 46bf4fa Fix Pydantic release workflow (#13067)
  • 1b359ed Prepare release v2.13.0 (#13065)
  • b1bf194 Fix model equality when using runtime extra configuration (#13062)
  • Additional commits viewable in compare view

Updates cryptography from 46.0.7 to 47.0.0

Changelog

Sourced from cryptography's changelog.

47.0.0 - 2026-04-24


* Support for Python 3.8 is deprecated and will be removed in the next
  ``cryptography`` release.
* **BACKWARDS INCOMPATIBLE:** Support for binary elliptic curves
  (``SECT*`` classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.
* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC
  continue to be supported.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 4.1.
* **BACKWARDS INCOMPATIBLE:** Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  :class:`~cryptography.exceptions.UnsupportedAlgorithm` instead of
  ``ValueError``. This change affects
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`,
  :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key`,
  and :meth:`~cryptography.x509.Certificate.public_key` when called on
  certificates with unsupported public key algorithms.
* **BACKWARDS INCOMPATIBLE:** When parsing elliptic curve private keys, we now
  reject keys that incorrectly encode a private key of the wrong length because
  such keys are impossible to process in a constant-time manner. We do not
  believe keys with this problem are in wide use, however we may revert this
  change based on the feedback we receive.
* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  :class:`~cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`. In a
  future release, only 192-bit (24-byte) keys will be accepted. Users should
  expand shorter keys themselves (e.g., for single DES: ``key + key + key``,
  for two-key: ``key + key[:8]``).
* Updated the minimum supported Rust version (MSRV) to 1.83.0, from 1.74.0.
* Support for ``x86_64`` macOS (including publishing wheels) is deprecated
  and will be removed in the next release. We will switch to publishing an
  ``arm64`` only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is deprecated
  and will be removed in the next release. Users should move to a 64-bit
  Python installation.
* ``public_bytes`` and ``private_bytes`` methods on keys now raise
  ``TypeError`` (instead of ``ValueError``) if an invalid encoding is provided
  for the given ``format``.
* Moved :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB`,
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.OFB`, and
  :class:`~cryptography.hazmat.decrepit.ciphers.modes.CFB8` into
  :doc:`/hazmat/decrepit/index` and deprecated them in the ``modes`` module.
  They will be removed from the ``modes`` module in 49.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Camellia`
  into  :doc:`/hazmat/decrepit/index` and deprecated it in the ``cipher`` module.
  It will be removed from the ``cipher`` module in 49.0.0.

... (truncated)

Commits

Updates starlette to 1.0.0

Release notes

Sourced from starlette's releases.

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, @​abersheeran, and @​uSpike for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026


Full Changelog: Kludex/starlette@1.0.0rc1...1.0.0

Changelog

Sourced from starlette's changelog.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

  • Track session access and modification in SessionMiddleware #3166.

Fixed

  • Handle websocket denial responses in StreamingResponse and FileResponse #3189.
  • Use bytearray for field accumulation in FormParser #3179.
  • Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

We're ready! I'm thrilled to announce the first release candidate for Starlette 1.0.

Starlette was created in June 2018 by Tom Christie, and has been on ZeroVer for years. Today, it's downloaded almost 10 million times a day, serves as the foundation for FastAPI, and has inspired many other frameworks. In the age of AI, Starlette continues to play an important role as a dependency of the Python MCP SDK.

This release focuses on removing deprecated features that were marked for removal in 1.0.0, along with some last minute bug fixes. It's a release candidate, so we can gather feedback from the community before the final 1.0.0 release soon.

A huge thank you to all the contributors who have helped make Starlette what it is today. In particular, I'd like to recognize:

  • Kim Christie - The original creator of Starlette, Uvicorn, and MkDocs, and the current maintainer of HTTPX. Kim's work helped lay the foundation for the modern async Python ecosystem.
  • Adrian Garcia Badaracco - One of the smartest people I know, whom I have the pleasure of working with at Pydantic.
  • Thomas Grainger - My async teacher, always ready to help with questions.
  • Alex Grönholm - Another async mentor, always prompt to help with questions.
  • Florimond Manca - Always present in the early days of both Starlette and Uvicorn, and helped a lot in the ecosystem.

…th 10 updates

Updates the requirements on [litellm](https://github.com/BerriAI/litellm), [pyarrow](https://github.com/apache/arrow), [datasets](https://github.com/huggingface/datasets), [langchain-openai](https://github.com/langchain-ai/langchain), [opensearch-py](https://github.com/opensearch-project/opensearch-py), [langchain-core](https://github.com/langchain-ai/langchain), [fastapi](https://github.com/fastapi/fastapi), [pydantic](https://github.com/pydantic/pydantic), [cryptography](https://github.com/pyca/cryptography) and [starlette](https://github.com/Kludex/starlette) to permit the latest version.

Updates `litellm` from 1.83.12 to 1.83.14
- [Release notes](https://github.com/BerriAI/litellm/releases)
- [Commits](https://github.com/BerriAI/litellm/commits)

Updates `pyarrow` to 24.0.0
- [Release notes](https://github.com/apache/arrow/releases)
- [Commits](apache/arrow@apache-arrow-20.0.0...apache-arrow-24.0.0)

Updates `datasets` from 3.6.0 to 4.8.5
- [Release notes](https://github.com/huggingface/datasets/releases)
- [Commits](huggingface/datasets@3.6.0...4.8.5)

Updates `langchain-openai` from 1.1.10 to 1.2.1
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-openai==1.1.10...langchain-openai==1.2.1)

Updates `opensearch-py` from 3.1.0 to 3.2.0
- [Release notes](https://github.com/opensearch-project/opensearch-py/releases)
- [Changelog](https://github.com/opensearch-project/opensearch-py/blob/main/CHANGELOG.md)
- [Commits](opensearch-project/opensearch-py@v3.1.0...v3.2.0)

Updates `langchain-core` from 1.3.0 to 1.3.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-core==1.3.0...langchain-core==1.3.2)

Updates `fastapi` from 0.124.4 to 0.136.1
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.124.4...0.136.1)

Updates `pydantic` from 2.12.5 to 2.13.3
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](pydantic/pydantic@v2.12.5...v2.13.3)

Updates `cryptography` from 46.0.7 to 47.0.0
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...47.0.0)

Updates `starlette` to 1.0.0
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@0.40.0...1.0.0)

---
updated-dependencies:
- dependency-name: litellm
  dependency-version: 1.83.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: pyarrow
  dependency-version: 24.0.0
  dependency-type: direct:development
  dependency-group: python-dependencies
- dependency-name: datasets
  dependency-version: 4.8.5
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: langchain-openai
  dependency-version: 1.2.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: opensearch-py
  dependency-version: 3.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: langchain-core
  dependency-version: 1.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: fastapi
  dependency-version: 0.136.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: pydantic
  dependency-version: 2.13.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: cryptography
  dependency-version: 47.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: python-dependencies
- dependency-name: starlette
  dependency-version: 1.0.0
  dependency-type: direct:development
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies and python labels on Apr 28, 2026
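
A pre-merge check for the cryptography 47.0.0 entry quoted above, where the four key loaders now raise `UnsupportedAlgorithm` instead of `ValueError` (added example, not part of this pull request or of cryptography). It uses Python's `ast` module to flag loader calls inside `try` blocks that catch `ValueError` but nothing that covers the new exception; `SAMPLE` is constructed input and `find_stale_handlers` is a hypothetical helper name.

```python
import ast

# Loader names taken from the cryptography 47.0.0 changelog entry quoted above.
LOADERS = {
    "load_pem_private_key", "load_der_private_key",
    "load_pem_public_key", "load_der_public_key",
}
# Exception names that still cover UnsupportedAlgorithm (bare except handled below).
COVERING = {"UnsupportedAlgorithm", "Exception", "BaseException"}

# Constructed sample: one handler written for the old behaviour, one updated.
SAMPLE = '''
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import serialization

def load_old(pem):
    try:
        return serialization.load_pem_private_key(pem, password=None)
    except ValueError:
        return None

def load_new(pem):
    try:
        return serialization.load_pem_public_key(pem)
    except (ValueError, UnsupportedAlgorithm):
        return None
'''


def _name(node):
    """Rightmost identifier of a Name/Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _caught(handler):
    """Exception names an except clause catches; None for a bare except."""
    if handler.type is None:
        return None
    t = handler.type
    return {_name(e) for e in (t.elts if isinstance(t, ast.Tuple) else [t])}


def find_stale_handlers(source):
    """Return sorted (lineno, loader) pairs guarded by ValueError only."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Try):
            continue
        caught = [_caught(h) for h in node.handlers]
        if any(c is None for c in caught):
            continue  # a bare except still catches the new exception
        names = set().union(*caught)
        if "ValueError" not in names or names & COVERING:
            continue  # no ValueError handler, or the new exception is covered
        for stmt in node.body:
            for call in ast.walk(stmt):
                if isinstance(call, ast.Call) and _name(call.func) in LOADERS:
                    findings.add((call.lineno, _name(call.func)))
    return sorted(findings)


if __name__ == "__main__":
    print(find_stale_handlers(SAMPLE))
```

The scan covers only the four loader functions; `Certificate.public_key()` from the same changelog entry is left out because the method name is too generic to match by name alone.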