Lock file maintenance Python dependencies #123

Merged
anuraaga merged 1 commit into main from renovate/python-dependencies
Feb 9, 2026

@renovate renovate bot commented Feb 9, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| | | lockFileMaintenance | All locks refreshed |
| asgiref (changelog) | dependency-groups | patch | ==3.11.0 → ==3.11.1 |
| granian | dependency-groups | minor | ==2.6.1 → ==2.7.1 |
| grpcio-tools | dependency-groups | minor | ==1.76.0 → ==1.78.0 |
| gunicorn (changelog) | dependency-groups | patch | ==25.0.0 → ==25.0.3 |
| ruff (source, changelog) | dependency-groups | minor | ~=0.14.13 → ~=0.15.0 |
| uv_build (source, changelog) | build-system.requires | minor | >=0.9.28,<0.10.0 → >=0.10.0,<0.11.0 |
| uv_build (source, changelog) | build-system.requires | minor | >=0.8.13,<0.10.0 → >=0.10.0,<0.11.0 |
| uv_build (source, changelog) | build-system.requires | minor | >=0.7.21,<0.10.0 → >=0.10.0,<0.11.0 |

🔧 This Pull Request updates lock files to use the latest dependency versions.


Release Notes

django/asgiref (asgiref)

v3.11.1

  • SECURITY FIX CVE-2025-14550: There was a potential DoS vector for users of
    the asgiref.wsgi.WsgiToAsgi adapter. Malicious requests, including an unreasonably
    large number of values for the same header, could lead to resource exhaustion
    when building the WSGI environment.

    To mitigate this, the algorithm is changed to be more efficient, and
    WsgiToAsgi gains a new optional duplicate_header_limit parameter,
    which defaults to 100. This specifies the number of times a single header may
    be repeated before the request is rejected as malformed.

    You may override duplicate_header_limit when configuring your application::

    application = WsgiToAsgi(wsgi_app, duplicate_header_limit=200)
    

    Set duplicate_header_limit=None if you wish to disable this check.

  • Fixed a regression in 3.11.0 in sync_to_async when wrapping a callable
    with an attribute named context. (#​537)

emmett-framework/granian (granian)

v2.7.1: Granian 2.7.1

Patch release

Changes since 2.7.0:

  • Fix websockets' handles cleanup on shutdown
    • This should fix an occasional runtime thread panic with the message
      Cannot drop pointer into Python heap without the thread being attached
  • Fix a bug in the ASGI protocol preventing apps from receiving the websocket.disconnect event after server-initiated close (#801 by @JaeHyuckSa)
    • This should fix some long-standing issues with Django channels
  • Review some lock holding strategy in PyFutureAwaitable callback dispatch (#​802 by @​ColemanDunn)
  • Bump dependencies

v2.7.0: Granian 2.7.0

What's Changed
New features
  • Add prometheus metrics export (based on @​butlerx preliminary work)
  • Add support for ASGI websocket denial response extension (#​771 by @​JaeHyuckSa)
  • Add static files rewrite support for directory listings (#​784 by @​tobiasge)
  • Add support for multiple static paths
Changes
  • Lowered --blocking-threads-idle-timeout minimum accepted value to 5 seconds
  • Bump dependencies
Enhancements
  • Refactor blocking thread-pool resize strategy
  • Review auto runtime mode option
Fixes
  • Bump minimum version of click dependency

benoitc/gunicorn (gunicorn)

v25.0.3

What's Changed

Bug Fixes
  • Fix RuntimeError when StopIteration raised in ASGI coroutine (#​3484)
  • Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)
Documentation
  • Updated sponsorship section and homepage

Full Changelog: benoitc/gunicorn@25.0.2...25.0.3

v25.0.2: Release 25.0.2

Bug Fixes

  • Fix ASGI concurrent request failures through nginx proxy by normalizing
    sockaddr tuples to handle both 2-tuple (IPv4) and 4-tuple (IPv6) formats
    (PR #​3485)

  • Fix graceful disconnect handling for ASGI worker to properly handle
    client disconnects without raising exceptions
    (PR #​3485)

  • Fix lazy import of dirty module for gevent compatibility - prevents
    import errors when concurrent.futures is imported before gevent monkey-patching
    (PR #​3483)

Changes

  • Refactor: Extract _normalize_sockaddr utility function for consistent
    socket address handling across workers

  • Add license headers to all Python source files

  • Update copyright year to 2026 in LICENSE and NOTICE files

v25.0.1

Bug Fixes

  • Fix ASGI streaming responses (SSE) hanging: add chunked transfer encoding for
    HTTP/1.1 responses without Content-Length header. Without chunked encoding,
    clients wait for connection close to determine end-of-response.

Changes

  • Update celery_alternative example to use FastAPI with native ASGI worker and
    uvloop for async task execution

Testing

  • Add ASGI compliance test suite with Docker-based integration tests covering HTTP,
    WebSocket, streaming, lifespan, framework integration (Starlette, FastAPI),
    HTTP/2, and concurrency scenarios

astral-sh/ruff (ruff)

v0.15.0

Released on 2026-02-03.

Check out the blog post for a migration
guide and overview of the changes!

Breaking changes
  • Ruff now formats your code according to the 2026 style guide. See the formatter section below or in the blog post for a detailed list of changes.

  • The linter now supports block suppression comments. For example, to suppress N803 for all parameters in this function:

    # ruff: disable[N803]
    def foo(
        legacyArg1,
        legacyArg2,
        legacyArg3,
        legacyArg4,
    ): ...
    # ruff: enable[N803]

    See the documentation for more details.

  • The ruff:alpine Docker image is now based on Alpine 3.23 (up from 3.21).

  • The ruff:debian and ruff:debian-slim Docker images are now based on Debian 13 "Trixie" instead of Debian 12 "Bookworm."

  • Binaries for the ppc64 (64-bit big-endian PowerPC) architecture are no longer included in our releases. It should still be possible to build Ruff manually for this platform, if needed.

  • Ruff now resolves all extended configuration files before falling back on a default Python version.

Stabilization

The following rules have been stabilized and are no longer in preview:

The following behaviors have been stabilized:

  • The --output-format flag is now respected when running Ruff in --watch mode, and the full output format is now used by default, matching the regular CLI output.
  • builtin-attribute-shadowing (A003) now detects the use of shadowed built-in names in additional contexts like decorators, default arguments, and other attribute definitions.
  • duplicate-union-member (PYI016) now considers typing.Optional when searching for duplicate union members.
  • split-static-string (SIM905) now offers an autofix when the maxsplit argument is provided, even without a sep argument.
  • dict-get-with-none-default (SIM910) now applies to more types of key expressions.
  • super-call-with-parameters (UP008) now has a safe fix when it will not delete comments.
  • unnecessary-default-type-args (UP043) now applies to stub (.pyi) files on Python versions before 3.13.
Formatter

This release introduces the new 2026 style guide, with the following changes:

  • Lambda parameters are now kept on the same line and lambda bodies will be parenthesized to let
    them break across multiple lines (#​21385)
  • Parentheses around tuples of exceptions in except clauses will now be removed on Python 3.14 and
    later (#​20768)
  • A single empty line is now permitted at the beginning of function bodies (#​21110)
  • Parentheses are avoided for long as captures in match statements (#​21176)
  • Extra spaces between escaped quotes and ending triple quotes can now be omitted (#​17216)
  • Blank lines are now enforced before classes with decorators in stub files (#​18888)
Preview features
Bug fixes
  • Fix suppression indentation matching (#​22903)
Rule changes
  • Customize where the fix_title sub-diagnostic appears (#​23044)
  • [FastAPI] Add sub-diagnostic explaining why a fix was unavailable (FAST002) (#​22565)
  • [flake8-annotations] Don't suggest NoReturn for functions raising NotImplementedError (ANN201, ANN202, ANN205, ANN206) (#​21311)
  • [pyupgrade] Make fix unsafe if it deletes comments (UP017) (#​22873)
  • [pyupgrade] Make fix unsafe if it deletes comments (UP020) (#​22872)
  • [pyupgrade] Make fix unsafe if it deletes comments (UP033) (#​22871)
  • [refurb] Do not add abc.ABC if already present (FURB180) (#​22234)
  • [refurb] Make fix unsafe if it deletes comments (FURB110) (#​22768)
  • [ruff] Add sub-diagnostics with permissions (RUF064) (#​22972)
Server
  • Identify notebooks by LSP didOpen instead of .ipynb file extension (#​22810)
CLI
  • Add --color CLI option to force colored output (#​22806)
Documentation
  • Document - stdin convention in CLI help text (#​22817)
  • [refurb] Change example to re.search with ^ anchor (FURB167) (#​22984)
  • Fix link to Sphinx code block directives (#​23041)
  • [pydocstyle] Clarify which quote styles are allowed (D300) (#​22825)
  • [flake8-bugbear] Improve docs for no-explicit-stacklevel (B028) (#​22538)
Other changes
Contributors

v0.14.14

Released on 2026-01-22.

Preview features
  • Preserve required parentheses in lambda bodies (#​22747)
  • Combine range suppression code diagnostics (#​22613)
  • [airflow] Second positional argument to Asset/Dataset should not be a dictionary (AIR303) (#​22453)
  • [ruff] Detect duplicate entries in __all__ (RUF068) (#​22114)
Bug fixes
  • [pyupgrade] Allow shadowing non-builtin bindings (UP029) (#​22749)
  • [pyupgrade] Apply UP045 to string arguments of typing.cast (#​22320)
  • [flake8-pie] Detect duplicated declared class fields in PIE794 (#​22717)
Rule changes
Documentation
  • Add --exit-non-zero-on-format to formatter exit codes section (#​22761)
  • Update contributing guide for adding a new rule (#​22779)
  • [FastAPI] Document fix safety for FAST001 (#​22655)
  • [flake8-async] Tweak explanation to focus on latency/efficiency tradeoff (ASYNC110) (#​22715)
  • [pandas-vet] Make example error out-of-the-box (PD002) (#​22561)
  • [refurb] Make the example work out of box (FURB101) (#​22770)
  • [refurb] Make the example work out of box (FURB103) (#​22769)
Contributors

astral-sh/uv (uv_build)

v0.10.0

Since we released uv 0.9.0 in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.

This release also includes the stabilization of preview features. Python upgrades are now stable, including the uv python upgrade command, uv python install --upgrade, and automatically upgrading Python patch versions in virtual environments when a new version is installed. The add-bounds and extra-build-dependencies settings are now stable. Finally, the uv workspace dir and uv workspace list utilities for writing scripts against workspace members are now stable.

Breaking changes
  • Require --clear to remove existing virtual environments in uv venv (#​17757)

    Previously, uv venv would prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now, uv venv requires the --clear flag to remove an existing virtual environment. A warning for this change was added in uv 0.8.

    You can opt out of this behavior by passing the --clear flag or setting UV_VENV_CLEAR=1.

  • Error if multiple indexes include default = true (#​17011)

    Previously, uv would silently accept multiple indexes with default = true and use the first one. Now, uv will error if multiple indexes are marked as the default.

    You cannot opt out of this behavior. Remove default = true from all but one index.

  • Error when an explicit index is unnamed (#​17777)

    Explicit indexes can only be used via the [tool.uv.sources] table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name.

    You cannot opt out of this behavior. Add a name to the explicit index or remove the entry.

  • Install alternative Python executables using their implementation name (#​17756, #​17760)

    Previously, uv python install would install PyPy, GraalPy, and Pyodide executables with names like python3.10 into the bin directory. Now, these executables will be named using their implementation name, e.g., pypy3.10, graalpy3.10, and pyodide3.12, to avoid conflicting with CPython installations.

    You cannot opt out of this behavior.

  • Respect global Python version pins in uv tool run and uv tool install (#​14112)

    Previously, uv tool run and uv tool install did not respect the global Python version pin (set via uv python pin --global). Now, these commands will use the global Python version when no explicit version is requested.

    For uv tool install, if the tool is already installed, the Python version will not change unless --reinstall or --python is provided. If the tool was previously installed with an explicit --python flag, the global pin will not override it.

    You can opt out of this behavior by providing an explicit --python flag.

  • Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images (#​17755)

    The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in uv 0.9. These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images.

    The following image tags are no longer published:

    • uv:bookworm, uv:bookworm-slim
    • uv:alpine3.21
    • uv:python3.8-*

    Use uv:debian or uv:trixie instead of uv:bookworm, uv:alpine or uv:alpine3.22 instead of uv:alpine3.21, and a newer Python version instead of uv:python3.8-*.

  • Drop PPC64 (big endian) builds (#​17626)

    uv no longer provides pre-built binaries for PPC64 (big endian). This platform appears to be largely unused and is only supported on a single manylinux version. PPC64LE (little endian) builds are unaffected.

    Building uv from source is still supported for this platform.

  • Skip generating activate.csh for relocatable virtual environments (#​17759)

    Previously, uv venv --relocatable would generate an activate.csh script that contained hardcoded paths, making it incompatible with relocation. Now, the activate.csh script is not generated for relocatable virtual environments.

    You cannot opt out of this behavior.

  • Require username when multiple credentials match a URL (#​16983)

    When using uv auth login to store credentials, you can register multiple username and password combinations for the same host. Previously, when uv needed to authenticate and multiple credentials matched the URL (e.g., when retrieving a token with uv auth token), uv would pick the first match. Now, uv will error instead.

    You cannot opt out of this behavior. Include the username in the request, e.g., uv auth token --username foo example.com.

  • Avoid invalidating the lockfile versions after an exclude-newer change (#​17721)

    Previously, changing the exclude-newer setting would cause package versions to be upgraded, ignoring the lockfile entirely. Now, uv will only change package versions if they are no longer within the exclude-newer range.

    You can restore the previous behavior by using --upgrade or --upgrade-package to opt-in to package version changes.

  • Upgrade uv format to Ruff 0.15.0 (#​17838)

    uv format now uses Ruff 0.15.0, which uses the 2026 style guide. See the blog post for details.

    The formatting of code is likely to change. You can opt out of this behavior by requesting an older Ruff version, e.g., uv format --version 0.14.14.

  • Update uv crate test features to use test- as a prefix (#​17860)

    This change only affects redistributors of uv. The Cargo features used to gate test dependencies, e.g., pypi, have been renamed with a test- prefix for clarity, e.g., test-pypi.

Stabilizations
  • uv python upgrade and uv python install --upgrade (#​17766)

    When installing Python versions, an intermediary directory without the patch version attached will be created, and virtual environments will be transparently upgraded to new patch versions.

    See the Python version documentation for more details.

  • uv add --bounds and the add-bounds configuration option (#​17660)

    This does not come with any behavior changes. You will no longer see an experimental warning when using uv add --bounds or add-bounds in configuration.

  • uv workspace list and uv workspace dir (#​17768)

    This does not come with any behavior changes. You will no longer see an experimental warning when using these commands.

  • extra-build-dependencies (#​17767)

    This does not come with any behavior changes. You will no longer see an experimental warning when using extra-build-dependencies in configuration.

Enhancements
  • Improve ABI tag error message phrasing (#​17878)
  • Introduce a 10s connect timeout (#​17733)
  • Allow using pyx.dev as a target in uv auth commands despite PYX_API_URL differing (#​17856)
Bug fixes
  • Support all CPython ABI tag suffixes properly (#​17817)
  • Add support for detecting PowerShell on Linux and macOS (#​17870)
  • Retry timeout errors for streams (#​17875)

Configuration

📅 Schedule: Branch creation - "before 4am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
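
The duplicate-header limit described in the asgiref v3.11.1 notes above, sketched as an added example (it is not asgiref's code and not part of this PR): ASGI header pairs are folded into WSGI environ keys with one join per key, and a request is rejected once a single header repeats too often. The function names, the 400 response and the exact boundary (more than `duplicate_header_limit` occurrences is rejected) are assumptions.

```python
from collections import defaultdict


class TooManyDuplicateHeaders(ValueError):
    """One header name was repeated more often than the configured limit."""


def wsgi_key(name: bytes) -> str:
    """Map an ASGI header name to the WSGI environ key (CGI naming rules)."""
    key = name.decode("latin1").upper().replace("-", "_")
    # Content-Length and Content-Type are the two headers without HTTP_ prefix.
    return key if key in ("CONTENT_LENGTH", "CONTENT_TYPE") else "HTTP_" + key


def fold_headers(headers, duplicate_header_limit=100):
    """Fold ASGI (name, value) byte pairs into WSGI environ entries.

    Values are collected per key and joined once at the end, so the work is
    linear in the total header bytes instead of re-copying a growing string
    on every repeat. Pass duplicate_header_limit=None to disable the check.
    """
    grouped = defaultdict(list)
    for name, value in headers:
        key = wsgi_key(name)
        values = grouped[key]
        if duplicate_header_limit is not None and len(values) >= duplicate_header_limit:
            raise TooManyDuplicateHeaders(
                f"{key} repeated more than {duplicate_header_limit} times"
            )
        values.append(value.decode("latin1"))
    return {key: ",".join(values) for key, values in grouped.items()}


def handle(scope, duplicate_header_limit=100):
    """Return (status, environ); a request over the limit gets 400 and no environ."""
    try:
        return 200, fold_headers(scope.get("headers", []), duplicate_header_limit)
    except TooManyDuplicateHeaders:
        return 400, None


# Constructed sample scope, not captured traffic.
SAMPLE_SCOPE = {
    "headers": [
        (b"host", b"example.test"),
        (b"accept", b"text/html"),
        (b"accept", b"application/json"),
        (b"content-type", b"text/plain"),
    ]
}

if __name__ == "__main__":
    print(handle(SAMPLE_SCOPE))
    # Constructed request repeating one header 101 times: over the default limit.
    print(handle({"headers": [(b"x-tag", b"v")] * 101}))
```
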

anuraaga commented Feb 9, 2026

PS @stefanvanburen looks like we're finally getting the PRs we wanted :)

@anuraaga anuraaga merged commit 806e11e into main Feb 9, 2026
24 checks passed
@anuraaga anuraaga deleted the renovate/python-dependencies branch February 9, 2026 02:33