deps(deps): bump the python-runtime group across 1 directory with 10 updates

[dependabot]

Bumps the python-runtime group with 10 updates in the / directory:

Package	From	To
mcp	1.27.1	1.27.2
uvicorn	0.47.0	0.48.0
starlette	1.1.0	1.2.1
python-multipart	0.0.29	0.0.30
pytest-asyncio	1.3.0	1.4.0
ruff	0.15.14	0.15.15
coverage	7.14.0	7.14.1
idna	3.16	3.17
platformdirs	4.9.6	4.10.0
pydantic-core	2.46.4	2.47.0

Updates mcp from 1.27.1 to 1.27.2

Release notes

Sourced from mcp's releases.

v1.27.2

What's Changed

• [v1.x] ci: deploy docs to py.sdk.modelcontextprotocol.io via Pages artifact by @​maxisbey in modelcontextprotocol/python-sdk#2635
• [v1.x] Add subject and claims to AccessToken by @​maxisbey in modelcontextprotocol/python-sdk#2690
• [v1.x] Bind transport sessions to the authenticated principal by @​maxisbey in modelcontextprotocol/python-sdk#2719
• [v1.x] Scope experimental tasks to the session that created them by @​maxisbey in modelcontextprotocol/python-sdk#2720

Full Changelog: modelcontextprotocol/python-sdk@v1.27.1...v1.27.2

Commits

• 6213787 [v1.x] Scope experimental tasks to the session that created them (#2720)
• ce267b6 [v1.x] Bind transport sessions to the authenticated principal (#2719)
• 1abcca2 [v1.x] Add subject and claims to AccessToken (#2690)
• 9773a3f [v1.x] ci: deploy docs to py.sdk.modelcontextprotocol.io via Pages artifact (...
• See full diff in compare view

Updates uvicorn from 0.47.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• See full diff in compare view

Updates starlette from 1.1.0 to 1.2.1

Release notes

Sourced from starlette's releases.

Version 1.2.1

What's Changed

• Use httpx2 for type checking in the testclient module by @​leifwar in Kludex/starlette#3304
• Add assert error for requires() when request param is not Request type by @​KeeganOP in Kludex/starlette#3298

New Contributors

• @​leifwar made their first contribution in Kludex/starlette#3304
• @​diskeu made their first contribution in Kludex/starlette#3243
• @​KeeganOP made their first contribution in Kludex/starlette#3298

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

• Support httpx2 in the test client by @​Kludex in Kludex/starlette#3291

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Changelog

Sourced from starlette's changelog.

1.2.1 (May 31, 2026)

Fixed

• Use httpx2 for type checking in the testclient module #3304.
• Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

Commits

• ef773fe Version 1.2.1 (#3306)
• 3fc68a7 Add sponsors section to docs sidebar (#3305)
• b053f7b chore(deps): bump the python-packages group across 1 directory with 6 updates...
• 1478775 Add assert error for requires() when request param is not Request type (#3298)
• 6576547 Describe disconnected-after-response behavior in test docstring (#3243)
• 9cb1553 Use same module (httpx|httpx2) for type checking as for runtime (#3304)
• 4060987 Version 1.2.0 (#3300)
• 1e289ca Migrate docs deploy from Cloudflare Pages to Workers Static Assets (#3282)
• 100f05a Add httpx2 as a dev dependency (#3295)
• 508023b Support httpx2 in the test client (#3291)
• See full diff in compare view

Updates python-multipart from 0.0.29 to 0.0.30

Release notes

Sourced from python-multipart's releases.

Version 0.0.30

What's Changed

• Treat only & as the urlencoded field separator by @​Kludex in Kludex/python-multipart#290
• Ignore RFC 2231 extended parameters in parse_options_header by @​Kludex in Kludex/python-multipart#291

Full Changelog: Kludex/python-multipart@0.0.29...0.0.30

Changelog

Sourced from python-multipart's changelog.

0.0.30 (2026-05-31)

• Parse application/x-www-form-urlencoded bodies per the WHATWG URL standard, treating only & as a field separator #290.
• Ignore RFC 2231/5987 extended parameters (name*, filename*) in parse_options_header, keeping the plain parameter authoritative per RFC 7578 §4.2 #291.

Commits

• 9d3ead5 Version 0.0.30 (#292)
• 3506c15 Ignore RFC 2231 extended parameters in parse_options_header (#291)
• d69df35 Treat only & as the urlencoded field separator (#290)
• 1e6ff97 Bump idna from 3.11 to 3.15 (#289)
• See full diff in compare view

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
• Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

• Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

• Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

• Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

• Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

  The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

  Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

• Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
• Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits

• 6e14cd2 chore: Prepare release of v1.4.0.
• 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
• ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
• a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
• e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
• fc43340 Build(deps): Bump idna from 3.14 to 3.15
• 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
• b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
• 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
• 82a393c ci: Remove unnecessary debug output.
• Additional commits viewable in compare view

Updates ruff from 0.15.14 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.15

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser
• @​Ruchir28

Commits

• db5aa0a Bump 0.15.15 (#25431)
• 366fe21 [ty] Improve diagnostics for syntax errors in forward annotations (#25158)
• e2e1e64 [ty] Remove excess capacity from more Salsa cached collections (#25411)
• 1bd77e1 [ty] Use diagnostic message as tie breaker when sorting (#25424)
• 7e1bc1e Add agent skills for working on ty (#25422)
• 574e107 Expand semantic syntax errors for invalid walruses (#25415)
• 4a7ca06 [ty] Display docs for matching parameter when hovering over the name of an ar...
• 5432709 Refine a few agents instructions (#25423)
• 3cb09eb [ty] Support typing.TypeForm (#25334)
• c8cd59f [ty] Infer class attributes assigned by metaclass initialization (#25342)
• Additional commits viewable in compare view

Updates coverage from 7.14.0 to 7.14.1

Changelog

Sourced from coverage's changelog.

Version 7.14.1 — 2026-05-26

• Fix: the HTML report used typographic niceties to make file paths more readable by adding a small amount of space around slashes. Those spaces interfered with searching the page for file paths of interest. Now the report uses CSS to accomplish the same visual tweak so that searches with slashes work correctly. Closes issue 2170_.

• Add a 3.16 PyPI classifier <hugo-316_>_ since we test on the 3.16 main branch.

.. _issue 2170: coveragepy/coveragepy#2170 .. _hugo-316: https://mastodon.social/@​hugovk/116588523571204490

.. _changes_7-14-0:

Commits

• 64d9b66 docs: correct the date for 7.14.1
• 6fa7dd4 chore: bump actions/dependency-review-action (#2181)
• 078afae docs: sample HTML for 7.14.1
• cb4f028 docs: prep for 7.14.1
• ae2d09f Merge branch 'nedbat/classifire-316-kits'
• 2c3568b build: declare 3.16 compatibility
• faa68f8 chore: bump github/codeql-action in the action-dependencies group (#2173)
• eb55fee test: we don't need PyPy < 7.3.22 anymore
• ac168fe test: the text summary should show missing
• fed4bd2 chore: upgrade virtualenv
• Additional commits viewable in compare view

Updates idna from 3.16 to 3.17

Changelog

Sourced from idna's changelog.

3.17 (2026-05-28)

• Substantial 75% reduction in memory usage through new data structures and some optimization in processing speed.
• Added a general 1024-character input length cap to the public validation, conversion, and codec entry points. This is well above any legitimate domain or label and guards against pathological inputs.

Commits

• f48619c Release 3.17
• 7421ba8 Pre-release 3.17rc0
• 22ebb73 Merge pull request #251 from kjd/structure-optimizations
• 2a7ac0a Drop redundant parallel-arrays comment from uts46data
• 354eee9 Apply ruff format to uts46data.py
• 8c34ffc Refactor uts46data into parallel arrays
• 1189629 Range-encode joining_types for compact representation
• f90b87a Generic length limit for functions
• d6ffd28 Merge pull request #247 from kjd/release-3.16
• See full diff in compare view

Updates platformdirs from 4.9.6 to 4.10.0

Release notes

Sourced from platformdirs's releases.

4.10.0

What's Changed

• chore: improve platformdirs maintenance path by @​lphuc2250gma in tox-dev/platformdirs#488
• ✨ feat: add user_projects_dir for $XDG_PROJECTS_DIR by @​gaborbernat in tox-dev/platformdirs#490
• ✨ feat: add user_publicshare_dir, user_templates_dir, user_fonts_dir, user_preference_dir by @​gaborbernat in tox-dev/platformdirs#491

New Contributors

• @​lphuc2250gma made their first contribution in tox-dev/platformdirs#488

Full Changelog: tox-dev/platformdirs@4.9.6...4.10.0

Changelog

Sourced from platformdirs's changelog.

########### Changelog ###########

---

4.10.0 (2026-05-28)

---

• ✨ feat: add user_publicshare_dir, user_templates_dir, user_fonts_dir, user_preference_dir :pr:491
• ✨ feat: add user_projects_dir for $XDG_PROJECTS_DIR :pr:490
• chore: improve platformdirs maintenance path :pr:488 - by :user:lphuc2250gma

---

4.9.6 (2026-04-09)

---

• 🐛 fix(release): use double quotes for tag variable expansion :pr:477

---

4.9.5 (2026-04-06)

---

• 📝 docs(appauthor): clarify None vs False on Windows :pr:476
• Separates implementations of macOS dirs that share a default :pr:473 - by :user:Goddesen
• Remove persist-credentials: false from release job :pr:472
• fix: do not duplicate site dirs in Unix.iter_{config,site}_dirs() when use_site_for_root is active :pr:469 - by :user:viccie30
• 🔧 fix(type): resolve ty 0.0.25 type errors :pr:468
• 🔒 ci(workflows): add zizmor security auditing :pr:467
• 🐛 fix(release): generate docstrfmt-compatible changelog entries :pr:463

---

4.9.4 (2026-03-05)

---

• [pre-commit.ci] pre-commit autoupdate :pr:461 - by :user:pre-commit-ci[bot]
• Update README.md
• 📝 docs: add project logo to documentation :pr:459
• Standardize .github files to .yaml suffix
• build(deps): bump the all group with 2 updates :pr:457 - by :user:dependabot[bot]
• Move SECURITY.md to .github/SECURITY.md
• Add permissions to workflows :pr:455
• Add security policy
• [pre-commit.ci] pre-commit autoupdate :pr:454 - by :user:pre-commit-ci[bot]

---

4.9.2 (2026-02-16)

---

• 📝 docs: restructure following Diataxis framework :pr:448

... (truncated)

Commits

• 04cb136 Release 4.10.0
• 078bc61 ✨ feat: add user_publicshare_dir, user_templates_dir, user_fonts_dir, user_pr...
• d279747 ✨ feat: add user_projects_dir for $XDG_PROJECTS_DIR (#490)
• 4116391 [pre-commit.ci] pre-commit autoupdate (#489)
• dbc63f5 chore: improve platformdirs maintenance path (#488)
• 9265108 [pre-commit.ci] pre-commit autoupdate (#487)
• 9f857ec [pre-commit.ci] pre-commit autoupdate (#486)
• a76e777 [pre-commit.ci] pre-commit autoupdate (#484)
• 903fd9f [pre-commit.ci] pre-commit autoupdate (#483)
• a5da35d build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 in the all group (#482)
• Additional commits viewable in compare view

Updates pydantic-core from 2.46.4 to 2.47.0

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.