chore(deps): update python dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
argcomplete (changelog)	==3.6.2 → ==3.6.3
arrow	==1.3.0 → ==1.4.0
asttokens	==3.0.0 → ==3.0.1
attrs (changelog)	==25.3.0 → ==25.4.0
bandit (source, changelog)	==1.8.6 → ==1.9.4
beautifulsoup4 (changelog)	==4.13.4 → ==4.14.3
black (changelog)	==25.1.0 → ==25.12.0
bleach	==6.2.0 → ==6.3.0
boto3	==1.40.6 → ==1.42.69
botocore	==1.40.6 → ==1.42.69
build (changelog)	==1.3.0 → ==1.4.0
cachecontrol	==0.14.3 → ==0.14.4
certifi	==2025.8.3 → ==2025.11.12
cfgv	==3.4.0 → ==3.5.0
charset-normalizer (changelog)	==3.4.3 → ==3.4.6
click (changelog)	==8.1.8 → ==8.3.1
click-option-group	==0.5.7 → ==0.5.9
commitizen (changelog)	==4.8.3 → ==4.13.9
coverage	==7.10.2 → ==7.13.4
cyclonedx-bom (changelog)	==7.0.0 → ==7.2.2
deprecated	==1.2.18 → ==1.3.1
deptry (changelog)	==0.23.1 → ==0.24.0
dill	==0.4.0 → ==0.4.1
exceptiongroup (changelog)	==1.2.2 → ==1.3.1
executing	==2.2.0 → ==2.2.1
fastjsonschema	==2.21.1 → ==2.21.2
filelock	==3.18.0 → ==3.25.2
googleapis-common-protos (source)	==1.70.0 → ==1.73.0
greenlet (changelog)	==3.2.4 → ==3.3.2
hvac	==2.3.0 → ==2.4.0
identify	==2.6.13 → ==2.6.18
idna (changelog)	==3.10 → ==3.11
importlib-metadata	==8.7.0 → ==8.7.1
iniconfig	==2.1.0 → ==2.3.0
ipython	==8.12.3 → ==8.38.0
isort (changelog)	==6.0.1 → ==6.1.0
jmespath	==1.0.1 → ==1.1.0
jsonschema (changelog)	==4.25.0 → ==4.26.0
jsonschema-specifications	==2025.4.1 → ==2025.9.1
jupyter-client	==8.6.3 → ==8.8.0
jupyter-core	==5.8.1 → ==5.9.1
maison	==2.0.0 → ==2.0.2
markdown (changelog)	==3.8.2 → ==3.10.2
markupsafe (changelog)	==3.0.2 → ==3.0.3
matplotlib-inline	==0.1.7 → ==0.2.1
mistune	==3.1.3 → ==3.2.0
mkdocs-autorefs (changelog)	==1.4.2 → ==1.4.4
mkdocs-get-deps (changelog)	==0.2.0 → ==0.2.2
mkdocstrings (changelog)	==0.30.0 → ==0.30.1
msgpack (changelog)	==1.1.1 → ==1.1.2
nbclient	==0.10.2 → ==0.10.4
nbconvert	==7.16.6 → ==7.17.0
nodeenv	==1.9.1 → ==1.10.0
numpy (changelog)	==2.3.2 → ==2.4.3
packageurl-python	==0.17.5 → ==0.17.6
parso	==0.8.4 → ==0.8.6
peewee (changelog)	==3.18.2 → ==3.19.0
pip-audit	==2.9.0 → ==2.10.0
pip-tools (changelog)	==7.5.0 → ==7.5.3
pipdeptree (changelog)	==2.28.0 → ==2.31.0
platformdirs (changelog)	==4.3.8 → ==4.9.4
pre-commit	==4.3.0 → ==4.5.1
prometheus-client	==0.22.1 → ==0.24.1
prompt-toolkit	==3.0.51 → ==3.0.52
pydantic (changelog)	==2.11.7 → ==2.12.5
pydantic-core	==2.33.2 → ==2.42.0
pylint (changelog)	==3.3.8 → ==3.3.9
pymdown-extensions	==10.16.1 → ==10.21
pyparsing	==3.2.3 → ==3.3.2
pyright	==1.1.403 → ==1.1.408
pytest (changelog)	==8.4.1 → ==8.4.2
pytest-cov (changelog)	==6.2.1 → ==6.3.0
pyyaml (source)	==6.0.2 → ==6.0.3
pyzmq	==27.0.1 → ==27.1.0
questionary	==2.1.0 → ==2.1.1
referencing (changelog)	==0.36.2 → ==0.37.0
requests (source, changelog)	==2.32.4 → ==2.32.5
rich	==13.5.3 → ==13.9.4
rpds-py	==0.27.0 → ==0.30.0
ruamel-yaml	==0.18.14 → ==0.19.1
ruamel-yaml-clib	==0.2.12 → ==0.2.15
ruff (source, changelog)	==0.12.8 → ==0.15.6
s3transfer	==0.13.1 → ==0.16.0
soupsieve	==2.7 → ==2.8.3
sqlalchemy (changelog)	==2.0.42 → ==2.0.48
stevedore	==5.4.1 → ==5.7.0
tenacity	==9.1.2 → ==9.1.4
termcolor (changelog)	==3.1.0 → ==3.3.0
tinycss2 (changelog)	==1.4.0 → ==1.5.1
tomli (changelog)	==2.0.2 → ==2.4.0
tomlkit	==0.13.3 → ==0.14.0
tornado (source)	==6.5.2 → ==6.5.5
types-python-dateutil (changelog)	==2.9.0.20250809 → ==2.9.0.20260305
typing-extensions (changelog)	==4.14.1 → ==4.15.0
typing-inspection (changelog)	==0.4.1 → ==0.4.2
urllib3 (changelog)	==2.5.0 → ==2.6.3
virtualenv	==20.33.1 → ==20.39.1
wcwidth	==0.2.13 → ==0.6.0
wheel (changelog)	==0.45.1 → ==0.46.3
wrapt (changelog)	==1.17.2 → ==1.17.3
yamlfix	==1.17.0 → ==1.19.1
yarg	==0.1.9 → ==0.1.10

---

Release Notes

kislyuk/argcomplete (argcomplete)

v3.6.3

Compare Source

===============================

• Make RE PCRE compatible. Fixes #​539

• Only execute Python interpreters (#​536)

• fish: set variable scope to local to avoid clobbering global or
  universal variables (#​534)

• Documentation and help improvements

arrow-py/arrow (arrow)

v1.4.0

Compare Source

• [ADDED] Added week_start parameter to floor() and ceil() methods. PR #&#8203;1222 <https://github.com/arrow-py/arrow/pull/1222>_
• [ADDED] Added FORMAT_RFC3339_STRICT with a T separator. PR #&#8203;1201 <https://github.com/arrow-py/arrow/pull/1201>_
• [ADDED] Added Macedonian in Latin locale support. PR #&#8203;1200 <https://github.com/arrow-py/arrow/pull/1200>_
• [ADDED] Added Persian/Farsi locale support. PR #&#8203;1190 <https://github.com/arrow-py/arrow/pull/1190>_
• [ADDED] Added week and weeks to Thai locale timeframes. PR #&#8203;1218 <https://github.com/arrow-py/arrow/pull/1218>_
• [ADDED] Added weeks to Catalan locale. PR #&#8203;1189 <https://github.com/arrow-py/arrow/pull/1189>_
• [ADDED] Added Persian names of months, month-abbreviations and day-abbreviations in Gregorian calendar. PR #&#8203;1172 <https://github.com/arrow-py/arrow/pull/1172>_
• [CHANGED] Migrated Arrow to use ZoneInfo for timezones instead of pytz. PR #&#8203;1217 <https://github.com/arrow-py/arrow/pull/1217>_
• [FIXED] Fixed humanize month limits. PR #&#8203;1224 <https://github.com/arrow-py/arrow/pull/1224>_
• [FIXED] Fixed type hint of Arrow.__getattr__. PR #&#8203;1171 <https://github.com/arrow-py/arrow/pull/1171>_
• [FIXED] Fixed spelling and removed poorly used expressions in Korean locale. PR #&#8203;1181 <https://github.com/arrow-py/arrow/pull/1181>_
• [FIXED] Updated shift() method for issue #​1145. PR #&#8203;1194 <https://github.com/arrow-py/arrow/pull/1194>_
• [FIXED] Improved Greek locale translations (seconds, days, "ago", and month typo). PR #&#8203;1184 <https://github.com/arrow-py/arrow/pull/1184>, PR #&#8203;1186 <https://github.com/arrow-py/arrow/pull/1186>
• [FIXED] Addressed datetime.utcnow deprecation warning. PR #&#8203;1182 <https://github.com/arrow-py/arrow/pull/1182>_
• [INTERNAL] Added codecov test results. PR #&#8203;1223 <https://github.com/arrow-py/arrow/pull/1223>_
• [INTERNAL] Updated CI dependencies (actions/setup-python, actions/checkout, codecov/codecov-action, actions/cache).
• [INTERNAL] Added docstrings to parser.py. PR #&#8203;1010 <https://github.com/arrow-py/arrow/pull/1010>_
• [INTERNAL] Updated Python versions support and bumped CI dependencies. PR #&#8203;1177 <https://github.com/arrow-py/arrow/pull/1177>_
• [INTERNAL] Added dependabot for GitHub actions. PR #&#8203;1193 <https://github.com/arrow-py/arrow/pull/1193>_
• [INTERNAL] Moved dateutil types to test requirements. PR #&#8203;1183 <https://github.com/arrow-py/arrow/pull/1183>_
• [INTERNAL] Added documentation link for arrow.format. PR #&#8203;1180 <https://github.com/arrow-py/arrow/pull/1180>_

gristlabs/asttokens (asttokens)

v3.0.1

Compare Source

python-attrs/attrs (attrs)

v25.4.0

Compare Source

Backwards-incompatible Changes

• Class-level kw_only=True behavior is now consistent with dataclasses.

  Previously, a class that sets kw_only=True makes all attributes keyword-only, including those from base classes.
  If an attribute sets kw_only=False, that setting is ignored, and it is still made keyword-only.

  Now, only the attributes defined in that class that doesn't explicitly set kw_only=False are made keyword-only.

  This shouldn't be a problem for most users, unless you have a pattern like this:

  @​attrs.define(kw_only=True)
  class Base:
      a: int
      b: int = attrs.field(default=1, kw_only=False)
  
  @​attrs.define
  class Subclass(Base):
      c: int

  Here, we have a kw_only=True attrs class (Base) with an attribute that sets kw_only=False and has a default (Base.b), and then create a subclass (Subclass) with required arguments (Subclass.c).
  Previously this would work, since it would make Base.b keyword-only, but now this fails since Base.b is positional, and we have a required positional argument (Subclass.c) following another argument with defaults.
  #​1457

Changes

• Values passed to the __init__() method of attrs classes are now correctly passed to __attrs_pre_init__() instead of their default values (in cases where kw_only was not specified).
  #​1427

• Added support for Python 3.14 and PEP 749.
  #​1446,
  #​1451

• attrs.validators.deep_mapping() now allows to leave out either key_validator xor value_validator.
  #​1448

• attrs.validators.deep_iterator() and attrs.validators.deep_mapping() now accept lists and tuples for all validators and wrap them into a attrs.validators.and_().
  #​1449

• Added a new experimental way to inspect classes:

  attrs.inspect(cls) returns the effective class-wide parameters that were used by attrs to construct the class.

  The returned class is the same data structure that attrs uses internally to decide how to construct the final class.
  #​1454

• Fixed annotations for attrs.field(converter=...).
  Previously, a tuple of converters was only accepted if it had exactly one element.
  #​1461

• The performance of attrs.asdict() has been improved by 45–260%.
  #​1463

• The performance of attrs.astuple() has been improved by 49–270%.
  #​1469

• The type annotation for attrs.validators.or_() now allows for different types of validators.

  This was only an issue on Pyright.
  #​1474

PyCQA/bandit (bandit)

v1.9.4

Compare Source

What's Changed

• chore: fixed some typos in comments by @​jakob1379 in #​1351
• Bump docker/login-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​1353
• Bump docker/build-push-action from 6.18.0 to 6.19.2 by @​dependabot[bot] in #​1357
• Fix B613 crash when reading from stdin by @​worksbyfriday in #​1361
• Include filename in nosec 'no failed test' warning by @​worksbyfriday in #​1363
• Fix B615 false positive when revision is set via variable by @​worksbyfriday in #​1358
• Lower version guard in check_ast_node to Python 3.12 by @​rcgray in #​1355
• Fix B106 reporting wrong line number on multiline function calls by @​worksbyfriday in #​1360

New Contributors

• @​jakob1379 made their first contribution in #​1351
• @​worksbyfriday made their first contribution in #​1361
• @​rcgray made their first contribution in #​1355

Full Changelog: PyCQA/bandit@1.9.3...1.9.4

v1.9.3

Compare Source

What's Changed

• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1334
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1335
• Fix B608 to detect VALUES( without space by @​kfess in #​1337
• Add check for hardcoded passwords in dicts. by @​alanverresen in #​1338
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in #​1341
• Update tox tests for Python 3.10 by @​willschlitzer in #​1346
• Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @​dependabot[bot] in #​1347
• Limit B614 to torch.load deserializers by @​dibussoc in #​1348

New Contributors

• @​kfess made their first contribution in #​1337
• @​alanverresen made their first contribution in #​1338
• @​willschlitzer made their first contribution in #​1346
• @​dibussoc made their first contribution in #​1348

Full Changelog: PyCQA/bandit@1.9.2...1.9.3

v1.9.2

Compare Source

What's Changed

• Argparse Python 3.14 enhancements by @​ericwb in #​1331
• Check whether Constant value is str by @​ericwb in #​1333

Full Changelog: PyCQA/bandit@1.9.1...1.9.2

v1.9.1

Compare Source

What's Changed

• More Python version related fixes by @​ericwb in #​1327

Full Changelog: PyCQA/bandit@1.9.0...1.9.1

psf/black (black)

v25.12.0

Compare Source

Highlights

• Black no longer supports running with Python 3.9 (#​4842)

Stable style

• Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly
  removed, particularly affecting Jupytext's # %% [markdown] comments (#​4845)
• Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on
  string literals, or on dictionary entries with long lines (#​4872)
• Fix possible crash when fmt: directives aren't on the top level (#​4856)

Preview style

• Fix fmt: skip skipping the line after instead of the line it's on (#​4855)
• Remove unnecessary parentheses from the left-hand side of assignments while preserving
  magic trailing commas and intentional multiline formatting (#​4865)
• Fix fix_fmt_skip_in_one_liners crashing on with statements (#​4853)
• Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#​4854)
• Fix new lines being added after imports with # fmt: skip on them (#​4894)

Packaging

• Releases now include arm64 Windows binaries and wheels (#​4814)

Integrations

• Add output-file input to GitHub Action psf/black to write formatter output to a
  file for artifact capture and log cleanliness (#​4824)

v25.11.0

Compare Source

Highlights

• Enable base 3.14 support (#​4804)
• Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#​4805)

Stable style

• Fix bug where comments between # fmt: off and # fmt: on were reformatted (#​4811)
• Comments containing fmt directives now preserve their exact formatting instead of
  being normalized (#​4811)

Preview style

• Move multiline_string_handling from --unstable to --preview (#​4760)
• Fix bug where module docstrings would be treated as normal strings if preceded by
  comments (#​4764)
• Fix bug where python 3.12 generics syntax split line happens weirdly (#​4777)
• Standardize type comments to form # type: <value> (#​4645)
• Fix fix_fmt_skip_in_one_liners preview feature to respect # fmt: skip for compound
  statements with semicolon-separated bodies (#​4800)

Configuration

• Add no_cache option to control caching behavior. (#​4803)

Packaging

• Releases now include arm64 Linux binaries (#​4773)

Output

• Write unchanged content to stdout when excluding formatting from stdin using pipes
  (#​4610)

Blackd

• Implemented BlackDClient. This simple python client allows to easily send formatting
  requests to blackd (#​4774)

Integrations

• Enable 3.14 base CI (#​4804)
• Enhance GitHub Action psf/black to support the required-version major-version-only
  "stability" format when using pyproject.toml (#​4770)
• Improve error message for vim plugin users. It now handles independently vim version
• Vim: Warn on unsupported Vim and Python versions independently (#​4772)
• Vim: Print the import paths when importing black fails (#​4675)
• Vim: Fix handling of virtualenvs that have a different Python version (#​4675)

v25.9.0

Compare Source

Highlights

• Remove support for pre-python 3.7 await/async as soft keywords/variable names
  (#​4676)

Stable style

• Fix crash while formatting a long del statement containing tuples (#​4628)
• Fix crash while formatting expressions using the walrus operator in complex with
  statements (#​4630)
• Handle # fmt: skip followed by a comment at the end of file (#​4635)
• Fix crash when a tuple appears in the as clause of a with statement (#​4634)
• Fix crash when tuple is used as a context manager inside a with statement (#​4646)
• Fix crash when formatting a \ followed by a \r followed by a comment (#​4663)
• Fix crash on a \\r\n (#​4673)
• Fix crash on await ... (where ... is a literal Ellipsis) (#​4676)
• Fix crash on parenthesized expression inside a type parameter bound (#​4684)
• Fix crash when using line ranges excluding indented single line decorated items
  (#​4670)

Preview style

• Fix a bug where one-liner functions/conditionals marked with # fmt: skip would still
  be formatted (#​4552)
• Improve multiline_string_handling with ternaries and dictionaries (#​4657)
• Fix a bug where string_processing would not split f-strings directly after
  expressions (#​4680)
• Wrap the in clause of comprehensions across lines if necessary (#​4699)
• Remove parentheses around multiple exception types in except and except* without
  as. (#​4720)
• Add \r style newlines to the potential newlines to normalize file newlines both from
  and to (#​4710)

Parser

• Rewrite tokenizer to improve performance and compliance (#​4536)
• Fix bug where certain unusual expressions (e.g., lambdas) were not accepted in type
  parameter bounds and defaults. (#​4602)

Performance

• Avoid using an extra process when running with only one worker (#​4734)

Integrations

• Fix the version check in the vim file to reject Python 3.8 (#​4567)
• Enhance GitHub Action psf/black to read Black version from an additional section in
  pyproject.toml: [project.dependency-groups] (#​4606)
• Build gallery docker image with python3-slim and reduce image size (#​4686)

Documentation

• Add FAQ entry for windows emoji not displaying (#​4714)

mozilla/bleach (bleach)

v6.3.0

Compare Source

Backwards incompatible changes

• Dropped support for Python 3.9. (#​756)

Security fixes

None

Bug fixes

• Add support for Python 3.14. (#​758)
• Fix wbr handling. (#​488)

boto/boto3 (boto3)

v1.42.69

Compare Source

=======

• api-change:bedrock: [botocore] You can now generate policy scenarios on demand using the new GENERATE POLICY SCENARIOS build workflow type. Scenarios will no longer be automatically generated during INGEST CONTENT, REFINE POLICY, and IMPORT POLICY workflows, resulting in faster completion times for these operations.
• api-change:bedrock-agentcore: [botocore] Provide support to perform deterministic operations on agent runtime through shell command executions via the new InvokeAgentRuntimeCommand API
• api-change:bedrock-agentcore-control: [botocore] Supporting hosting of public ECR Container Images in AgentCore Runtime
• api-change:ecs: [botocore] Amazon ECS now supports configuring whether tags are propagated to the EC2 Instance Metadata Service (IMDS) for instances launched by the Managed Instances capacity provider. This gives customers control over tag visibility in IMDS when using ECS Managed Instances.

v1.42.68

Compare Source

=======

• api-change:apigateway: [botocore] API Gateway now supports an additional security policy "SecurityPolicy-TLS13-1-2-FIPS-PFS-PQ-2025-09" for REST APIs and custom domain names. The new policy is compliant with TLS 1.3, Federal Information Processing Standards (FIPS), Perfect Forward Secrecy (PFS), and post-quantum (PQ) cryptography
• api-change:config: [botocore] Fix pagination support for DescribeConformancePackCompliance, and update OrganizationConfigRule InputParameters max length to match ConfigRule.
• api-change:connect: [botocore] Deprecating PredefinedNotificationID field
• api-change:gameliftstreams: [botocore] Feature launch that enables customers to connect streaming sessions to their own VPCs running in AWS.
• api-change:glue: [botocore] Add QuerySessionContext to BatchGetPartitionRequest
• api-change:ivs-realtime: [botocore] Updates maximum reconnect window seconds from 60 to 300 for participant replication
• api-change:mediaconvert: [botocore] This update adds support for Dolby AC-4 audio output, frame rate conversion between non-Dolb