build(deps): bump the python-deps group across 1 directory with 20 updates

[dependabot]

Bumps the python-deps group with 18 updates in the / directory:

Package	From	To
redis	7.4.0	8.0.1
tuf	6.0.0	7.0.0
dynaconf	3.2.13	3.3.0
sqlalchemy	2.0.49	2.0.51
psycopg2	2.9.11	2.9.12
pydantic	2.12.5	2.13.4
boto3	1.42.85	1.43.36
awswrangler	3.15.1	3.16.1
sigstore	4.2.0	4.3.0
pymysql	1.1.2	1.2.0
google-cloud-kms	3.12.0	3.14.0
tox	4.52.0	4.56.1
coverage	7.13.5	7.14.3
ruff	0.15.9	0.15.19
mypy	1.20.0	2.1.0
pytest	9.0.3	9.1.1
pre-commit	4.5.1	4.6.0
myst-parser	5.0.0	5.1.0

Updates redis from 7.4.0 to 8.0.1

Release notes

Sourced from redis's releases.

8.0.1

Changes

🐛 Bug Fixes

• Fix Unix socket maintenance notification handling and tests (#4097)
• Fix async cluster node connection release on write errors (#4111)
• Fixed async MultiDBClient with underlying RedisCluster (#4108)
• Fix hiredis readiness checks for high file descriptors (#4115)
• fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
• Fixing pubsub's listen method to be blocking. (#4119)
• fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#4123)
• Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() instead of a per-call selector (#4118)

🧰 Maintenance

• Updating PyJWT dependency. (#4100)
• Update CI badge in README.md (#4099)
• Add missing url query argument parser for ssl_min_version (#4047)
• ci: least-privilege permissions on spellcheck (read) and stale-issues (job-level write for actions/stale) (#4080)
• Bumping github-versions actions (#4102)
• Updating lib version + supported Redis versions in README.md + updating the Redis versions in CI test matrix (#4092)

We'd like to thank all the contributors who worked on this release! @​violuke @​mokashang @​arpitjain099 @​coredumperror @​elena-kolevska @​vladvildanov @​petyaslavova

8.0.0

Changes

🚀 Highlights

Async Cluster PubSub

This release introduces full asyncio Cluster PubSub support, bringing shard-channel capabilities (SSUBSCRIBE, SUNSUBSCRIBE, SPUBLISH) to the async RedisCluster client. The new ClusterPubSub class in redis.asyncio.cluster automatically routes shard-channel subscriptions to the correct cluster node based on key-slot hashing, manages per-node PubSub connections, and supports round-robin message retrieval across nodes. Users can create a cluster pubsub instance via RedisCluster.pubsub() and use ssubscribe(), sunsubscribe(), and get_sharded_message() just as they would with the sync cluster client.

Keyspace and subkey notifications

Redis Keyspace Notifications are now supported for standalone and cluster deployments in both sync and async modes. New classes — KeyspaceNotifications, ClusterKeyspaceNotifications, AsyncKeyspaceNotifications, and AsyncClusterKeyspaceNotifications — provide a high-level API for keyspace/keyevent subscriptions and subkey notification families: subkeyspace, subkeyevent, subkeyspaceitem, and subkeyspaceevent. Convenience methods like subscribe_keyspace(), subscribe_keyevent(), subscribe_subkeyspace(), subscribe_subkeyevent(), subscribe_subkeyspaceitem(), and subscribe_subkeyspaceevent() simplify common patterns, with channel classes for both key and subkey channels.

In cluster mode, subscriptions are managed across primary nodes because each node emits notifications only for keys it owns, with built-in topology-change handling. Sync run_in_thread() and async listen() workflows are supported.

Redis Array commands(https://redis.io/docs/latest/develop/data-types/arrays/)

redis-py now supports Redis Arrays, a preview Redis data type for sparse, index-addressable sequences of strings. New AR* command helpers cover indexed reads/writes, range scans, deletion, cursor-based insertion, ring-buffer writes, metadata, text search, and aggregation, including ARGET, ARSET, ARMGET, ARMSET, ARSCAN, ARGREP, ARRING, and AROP.

Type Hints Improvements (breaking changes)

The @overload pattern has been applied systematically across core commands (core.py), VectorSet commands, and module commands (Search, JSON, TimeSeries, Bloom filters) to provide distinct return types for sync and async clients. Previously, methods returned a combined ResponseT (i.e., Union[Awaitable[Any], Any]), which caused static analysis tools like mypy and Pyright to flag false positives. Now, sync clients see concrete return types (e.g., int, bool, list[str]) while async clients see Awaitable[...] wrappers. This is a breaking change for type-checking only—runtime behavior is unchanged, but code relying on the old union return types in type annotations may need updates. Two new protocol types, SyncClientProtocol and AsyncClientProtocol, are used in overload signatures to enable this distinction.

RESP3 by default with opt-in unified responses

... (truncated)

Commits

• 7c0fd11 Updating lib version to 8.0.1
• b7a4d7d Avoid per-check fd allocation in hiredis _socket_can_read() — use poll() ...
• eec778e fix(asyncio): release pooled connection when Pipeline.reset() is cancelled (#...
• 08e01bb Fixing pubsub's listen method to be blocking. (#4119)
• 3d5257a fix(search): parse RESP3 FT.SEARCH responses with bytes-typed keys (#4109)
• cce28ff Fix hiredis readiness checks for high file descriptors (#4115)
• e20691c Fixed async MultiDBClient with underlying RedisCluster (#4108)
• ea37fcc Fix async cluster node connection release on write errors (#4111)
• f4146fa Updating lib version + supported Redis versions in README.md + updating the R...
• d47674e Bumping github-versions actions (#4102)
• Additional commits viewable in compare view

Updates tuf from 6.0.0 to 7.0.0

Release notes

Sourced from tuf's releases.

v7.0.0

This is a major release only because of a minor ngclient API tweak: there are no large functional changes.

Fixed

• Fix GHSA-qp9x-wp8f-qgjj: Incorrect delegation path matching on Windows
• Various documentation fixes (#2812, #2922, #2923)

Changed

• ngclient: Updater() now requires the named bootstrap argument to make it clearer that providing one is strongly recommended: previous default functionality can be reproduced with bootstrap=None (#2903)
• Prepare for removal of securesystemslib.hash (#2815)

Changelog

Sourced from tuf's changelog.

v7.0.0

This is a major release only because of a minor ngclient API tweak: there are no large functional changes.

Fixed

• Fix GHSA-qp9x-wp8f-qgjj: Incorrect delegation path matching on Windows
• Various documentation fixes (#2812, #2922, #2923)

Changed

• ngclient: Updater() now requires the named bootstrap argument to make it clearer that providing one is strongly recommended: previous default functionality can be reproduced with bootstrap=None (#2903)
• Prepare for removal of securesystemslib.hash (#2815)

Commits

• 353bdb7 Merge pull request #2942 from jku/release-prep
• 85ce3e8 Prepare 7.0 release
• 1a62020 Merge commit from fork
• 5c0c36d Merge pull request #2938 from theupdateframework/dependabot/pip/test-and-lint...
• 57cc1a7 Merge pull request #2937 from theupdateframework/dependabot/pip/build-and-rel...
• 9d7d1b9 Merge pull request #2939 from theupdateframework/dependabot/pip/dependencies-...
• be4f314 Merge pull request #2941 from theupdateframework/dependabot/github_actions/ac...
• 6348502 build(deps): bump the action-dependencies group across 1 directory with 2 upd...
• 4b6e35a build(deps): bump cryptography in the dependencies group
• 4883f02 build(deps): bump the test-and-lint-dependencies group with 2 updates
• Additional commits viewable in compare view

Updates dynaconf from 3.2.13 to 3.3.0

Release notes

Sourced from dynaconf's releases.

3.3.0

3.3.0 - 2026-06-24

Bug Fixes

• Fix index merge padding scalar lists with empty lists instead of None (#1380). By Sarath Francis.
• raise FileNotFoundError from load_file on missing path when silent=False. By Sai Asish Y.
• support Redis URL scheme for TLS connections (#1343). By Varun Chawla.
• support async contexts. By Bruno Rocha.
• codacy suggestions. By Bruno Rocha.
• more improvements on edge cases of converters. By Bruno Rocha.
• Extra improvements on converters. By Bruno Rocha.
• Replace regex on read_file converter. By Bruno Rocha.
• replace regex with simple if on get converter. By Bruno Rocha.
• 1307 run fix_absolute_urls eagerly for Django. By Bruno Rocha.
• make DataDict.dir compatible with Box. By Pedro Brochado.
• get method to return Any type. (#1315). By Bruno Cesar Rocha.
• remove unnecessary recursive evaluation call on Settings.get. By Pedro Brochado.
• -k must exit code 1 when key do not exist (#1293). By Bruno Rocha.
• use sys.argv instead of click.get_os_args (#1292). By Bruno Rocha.
• make raw variables private (#1287). By Fabricio Aguiar.
• Better way for CLI to find the Django Settings. By Bruno Rocha.
• handle empty hooks and boolean environments.. By Bruno Rocha.
• Hotfix hook collector to avoid eager evaluation. (#1255) (#1256). By Bruno Rocha.
• Ensure an error is raised when loading files with syntax errors (#1243). By Pedro Brochado.
• using merge with comma separated values will infer type [port of #1240]. By Bruno Rocha.
• Handle @insert with -1. By Bruno Rocha.
• Redis loader must handle an empty prefix. By Bruno Rocha.
• Ensure CLI can load settings from a base DJANGO_SETTINGS_MODULE. By Bruno Rocha.
• When --json is used in CLI list, does not print django app detected. By Bruno Rocha.
• when using load_file method, inspect will save module:linenumber from the caller.. By Bruno Rocha.
• Implement repr for combined validators (#1200). By Bruno Rocha.
• lazy validator's default value would evalute early (#1197). By Pedro Brochado.
• Fixed an error that would raise when using get_history() with lazy values (#1184). By Pedro Brochado.
• del attr wouldnt work with lowercase (#1168). By Pedro Brochado.
• Improve performance of Access Hooks (#1164). By Bruno Rocha.
• Ignore if file doesn't exist (#1159). By Bruno Rocha.
• Enable merge on settings.populate_obj (#1118). By Bruno Rocha.
• Add Django 5 transformation of STATIC_URL (#1117). By Bruno Rocha.
• Allow disabling transformation of dict to Dynabox (#1115). By Bruno Rocha.
• Support Nested Subtypes and Enclosed types (#1109). By Bruno Rocha.
• #1088 fresh vars definition case insensitive (#1091). By Bruno Rocha.
• Allow multiple validators with cast for the same field (#1080). By Bruno Rocha.
• Stop converting default when is_type_of is set to str (#1066). By Bruno Rocha.

Features

• add Settings-level caching mechanism. By Pedro Brochado.
• Add @read_file converter (#1291). By Bruno Rocha.
• envless load file (#1295). By Bruno Rocha.

... (truncated)

Changelog

Sourced from dynaconf's changelog.

3.3.0 - 2026-06-24

Bug Fixes

• Fix index merge padding scalar lists with empty lists instead of None (#1380). By Sarath Francis.
• raise FileNotFoundError from load_file on missing path when silent=False. By Sai Asish Y.
• support Redis URL scheme for TLS connections (#1343). By Varun Chawla.
• support async contexts. By Bruno Rocha.
• codacy suggestions. By Bruno Rocha.
• more improvements on edge cases of converters. By Bruno Rocha.
• Extra improvements on converters. By Bruno Rocha.
• Replace regex on read_file converter. By Bruno Rocha.
• replace regex with simple if on get converter. By Bruno Rocha.
• 1307 run fix_absolute_urls eagerly for Django. By Bruno Rocha.
• make DataDict.dir compatible with Box. By Pedro Brochado.
• get method to return Any type. (#1315). By Bruno Cesar Rocha.
• remove unnecessary recursive evaluation call on Settings.get. By Pedro Brochado.
• -k must exit code 1 when key do not exist (#1293). By Bruno Rocha.
• use sys.argv instead of click.get_os_args (#1292). By Bruno Rocha.
• make raw variables private (#1287). By Fabricio Aguiar.
• Better way for CLI to find the Django Settings. By Bruno Rocha.
• handle empty hooks and boolean environments.. By Bruno Rocha.
• Hotfix hook collector to avoid eager evaluation. (#1255) (#1256). By Bruno Rocha.
• Ensure an error is raised when loading files with syntax errors (#1243). By Pedro Brochado.
• using merge with comma separated values will infer type [port of #1240]. By Bruno Rocha.
• Handle @insert with -1. By Bruno Rocha.
• Redis loader must handle an empty prefix. By Bruno Rocha.
• Ensure CLI can load settings from a base DJANGO_SETTINGS_MODULE. By Bruno Rocha.
• When --json is used in CLI list, does not print django app detected. By Bruno Rocha.
• when using load_file method, inspect will save module:linenumber from the caller.. By Bruno Rocha.
• Implement repr for combined validators (#1200). By Bruno Rocha.
• lazy validator's default value would evalute early (#1197). By Pedro Brochado.
• Fixed an error that would raise when using get_history() with lazy values (#1184). By Pedro Brochado.
• del attr wouldnt work with lowercase (#1168). By Pedro Brochado.
• Improve performance of Access Hooks (#1164). By Bruno Rocha.
• Ignore if file doesn't exist (#1159). By Bruno Rocha.
• Enable merge on settings.populate_obj (#1118). By Bruno Rocha.
• Add Django 5 transformation of STATIC_URL (#1117). By Bruno Rocha.
• Allow disabling transformation of dict to Dynabox (#1115). By Bruno Rocha.
• Support Nested Subtypes and Enclosed types (#1109). By Bruno Rocha.
• #1088 fresh vars definition case insensitive (#1091). By Bruno Rocha.
• Allow multiple validators with cast for the same field (#1080). By Bruno Rocha.
• Stop converting default when is_type_of is set to str (#1066). By Bruno Rocha.

Features

• add Settings-level caching mechanism. By Pedro Brochado.
• Add @read_file converter (#1291). By Bruno Rocha.
• envless load file (#1295). By Bruno Rocha.
• Run CLI as module with python -m dynaconf (#1290). By Bruno Rocha.

... (truncated)

Commits

• f425fdb Release version 3.3.0
• 10d090b chore(ci): disable backport creation for 3.3.0 release only
• 0b7aaa4 chore(ci): go back to using uv sync + uv run
• ec6119f chore(ci): update to use uv tool install
• 2068632 chore(ci): add missing venv creation to uv install
• a6393f1 chore(ci): remove unnecessary uv install from workflows
• a49ba70 chore(ci): don't generate uv.lock for release/publish workflows
• 8d8e061 chore(ci): add new release 'framework' to the CI
• 2edaa2c refactor(cache): scope value cache to instance and remove global id counter
• 70164ce docs: Fix broken links and wrong merge behavior
• Additional commits viewable in compare view

Updates securesystemslib from 1.3.1 to 1.4.0

Release notes

Sourced from securesystemslib's releases.

v1.4.0

See CHANGELOG.md for details.

Changelog

Sourced from securesystemslib's changelog.

securesystemslib v1.4.0

Fixed

• HSMSigner: Fix usage with multi-byte keyids (#1107)

Changed

• SigstoreSigner: Update to current sigstore-python API (#1035)
• Deprecate Python 3.9 support (#1069)
• Various testing changes -- note that AWS is currently not tested in CI (see #1104)

Commits

• 47b0f45 Merge pull request #1130 from jku/prep-1.4.0
• e4f4bda Prepare 1.4.0
• 3e130e8 Merge pull request #1107 from Spinbazz/fix/cka_id_size_limit
• a690d88 Merge pull request #1127 from secure-systems-lab/dependabot/pip/test-and-lint...
• c03c919 build(deps): bump the test-and-lint-dependencies group with 2 updates
• 6363b26 lint fixes
• e4d0d33 Fix issue with odd hex length keyids
• 442d842 Merge pull request #1121 from secure-systems-lab/dependabot/pip/build-and-rel...
• 5cfe19e Merge pull request #1083 from jku/enable-hsm-tests-on-mac
• 2303329 tests: Enable HSM tests on Mac
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.49 to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

• [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

  References: #13207

• [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

  References: #13356

engine

• [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

  References: #9427

sql

• [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

  References: #10827

... (truncated)

Commits

• See full diff in compare view

Updates psycopg2 from 2.9.11 to 2.9.12

Changelog

Sourced from psycopg2's changelog.

Current release

What's new in psycopg 2.9.12 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix infinite loop with malformed interval (:ticket:1835).

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).

... (truncated)

Commits

• 3a6d9d6 ci: include almalinux in whieel building
• ebca6bf chore: bump to version 3.9.12
• 0196f02 build(deps): bump pypa/cibuildwheel from 3.3.1 to 3.4.0
• d157bdc build(deps): bump docker/setup-qemu-action from 3 to 4
• 7fccc0f build(deps): bump actions/upload-artifact from 6 to 7
• d52a61e chore: bump dependency libraries
• b231d72 chore: fix building binary images
• 6d76e84 Merge pull request #1836 from psycopg/fix-1835
• f7e314c fix: overflow in malformed interval
• eb905c1 docs: replace bare except clause with except Exception
• Additional commits viewable in compare view

Updates pydantic from 2.12.5 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• Additional commits viewable in compare view

Updates boto3 from 1.42.85 to 1.43.36

Commits

• 1d26f21 Merge branch 'release-1.43.36'
• 111333b Bumping version to 1.43.36
• 9d1fa23 Add changelog entries from botocore
• 6d7f3c2 Update security docs to use newer versions of openssl and python (#4796)
• c5b26ca Merge branch 'release-1.43.35'
• c3750ac Merge branch 'release-1.43.35' into develop
• 46e77cd Bumping version to 1.43.35
• 9919ede Add changelog entries from botocore
• 1820b7d Merge branch 'release-1.43.34'
• 0065dbe Merge branch 'release-1.43.34' into develop
• Additional commits viewable in compare view

Updates awswrangler from 3.15.1 to 3.16.1

Release notes

Sourced from awswrangler's releases.

AWS SDK for pandas 3.16.1

Notable Changes ⚠️

• pyarrow upgraded from v20.0.0 to v.22.0.0 in AWS lambda layers ⚠️
• AWS Lambda layer region expansion: added layers in ca-west-1 Canada West (Calgary) 🇨🇦

Bugfixes 🐛

• fix(athena): verify bucket ownership and manifest integrity by @​kukushking in aws/aws-sdk-pandas#3314

Security / Dependency Updates 🛡️

• chore(deps): bump cryptography from 46.0.6 to 46.0.7 by @​dependabot[bot] in aws/aws-sdk-pandas#3297
• chore(deps): bump uv from 0.10.10 to 0.11.6 by @​dependabot[bot] in aws/aws-sdk-pandas#3299
• chore(deps-dev): bump pytest from 8.4.2 to 9.0.3 by @​dependabot[bot] in aws/aws-sdk-pandas#3303
• fix(deps): upgrade lxml to 6.1.0 and redshift-connector to 2.1.13 (CVE-2026-41066) by @​kukushking in aws/aws-sdk-pandas#3309
• fix(deps): bump ray, jupyterlab, nbconvert, pip due to CVEs by @​kukushking in aws/aws-sdk-pandas#3316
• chore(deps): bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3300
• chore: Release 3.16.1 by @​kukushking in aws/aws-sdk-pandas#3318
• chore(deps): bump jupyter-server from 2.17.0 to 2.18.0 by @​dependabot[bot] in aws/aws-sdk-pandas#3321
• chore(deps-dev): bump the development-dependencies group across 1 directory with 11 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3323
• chore(deps): allow pyarrow 24 by @​kukushking in aws/aws-sdk-pandas#3325

Housekeeping 🧹

• chore: Update layers.rst by @​kukushking in aws/aws-sdk-pandas#3296

Full Changelog: aws/aws-sdk-pandas@3.16.0...3.16.1

AWS SDK for pandas 3.16.0

Notable Changes ⚠️

• feat: Support Pandas 3.x by @​kukushking in aws/aws-sdk-pandas#3272

Features / Enhancements 🚀

• feat: Support S3 Tables by @​kukushking in aws/aws-sdk-pandas#3273

Bugfixes 🐛

• fix: Sanitize SQL construction in Redshift module by @​kukushking in aws/aws-sdk-pandas#3281
• fix: resolve Dependabot LICENSE.txt parse error by @​jaidisido in aws/aws-sdk-pandas#3286
• fix(iceberg): too many open partitions by sorting inserts by @​knQzx in aws/aws-sdk-pandas#3294
• fix: Support Athena workgroups with managed query results (#3174) by @​Will282 in aws/aws-sdk-pandas#3275
• fix: Bundle libxslt/libexslt shared libraries in Lambda layer by @​kukushking in aws/aws-sdk-pandas#3295

Security / Dependency Updates 🛡️

• chore(deps): bump aiohttp from 3.13.3 to 3.13.4 by @​dependabot[bot] in aws/aws-sdk-pandas#3292
• chore(deps): bump pyasn1 from 0.6.2 to 0.6.3 by @​dependabot[bot] in aws/aws-sdk-pandas#3289
• chore(deps): bump requests from 2.32.5 to 2.33.0 by @​dependabot[bot] in aws/aws-sdk-pandas#3288
• chore(deps): bump pygments from 2.19.2 to 2.20.0 by @​dependabot[bot] in aws/aws-sdk-pandas#3287
• chore(deps): bump cryptography from 46.0.5 to 46.0.6 by @​dependabot[bot] in aws/aws-sdk-pandas#3290

Housekeeping 🧹

• chore: Release 3.16.0 by @​kukushking in aws/aws-sdk-pandas#3285
• chore: Update layers.rst by @​kukushking in aws/aws-sdk-pandas#3269

... (truncated)

Commits

• 5f26a71 chore: Update layers.rst
• 56f12d8 fix(lambda-layer): bundle libicu for AL2023 runtime compatibility
• 5578901 fix(lambda-layer): remove stale lxml 6.0.2 dist-info before upgrade
• 2a5d6a2 fix(lambda-layer): install libatomic on AL2023 and broaden lib search
• d8a98b1 fix(lambda-layer): bundle libatomic.so.1 for pyarrow 22+ runtime
• 1f45c87 fix(lambda-layer): install libatomic for pyarrow 22 linker
• 3da7549 chore(lambda-layer): bump pyarrow to 22.0.0
• 8c7b9ed fix(lambda-layer): upgrade lxml past redshift-connector cap for CVE-2026-41066
• fcf7b8c fix(lambda-layer): pin pyarrow to local wheel version in pip install
• 04733f2 fix(lambda-layer): point pip at pre-built pyarrow wheel via --find-links
• Additional commits viewable in compare view

Updates sigstore from 4.2.0 to 4.3.0

Release notes

Sourced from sigstore's releases.

v4.3.0

Added

• Issuer.identity_token accepts an optional redirect_port argument to accomodate OIDC providers that require pre-registered redirect URIs (#1029)

Fixed

• Fix ~60s keep-alive deadlock in browser-based OIDC authentication (#1693)
• Avoid over-using connections when signing many artifacts: Use one connection per thread (#1732)

Changed

• With Rekor v2 DSSE signing/verification now uses Hashedrekord log entries. This is based on Rekor v2 spec change: sigstore/architecture-docs#63 (#1776)
• sigstore is now compatible with cryptography 48 and tuf 7 (#1773)
• Embedded TUF metadata has been updated (#1785)

Changelog

Sourced from sigstore's changelog.

[4.3.0]

Added

• Issuer.identity_token accepts an optional redirect_port argument to accomodate OIDC providers that require pre-registered redirect URIs (#1029)

Fixed

• Fix ~60s keep-alive deadlock in browser-based OIDC authentication (#1693)
• Avoid over-using connections when signing many artifacts: Use one connection per thread (#1732)

Changed

• With Rekor v2 DSSE signing/verification now uses Hashedrekord log entries. This is based on Rekor v2 spec change: sigstore/architecture-docs#63 (#1776)
• sigstore is now compatible with cryptography 48 and tuf 7 (#1773)
• Embedded TUF metadata has been updated (#1785)

Commits

• 4baa76f Prepare 4.3.0 release (#1774)
• 3566ecd build(deps): bump sigstore/sigstore-conformance in the actions group (#1797)
• 05fcf60 Makefile: use uv run --locked everywhere (#1793)
• a5a9441 build(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the actions g...
• 531d12e build(deps-dev): bump ruff from 0.15.13 to 0.15.14 (#1791)
• c62a99b build(deps): bump pyjwt from 2.12.1 to 2.13.0 (#1790)
• b90e55d Bump the ceiling on cryptography version (#1773)
• fb9f2c4 TUF: Update embedded roots (#1785)
• 603eeb3 Encode DSSE as hashedrekord for Rekor v2 (#1776)
• 9b4f5f9 build(deps-dev): bump ruff from 0.15.12 to 0.15.13...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.