chore(deps): bump the uv group across 9 directories with 11 updates by dependabot[bot] · Pull Request #4125 · traceloop/openllmetry

dependabot · 2026-05-11T16:46:51Z

Bumps the uv group with 2 updates in the /packages/opentelemetry-instrumentation-agno directory: python-dotenv and python-multipart.
Bumps the uv group with 3 updates in the /packages/opentelemetry-instrumentation-crewai directory: python-multipart, pillow and urllib3.
Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-lancedb directory: urllib3.
Bumps the uv group with 4 updates in the /packages/opentelemetry-instrumentation-mcp directory: python-dotenv, python-multipart, urllib3 and authlib.
Bumps the uv group with 3 updates in the /packages/opentelemetry-instrumentation-openai-agents directory: python-dotenv, python-multipart and urllib3.
Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-sagemaker directory: urllib3.
Bumps the uv group with 5 updates in the /packages/opentelemetry-instrumentation-voyageai directory:

Package	From	To
pillow	`12.1.1`	`12.2.0`
urllib3	`2.6.3`	`2.7.0`
langchain-core	`1.2.12`	`1.3.3`
langchain-text-splitters	`1.1.0`	`1.1.2`
langsmith	`0.6.6`	`0.7.31`

Bumps the uv group with 4 updates in the /packages/opentelemetry-instrumentation-writer directory: python-dotenv, python-multipart, urllib3 and authlib.
Bumps the uv group with 11 updates in the /packages/sample-app directory:

Package	From	To
python-dotenv	`1.2.1`	`1.2.2`
python-multipart	`0.0.22`	`0.0.27`
pillow	`12.1.1`	`12.2.0`
urllib3	`2.6.3`	`2.7.0`
authlib	`1.6.6`	`1.6.11`
langchain-core	`1.2.11`	`1.3.3`
langchain-text-splitters	`1.1.0`	`1.1.2`
langsmith	`0.6.7`	`0.7.31`
banks	`2.3.0`	`2.4.2`
lxml	`6.0.2`	`6.1.0`
pypdf	`6.7.4`	`6.10.2`

Updates python-dotenv from 1.2.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

The dotenv run command now forwards flags directly to the specified command by @bbc2 in theskumar/python-dotenv#607

Improved documentation clarity regarding override behavior and the reference page.

Updated PyPy support to version 3.11.

Documentation for FIFO file support.

Support for Python 3.9.

Fixed

Improved set_key and unset_key behavior when interacting with symlinks by @bbc2 in #790c5

Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @JYOuyang in theskumar/python-dotenv#590

Breaking Changes

dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

skip 000 permission tests for root user by @burnout-projects in theskumar/python-dotenv#561

Bump actions/checkout from 5 to 6 in the github-actions group by @dependabot[bot] in theskumar/python-dotenv#593

Add Windows testing to CI by @bbc2 in theskumar/python-dotenv#604

Improve workflow efficiency with best practices by @theskumar in theskumar/python-dotenv#609

Remove the use of sh in tests by @bbc2 in theskumar/python-dotenv#612

New Contributors

@JYOuyang made their first contribution in theskumar/python-dotenv#590

@burnout-projects made their first contribution in theskumar/python-dotenv#561

@cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

The dotenv run command now forwards flags directly to the specified command by [@bbc2] in #607

Improved documentation clarity regarding override behavior and the reference page.

Updated PyPy support to version 3.11.

Documentation for FIFO file support.

Dropped Support for Python 3.9.

Fixed

Improved set_key and unset_key behavior when interacting with symlinks by [@bbc2] in [790c5c0]

Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@JYOuyang] in #590

Breaking Changes

dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Commits

36004e0 Bump version: 1.2.1 → 1.2.2
eb20252 docs: update changelog for v1.2.2
790c5c0 Merge commit from fork
43340da Remove the use of sh in tests (#612)
09d7cee docs: clarify override behavior and document FIFO support (#610)
c8de288 ci: improve workflow efficiency with best practices (#609)
7bd9e3d Add Windows testing to CI (#604)
1baaf04 Drop Python 3.9 support and update to PyPy 3.11 (#608)
4a22cf8 ci: enable testing on Python 3.14t (free-threaded) (#588)
e2e8e77 Fix license specifier (#597)
Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.27

Release notes

Sourced from python-multipart's releases.

Version 0.0.27

What's Changed

Pass parse offsets via constructors by @Kludex in Kludex/python-multipart#268

Add multipart header limits by @Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

Skip preamble before first multipart boundary by @Kludex in Kludex/python-multipart#262

Silently discard epilogue data after the closing boundary by @Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Apply Apache-2.0 properly by @Kludex in Kludex/python-multipart#247

Handle multipart headers case-insensitively by @Kludex in Kludex/python-multipart#252

Emit field_end for trailing bare field names on finalize by @bysiber in Kludex/python-multipart#230

Add UPLOAD_DELETE_TMP to FormParser config by @Kludex in Kludex/python-multipart#254

Remove custom FormParser classes by @Kludex in Kludex/python-multipart#257

Handle CTE values case-insensitively by @Kludex in Kludex/python-multipart#258

Add MIME content type info to File by @jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Validate chunk_size in parse_form() by @Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

Remove unused trust_x_headers parameter and X-File-Name fallback by @jhnstrk in Kludex/python-multipart#196

Return processed length from QuerystringParser._internal_write by @bysiber in Kludex/python-multipart#229

Cleanup metadata dunders from __init__.py by @Chesars in Kludex/python-multipart#227

New Contributors

@Chesars made their first contribution in Kludex/python-multipart#227

@bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

Add multipart header limits #267.

Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

Skip preamble before the first multipart boundary more efficiently #262.

Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

Add MIME content type info to File #143.

Handle CTE values case-insensitively #258.

Remove custom FormParser classes #257.

Add UPLOAD_DELETE_TMP to FormParser config #254.

Emit field_end for trailing bare field names on finalize #230.

Handle multipart headers case-insensitively #252.

Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

Remove unused trust_x_headers parameter and X-File-Name fallback #196.

Return processed length from QuerystringParser._internal_write #229.

Cleanup metadata dunders from __init__.py #227.

Commits

6d1d689 Version 0.0.27 (#272)
0b10220 Run CI on main branch pull requests (#271)
3e64f5f Add multipart header limits (#267)
eb109cc Pass parse offsets via constructors (#268)
78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
28f4785 Version 0.0.26 (#263)
d4452a7 Silently discard epilogue data after the closing boundary (#259)
6a7b76d Skip preamble before first multipart boundary (#262)
4addb60 Version 0.0.25 (#261)
Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.27

Release notes

Sourced from python-multipart's releases.

Version 0.0.27

What's Changed

Pass parse offsets via constructors by @Kludex in Kludex/python-multipart#268

Add multipart header limits by @Kludex in Kludex/python-multipart#267

Full Changelog: Kludex/python-multipart@0.0.26...0.0.27

Version 0.0.26

What's Changed

Skip preamble before first multipart boundary by @Kludex in Kludex/python-multipart#262

Silently discard epilogue data after the closing boundary by @Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Apply Apache-2.0 properly by @Kludex in Kludex/python-multipart#247

Handle multipart headers case-insensitively by @Kludex in Kludex/python-multipart#252

Emit field_end for trailing bare field names on finalize by @bysiber in Kludex/python-multipart#230

Add UPLOAD_DELETE_TMP to FormParser config by @Kludex in Kludex/python-multipart#254

Remove custom FormParser classes by @Kludex in Kludex/python-multipart#257

Handle CTE values case-insensitively by @Kludex in Kludex/python-multipart#258

Add MIME content type info to File by @jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Validate chunk_size in parse_form() by @Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

Remove unused trust_x_headers parameter and X-File-Name fallback by @jhnstrk in Kludex/python-multipart#196

Return processed length from QuerystringParser._internal_write by @bysiber in Kludex/python-multipart#229

Cleanup metadata dunders from __init__.py by @Chesars in Kludex/python-multipart#227

New Contributors

@Chesars made their first contribution in Kludex/python-multipart#227

@bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.27 (2026-04-27)

Add multipart header limits #267.

Pass parse offsets via constructors #268.

0.0.26 (2026-04-10)

Skip preamble before the first multipart boundary more efficiently #262.

Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

Add MIME content type info to File #143.

Handle CTE values case-insensitively #258.

Remove custom FormParser classes #257.

Add UPLOAD_DELETE_TMP to FormParser config #254.

Emit field_end for trailing bare field names on finalize #230.

Handle multipart headers case-insensitively #252.

Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

Remove unused trust_x_headers parameter and X-File-Name fallback #196.

Return processed length from QuerystringParser._internal_write #229.

Cleanup metadata dunders from __init__.py #227.

Commits

6d1d689 Version 0.0.27 (#272)
0b10220 Run CI on main branch pull requests (#271)
3e64f5f Add multipart header limits (#267)
eb109cc Pass parse offsets via constructors (#268)
78e29ab Bump pytest from 9.0.2 to 9.0.3 (#266)
b2ddd09 fuzz: Enhance fuzzing capabilities with new chunked and boundary tests (#264)
28f4785 Version 0.0.26 (#263)
d4452a7 Silently discard epilogue data after the closing boundary (#259)
6a7b76d Skip preamble before first multipart boundary (#262)
4addb60 Version 0.0.25 (#261)
Additional commits viewable in compare view

Updates pillow from 12.1.1 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

Update 12.2.0 release notes #9522 [@hugovk]

Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@bitplane]

Update Python versions #9515 [@radarhere]

Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@aclark4life]

Add release notes for #9394, #9419 and #9456 #9467 [@radarhere]

Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@bitplane]

Merge PFM documentation into PPM #9434 [@radarhere]

Update macOS tested Pillow versions #9431 [@radarhere]

Fix CVE number #9430 [@hugovk]

Dependencies

Update xz to 5.8.3 #9523 [@radarhere]

Update libjpeg-turbo to 3.1.4.1 #9507 [@radarhere]

Update libpng to 1.6.56 #9499 [@radarhere]

Update freetype to 2.14.3 #9485 [@radarhere]

Updated libavif to 1.4.1 #9479 [@radarhere]

Updated harfbuzz to 13.2.1 #9461 [@radarhere]

Update Ghostscript to 10.7.0 #9469 [@radarhere]

Update harfbuzz to 13.0.1 #9453 [@radarhere]

Update libavif to 1.4.0 #9460 [@radarhere]

Update freetype to 2.14.2 #9449 [@radarhere]

Update actions/download-artifact action to v8 #9451 [@renovate[bot]]

Updated libpng to 1.6.55 #9425 [@radarhere]

Testing

Cleanup .spider extension in the same test where it is added #9517 [@radarhere]

Run tests in parallel via tox for 3.5x speedup #9516 [@hugovk]

Enable colour in CI logs #9486 [@hugovk]

Update Ghostscript to 10.7.0 #9469 [@radarhere]

Simplify TGA test code #9477 [@radarhere]

Update tests to check for ValueError when encoding an empty image #9464 [@radarhere]

Upgrade CI from macos-15-intel to macos-26-intel #9454 [@hugovk]

Add check-case-conflict hook #9446 [@radarhere]

Specify platform when pulling docker image #9440 [@radarhere]

GHA: Cache libavif and webp builds for Ubuntu #9437 [@hugovk]

Update macOS tested Pillow versions #9431 [@radarhere]

Other changes

Check calloc return value #9527 [@radarhere]

Check all allocs in the Arrow tree #9488 [@wiredfool]

Reject non-numeric elements inside list coords #9526 [@hugovk]

Move variable declaration inside define #9525 [@radarhere]

... (truncated)

Commits

3c41c09 12.2.0 version bump
cdaa29e Check calloc return value (#9527)
585b2f5 Check calloc return value
ecf011e Check all allocs in the Arrow tree (#9488)
cf6de8c Reject non-numeric elements inside list coords (#9526)
ffdcede Update 12.2.0 release notes (#9522)
7929d77 Added security release notes (#149)
c4f7aa5 Added security release notes
22cdb5f Move variable declaration inside define (#9525)
fc15b3b Resize tall images vertically first (#9524)
Additional commits viewable in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

See GHSA-mf9v-mfxr-j63j for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)

Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)

Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)

Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)

Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)

Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)

Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)

Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)

Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)

Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)

Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

9a950b9 Release 2.7.0
5ec0de4 Merge commit from fork
2bdcc44 Merge commit from fork
f45b0df Fix a misleading example for ProxyManager (#4970)
577193c Switch to nightly PyPy3.11 in CI for now (#4984)
e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
67ed74f Bump dev dependencies (#4972)
3abd481 Upgrade mypy to version 1.20.2 (#4978)
2b8725d Drop support for EOL PyPy3.10 (#4979)
2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
Additional commits viewable in compare view

Updates urllib3 from 2.6.3 to 2.7.0

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

See GHSA-mf9v-mfxr-j63j for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)

Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)

Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)

Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)

Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)

Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)

Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)

Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

Decompression-bomb safeguards of the streaming API were bypassed:

When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.

During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)

Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)

Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)

Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)

Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

9a950b9 Release 2.7.0
5ec0de4 Merge commit from fork
2bdcc44 Merge commit from fork
f45b0df Fix a misleading example for ProxyManager (#4970)
577193c Switch to nightly PyPy3.11 in CI for now (#4984)
e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
67ed74f Bump dev dependencies (#4972)
3abd481 Upgrade mypy to version 1.20.2 (#4978)
2b8725d Drop support for EOL PyPy3.10 (#4979)
2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
Additional commits viewable in compare view

Updates python-dotenv from 1.2.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

The dotenv run command now forwards flags directly to the specified command by @bbc2 in theskumar/python-dotenv#607

Improved documentation clarity regarding override behavior and the reference page.

Updated PyPy support to version 3.11.

Documentation for FIFO file support.

Support for Python 3.9.

Fixed

Improved set_key and unset_key behavior when interacting with symlinks by @bbc2 in #790c5

Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @JYOuyang in theskumar/python-dotenv#590

Breaking Changes

dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used...
Description has been truncated

Bumps the uv group with 2 updates in the /packages/opentelemetry-instrumentation-agno directory: [python-dotenv](https://github.com/theskumar/python-dotenv) and [python-multipart](https://github.com/Kludex/python-multipart). Bumps the uv group with 3 updates in the /packages/opentelemetry-instrumentation-crewai directory: [python-multipart](https://github.com/Kludex/python-multipart), [pillow](https://github.com/python-pillow/Pillow) and [urllib3](https://github.com/urllib3/urllib3). Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-lancedb directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the uv group with 4 updates in the /packages/opentelemetry-instrumentation-mcp directory: [python-dotenv](https://github.com/theskumar/python-dotenv), [python-multipart](https://github.com/Kludex/python-multipart), [urllib3](https://github.com/urllib3/urllib3) and [authlib](https://github.com/authlib/authlib). Bumps the uv group with 3 updates in the /packages/opentelemetry-instrumentation-openai-agents directory: [python-dotenv](https://github.com/theskumar/python-dotenv), [python-multipart](https://github.com/Kludex/python-multipart) and [urllib3](https://github.com/urllib3/urllib3). Bumps the uv group with 1 update in the /packages/opentelemetry-instrumentation-sagemaker directory: [urllib3](https://github.com/urllib3/urllib3). Bumps the uv group with 5 updates in the /packages/opentelemetry-instrumentation-voyageai directory: | Package | From | To | | --- | --- | --- | | [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` | | [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` | | [langchain-core](https://github.com/langchain-ai/langchain) | `1.2.12` | `1.3.3` | | [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `1.1.0` | `1.1.2` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.6.6` | `0.7.31` | Bumps the uv group with 4 updates in the /packages/opentelemetry-instrumentation-writer directory: [python-dotenv](https://github.com/theskumar/python-dotenv), [python-multipart](https://github.com/Kludex/python-multipart), [urllib3](https://github.com/urllib3/urllib3) and [authlib](https://github.com/authlib/authlib). Bumps the uv group with 11 updates in the /packages/sample-app directory: | Package | From | To | | --- | --- | --- | | [python-dotenv](https://github.com/theskumar/python-dotenv) | `1.2.1` | `1.2.2` | | [python-multipart](https://github.com/Kludex/python-multipart) | `0.0.22` | `0.0.27` | | [pillow](https://github.com/python-pillow/Pillow) | `12.1.1` | `12.2.0` | | [urllib3](https://github.com/urllib3/urllib3) | `2.6.3` | `2.7.0` | | [authlib](https://github.com/authlib/authlib) | `1.6.6` | `1.6.11` | | [langchain-core](https://github.com/langchain-ai/langchain) | `1.2.11` | `1.3.3` | | [langchain-text-splitters](https://github.com/langchain-ai/langchain) | `1.1.0` | `1.1.2` | | [langsmith](https://github.com/langchain-ai/langsmith-sdk) | `0.6.7` | `0.7.31` | | [banks](https://github.com/masci/banks) | `2.3.0` | `2.4.2` | | [lxml](https://github.com/lxml/lxml) | `6.0.2` | `6.1.0` | | [pypdf](https://github.com/py-pdf/pypdf) | `6.7.4` | `6.10.2` | Updates `python-dotenv` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `python-dotenv` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `authlib` from 1.6.9 to 1.6.11 - [Release notes](https://github.com/authlib/authlib/releases) - [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst) - [Commits](authlib/authlib@v1.6.9...v1.6.11) Updates `python-dotenv` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `langchain-core` from 1.2.12 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.12...langchain-core==1.3.3) Updates `langchain-text-splitters` from 1.1.0 to 1.1.2 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2) Updates `langsmith` from 0.6.6 to 0.7.31 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.6.6...v0.7.31) Updates `python-dotenv` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `authlib` from 1.6.9 to 1.6.11 - [Release notes](https://github.com/authlib/authlib/releases) - [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst) - [Commits](authlib/authlib@v1.6.9...v1.6.11) Updates `python-dotenv` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.2.1...v1.2.2) Updates `python-multipart` from 0.0.22 to 0.0.27 - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.22...0.0.27) Updates `pillow` from 12.1.1 to 12.2.0 - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) Updates `urllib3` from 2.6.3 to 2.7.0 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.6.3...2.7.0) Updates `authlib` from 1.6.6 to 1.6.11 - [Release notes](https://github.com/authlib/authlib/releases) - [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst) - [Commits](authlib/authlib@v1.6.9...v1.6.11) Updates `langchain-core` from 1.2.11 to 1.3.3 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-core==1.2.12...langchain-core==1.3.3) Updates `langchain-text-splitters` from 1.1.0 to 1.1.2 - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2) Updates `langsmith` from 0.6.7 to 0.7.31 - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.6.6...v0.7.31) Updates `banks` from 2.3.0 to 2.4.2 - [Release notes](https://github.com/masci/banks/releases) - [Commits](masci/banks@v2.3.0...v2.4.2) Updates `lxml` from 6.0.2 to 6.1.0 - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-6.0.2...lxml-6.1.0) Updates `pypdf` from 6.7.4 to 6.10.2 - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](py-pdf/pypdf@6.7.4...6.10.2) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: indirect dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: indirect dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: authlib dependency-version: 1.6.11 dependency-type: indirect dependency-group: uv - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: indirect dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: uv - dependency-name: langchain-text-splitters dependency-version: 1.1.2 dependency-type: indirect dependency-group: uv - dependency-name: langsmith dependency-version: 0.7.31 dependency-type: indirect dependency-group: uv - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:development dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: authlib dependency-version: 1.6.11 dependency-type: indirect dependency-group: uv - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production dependency-group: uv - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect dependency-group: uv - dependency-name: pillow dependency-version: 12.2.0 dependency-type: indirect dependency-group: uv - dependency-name: urllib3 dependency-version: 2.7.0 dependency-type: indirect dependency-group: uv - dependency-name: authlib dependency-version: 1.6.11 dependency-type: indirect dependency-group: uv - dependency-name: langchain-core dependency-version: 1.3.3 dependency-type: indirect dependency-group: uv - dependency-name: langchain-text-splitters dependency-version: 1.1.2 dependency-type: indirect dependency-group: uv - dependency-name: langsmith dependency-version: 0.7.31 dependency-type: indirect dependency-group: uv - dependency-name: banks dependency-version: 2.4.2 dependency-type: indirect dependency-group: uv - dependency-name: lxml dependency-version: 6.1.0 dependency-type: indirect dependency-group: uv - dependency-name: pypdf dependency-version: 6.10.2 dependency-type: indirect dependency-group: uv ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 11, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the uv group across 9 directories with 11 updates#4125

chore(deps): bump the uv group across 9 directories with 11 updates#4125
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/packages/opentelemetry-instrumentation-agno/uv-05df70facb

dependabot Bot commented on behalf of github May 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 11, 2026

v1.2.2

Added

Changed

Fixed

Breaking Changes

Misc

New Contributors

[1.2.2] - 2026-03-01

Added

Changed

Fixed

Breaking Changes

Version 0.0.27

What's Changed

Version 0.0.26

What's Changed

Version 0.0.25

What's Changed

Version 0.0.24

What's Changed

Version 0.0.23

What's Changed

New Contributors

0.0.27 (2026-04-27)

0.0.26 (2026-04-10)

0.0.25 (2026-04-10)

0.0.24 (2026-04-05)

0.0.23 (2026-04-05)

Version 0.0.27

What's Changed

Version 0.0.26

What's Changed

Version 0.0.25

What's Changed

Version 0.0.24

What's Changed

Version 0.0.23

What's Changed

New Contributors

0.0.27 (2026-04-27)

0.0.26 (2026-04-10)

0.0.25 (2026-04-10)

0.0.24 (2026-04-05)

0.0.23 (2026-04-05)

12.2.0

Documentation

Dependencies

Testing

Other changes

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

Deprecations and Removals

Bugfixes

2.7.0 (2026-05-07)

Security

Deprecations and Removals

Bugfixes

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

Security

Deprecations and Removals

Bugfixes

2.7.0 (2026-05-07)

Security

Deprecations and Removals

Bugfixes

v1.2.2

Added

Changed

Fixed

Breaking Changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone