chore(deps): uv: bump the all-python group across 1 directory with 9 updates

[dependabot]

Bumps the all-python group with 9 updates in the /agent directory:

Package	From	To
boto3	1.43.9	1.43.15
bedrock-agentcore	1.9.1	1.11.0
claude-agent-sdk	0.2.82	0.2.87
fastapi	0.136.1	0.136.3
uvicorn	0.47.0	0.48.0
aws-opentelemetry-distro	0.17.0	0.17.1
cedarpy	4.8.0	4.8.3
ruff	0.15.12	0.15.14
ty	0.0.35	0.0.39

Updates boto3 from 1.43.9 to 1.43.15

Commits

• ecbbf11 Merge branch 'release-1.43.15'
• af67f4e Bumping version to 1.43.15
• 16a99f5 Add changelog entries from botocore
• 07953b0 Merge branch 'release-1.43.14'
• 7270b75 Merge branch 'release-1.43.14' into develop
• 25c77c3 Bumping version to 1.43.14
• 5e64afc Add changelog entries from botocore
• 97921f4 Merge branch 'release-1.43.13'
• 4e58a35 Merge branch 'release-1.43.13' into develop
• 1307ac2 Bumping version to 1.43.13
• Additional commits viewable in compare view

Updates bedrock-agentcore from 1.9.1 to 1.11.0

Release notes

Sourced from bedrock-agentcore's releases.

Bedrock AgentCore SDK v1.11.0

Installation

pip install bedrock-agentcore==1.11.0

What's Changed

See CHANGELOG.md for details.

What's Changed

• test: add OTEL span content leakage integration tests by @​jesseturner21 in aws/bedrock-agentcore-sdk-python#485
• fix: stop retrying after successful payment signing is rejected by merchant by @​rajuans in aws/bedrock-agentcore-sdk-python#492
• feat(evaluation): add DatasetClient and dataset management service provider by @​jariy17 in aws/bedrock-agentcore-sdk-python#491
• fix(payments): drop unsupported paymentConnectorId + add http_request plugin tool + EIP-3009 timing fix by @​aidandaly24 in aws/bedrock-agentcore-sdk-python#493
• Release v1.11.0 by @​agentcore-devx-automation[bot] in aws/bedrock-agentcore-sdk-python#495

New Contributors

• @​rajuans made their first contribution in aws/bedrock-agentcore-sdk-python#492

Full Changelog: aws/bedrock-agentcore-sdk-python@v1.10.0...v1.11.0

Bedrock AgentCore SDK v1.10.0

Installation

pip install bedrock-agentcore==1.10.0

What's Changed

See CHANGELOG.md for details.

What's Changed

• chore: replace all github.token/GITHUB_TOKEN with GitHub App token by @​aidandaly24 in aws/bedrock-agentcore-sdk-python#475
• feat: expand custom request header forwarding to match runtime allowlist by @​padmak30 in aws/bedrock-agentcore-sdk-python#483
• Release v1.10.0 by @​agentcore-devx-automation[bot] in aws/bedrock-agentcore-sdk-python#486

New Contributors

• @​agentcore-devx-automation[bot] made their first contribution in aws/bedrock-agentcore-sdk-python#486

Full Changelog: aws/bedrock-agentcore-sdk-python@v1.9.1...v1.10.0

Changelog

Sourced from bedrock-agentcore's changelog.

[1.11.0] - 2026-05-22

Fixed

• fix: stop retrying after successful payment signing is rejected by merchant (#492) (0b2b34f)

Other Changes

• fix(payments): drop unsupported paymentConnectorId + add http_request plugin tool + EIP-3009 timing fix (#493) (d5428b2)
• feat(evaluation): add DatasetClient and dataset management service provider (#491) (29287c2)
• test: add OTEL span content leakage integration tests (#485) (c311682)

[1.10.0] - 2026-05-19

Added

• feat: expandi custom request header forwarding to match runtime allowlist (#483) (5fde434)

Other Changes

• chore: replace all github.token/GITHUB_TOKEN with GitHub App token (#475) (b64a0d9)

Commits

• 1042d58 chore: bump version to 1.11.0 (#495)
• d5428b2 fix(payments): drop unsupported paymentConnectorId + add http_request plugin ...
• 29287c2 feat(evaluation): add DatasetClient and dataset management service provider (...
• 0b2b34f fix: stop retrying after successful payment signing is rejected by merchant (...
• c311682 test: add OTEL span content leakage integration tests (#485)
• 76c8d89 chore: bump version to 1.10.0 (#486)
• 5fde434 feat: expandi custom request header forwarding to match runtime allowlist (#483)
• b64a0d9 chore: replace all github.token/GITHUB_TOKEN with GitHub App token (#475)
• See full diff in compare view

Updates claude-agent-sdk from 0.2.82 to 0.2.87

Release notes

Sourced from claude-agent-sdk's releases.

v0.2.87

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.150
• Switched CI workflows from static API key to Workload Identity Federation for Claude authentication, using short-lived tokens instead of long-lived secrets (#984)

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.87/

pip install claude-agent-sdk==0.2.87

v0.2.86

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.149

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.86/

pip install claude-agent-sdk==0.2.86

v0.2.85

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.148

---

PyPI: https://pypi.org/project/claude-agent-sdk/0.2.85/

pip install claude-agent-sdk==0.2.85

v0.2.84

Internal/Other Changes

... (truncated)

Changelog

Sourced from claude-agent-sdk's changelog.

0.2.87

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.150
• Switched CI workflows from static API key to Workload Identity Federation for Claude authentication, using short-lived tokens instead of long-lived secrets (#984)

0.2.86

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.149

0.2.85

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.148

0.2.84

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.147

0.2.83

Internal/Other Changes

• Updated bundled Claude CLI to version 2.1.146

Commits

• 9970096 docs: update changelog for v0.2.87
• 2237c9e chore: release v0.2.87
• a6146c2 chore: bump bundled CLI version to 2.1.150
• 3471a9f Use workload identity federation for Claude auth in CI workflows (#984)
• 095a8b3 docs: update changelog for v0.2.86
• dd06657 chore: release v0.2.86
• 1113acf chore: bump bundled CLI version to 2.1.149
• 2a3720d docs: update changelog for v0.2.85
• eee6bf4 chore: release v0.2.85
• 0bc333f chore: bump bundled CLI version to 2.1.148
• Additional commits viewable in compare view

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

• ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

• 📝 Document --entrypoint CLI option. PR #15464 by @​YuriiMotov.
• 📝 Update and simplify docs about help and management. PR #15583 by @​tiangolo.
• 📝 Add docs references to central contributing docs. PR #15580 by @​tiangolo.
• 📝 Update security policy. PR #15577 by @​tiangolo.
• 🍱 Update sponsors: TalorData image. PR #15562 by @​tiangolo.
• 📝 Update docs, simplify usage of admonitions, only default ones. PR #15553 by @​tiangolo.
• 📝 Fix image URLs in index.md. PR #15534 by @​YuriiMotov.
• ✏️ Fix Azkaban spelling typo in virtual-environments.md‎. PR #15463 by @​isaacbernat.
• 💄 Improve layout and styling. PR #15462 by @​alejsdev.
• 💄 Refactor opinions section with interactive tabs and new logos. PR #15458 by @​alejsdev.
• 📝 Add FastAPI Conf '26 announcement to docs. PR #15457 by @​alejsdev.

Translations

• 🌐 Improve translation consistency in ‎docs/pt/docs/advanced/generate-clients.md‎. PR #15456 by @​Will-thom.
• 🌐 Update translations for ja (update-outdated). PR #15530 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15529 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15528 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15527 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15526 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15525 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15524 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #15522 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15523 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15520 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15521 by @​tiangolo.
• 🌐 Fix typos in Spanish LLM-prompt. PR #15472 by @​crr004.

Internal

• ✅ Update tests, don't double dispose the engine. PR #15587 by @​tiangolo.
• ⚡️ Speed up test suite via caching and fixture scopes to make it ~24% faster. PR #13583 by @​dikos1337.
• 🔥 Remove config files now in central GitHub repo. PR #15585 by @​tiangolo.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #15502 by @​dependabot[bot].
• ⬆ Bump idna from 3.11 to 3.15. PR #15565 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.15.0 to 4.0.0. PR #15571 by @​dependabot[bot].
• 🔧 Migrate docs from MkDocs to Zensical. PR #15563 by @​tiangolo.
• 🔒️ Only allow team members to modify dependencies. PR #15548 by @​svlandeg.

... (truncated)

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates uvicorn from 0.47.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• See full diff in compare view

Updates aws-opentelemetry-distro from 0.17.0 to 0.17.1

Release notes

Sourced from aws-opentelemetry-distro's releases.

Release v0.17.1

What's Changed

• feat(agent-observability): add AWS_GENAI_CONTENT_EXTRACTION_OPT_OUT env var to allow disabling LLO content extraction from spans (#741)
• fix(mcp-instrumentation): suppress MCP /ping spans when agent observability is enabled (#748)
• fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)

Upstream Components

• opentelemetry-api - 1.40.0
• opentelemetry-sdk - 1.40.0
• opentelemetry-exporter-otlp-proto-grpc - 1.40.0
• opentelemetry-exporter-otlp-proto-http - 1.40.0
• opentelemetry-propagator-b3 - 1.40.0
• opentelemetry-propagator-jaeger - 1.40.0
• opentelemetry-exporter-otlp-proto-common - 1.40.0
• opentelemetry-sdk-extension-aws - 2.1.0
• opentelemetry-propagator-aws-xray - 1.0.2
• opentelemetry-distro - 0.61b0
• opentelemetry-processor-baggage - 0.61b0
• opentelemetry-propagator-ot-trace - 0.61b0
• opentelemetry-instrumentation - 0.61b0
• opentelemetry-instrumentation-aws-lambda - 0.61b0
• opentelemetry-instrumentation-aio-pika - 0.61b0
• opentelemetry-instrumentation-aiohttp-client - 0.61b0
• opentelemetry-instrumentation-aiokafka - 0.61b0
• opentelemetry-instrumentation-aiopg - 0.61b0
• opentelemetry-instrumentation-asgi - 0.61b0
• opentelemetry-instrumentation-asyncpg - 0.61b0
• opentelemetry-instrumentation-boto - 0.61b0
• opentelemetry-instrumentation-boto3sqs - 0.61b0
• opentelemetry-instrumentation-botocore - 0.61b0
• opentelemetry-instrumentation-celery - 0.61b0
• opentelemetry-instrumentation-confluent-kafka - 0.61b0
• opentelemetry-instrumentation-dbapi - 0.61b0
• opentelemetry-instrumentation-django - 0.61b0
• opentelemetry-instrumentation-elasticsearch - 0.61b0
• opentelemetry-instrumentation-falcon - 0.61b0
• opentelemetry-instrumentation-fastapi - 0.61b0
• opentelemetry-instrumentation-flask - 0.61b0
• opentelemetry-instrumentation-grpc - 0.61b0
• opentelemetry-instrumentation-httpx - 0.61b0
• opentelemetry-instrumentation-jinja2 - 0.61b0
• opentelemetry-instrumentation-kafka-python - 0.61b0
• opentelemetry-instrumentation-logging - 0.61b0
• opentelemetry-instrumentation-mysql - 0.61b0
• opentelemetry-instrumentation-mysqlclient - 0.61b0
• opentelemetry-instrumentation-pika - 0.61b0
• opentelemetry-instrumentation-psycopg2 - 0.61b0
• opentelemetry-instrumentation-pymemcache - 0.61b0
• opentelemetry-instrumentation-pymongo - 0.61b0

... (truncated)

Changelog

Sourced from aws-opentelemetry-distro's changelog.

v0.17.1 - 2026-05-22

• feat(agent-observability): add AWS_GENAI_CONTENT_EXTRACTION_OPT_OUT env var to allow disabling LLO content extraction from spans (#741)
• fix(mcp-instrumentation): suppress MCP /ping spans when agent observability is enabled (#748)
• fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)

Commits

• 2b12d7e Reapply "Rerun lambda layer release (#717)" (#737) (#757)
• 7cae68b chore: remove Python 3.9 EKS E2E test (#756)
• 967cc6b Pre-release: Update version to 0.17.1 (#755)
• 4d0faad fix: pin urllib3 to 2.7.0 to fix CVE-2026-44431 and CVE-2026-44432 (#753)
• 7bf2836 feat: agentcore feature patches (#751)
• b8917a4 Revert "Rerun lambda layer release (#717)" (#737)
• See full diff in compare view

Updates cedarpy from 4.8.0 to 4.8.3

Release notes

Sourced from cedarpy's releases.

cedarpy v4.8.3

Patch release fixing a behavior regression introduced in 4.8.2. Cedar Policy engine version is unchanged at v4.8.2.

If you upgraded to 4.8.2 and noticed that AuthzResult.diagnostics.reasons started reporting your @id("...") annotation value instead of the parser-generated policyN id — and you depended on the parser id (policyN) for downstream lookups — 4.8.3 restores reasons to the original behavior while keeping the labeling ergonomics in a parallel map.

Changed

• Behavior change (partial revert of 4.8.2). AuthzResult.diagnostics.reasons and ValidationError.policy_id once again surface the parser-generated PolicyId (e.g., policy0), restoring the 4.8.1 contract that was relied on for multi-tenant disambiguation. The @id("...") annotation value is now exposed in a parallel map keyed by the parser id: Diagnostics.id_annotations_by_reason and ValidationResult.id_annotations_by_policy_id. Entries are present whenever the policy declares an @id annotation, with the literal annotation value as the map value. So @id("foo") contributes "foo", and @id("") / bare @id (which the Cedar docs define as equivalent to @id("")) contributes "". Policies with no @id annotation are omitted from the map. This keeps the 4.8.2 ergonomics gain (recover the @id label without rebuilding the policy set) while preventing identity collapse/collision when two policies share the same @id (#77, #78)

Lookup pattern

result = is_authorized(request, policies, entities)
for pid in result.diagnostics.reasons:                       # ["policy0", "policy1", ...]
    label = result.diagnostics.id_annotations_by_reason.get(pid)
    if label:
        print(f"  matched: {pid} ({label})")
    else:
        print(f"  matched: {pid}")

The same pattern applies to ValidationResult.errors[*].policy_id and ValidationResult.id_annotations_by_policy_id.

Thanks

Thanks to @​aashitk for the high-quality bug report in #77, and to @​Iamrodos for joining the design discussion.

---

Full Changelog: k9securityio/cedar-py@v4.8.2...v4.8.3

cedarpy v4.8.2

v4.8.2 ships three improvements:

• Correctness: invalid schemas now surface as Decision.NoDecision (or validation_passed=False) with a diagnostic, instead of being silently discarded while is_authorized returned a real Allow/Deny based on no schema (#65 - thanks @​rupivbluegreen!).
• Ergonomics: @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, making diagnostics easier to read in logs and tooling (#74, #75 - thanks @​rupivbluegreen for the original feature proposal and work in #66 that started us down this path!).
• Release process robustness:
  • make release now actually builds and tests the release-mode wheel that would ship — the target previously produced an unoptimized dev-profile wheel and ran tests against whatever was installed in the venv, neither of which exercised the artifact. PyPI artifacts were unaffected; this only fixed locally-built wheels.
  • Benchmarks now run in release mode against a synthesized median-of-5 v4.8.0 baseline (make benchmark-compare), and a committed cross-state history (make benchmark-history → tests/benchmark/results/HISTORY.md) records performance across cedar-py development states. Together these make performance regressions easier to detect than the previous debug-mode single-run captures (#69, #71, #72).

Cedar Policy engine version is unchanged (still v4.8.2).

Added

• Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75 — thanks @​rupivbluegreen for the original feature proposal and prototype in #66).

Changed

• Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65 — thanks @​rupivbluegreen).

... (truncated)

Changelog

Sourced from cedarpy's changelog.

[4.8.3] - 2026-05-13

Changed

• Behavior change (partial revert of 4.8.2). AuthzResult.diagnostics.reasons and ValidationError.policy_id once again surface the parser-generated PolicyId (e.g., policy0), restoring the 4.8.1 contract that was relied on for multi-tenant disambiguation. The @id("...") annotation value is now exposed in a parallel map keyed by the parser id: Diagnostics.id_annotations_by_reason and ValidationResult.id_annotations_by_policy_id. Entries are present whenever the policy declares an @id annotation, with the literal annotation value as the map value — so @id("foo") contributes "foo", and @id("") / bare @id (which the Cedar docs define as equivalent to @id("")) contributes "". Policies with no @id annotation are omitted from the map. This keeps the 4.8.2 ergonomics gain (recover the @id label without rebuilding the policy set) while preventing identity collapse when two policies share the same @id (#77)

[4.8.2] - 2026-05-12

Added

• Behavior change. @id("...") annotations on a policy now surface as the human-readable id in AuthzResult.diagnostics.reasons and ValidationError.policy_id, instead of the auto-generated policy0/policy1/... id. Annotations are inert in Cedar evaluation per the Cedar docs; this is a labeling step on the response surface, not a rename of the underlying PolicyId. An @id with an empty value — either @id("") or value-less @id (which per the Cedar docs is equivalent to @id("")) — falls back to the parser-generated id, since an empty display id is unhelpful for logs and lookups (#29, #74, #75)

Changed

• Behavior change. is_authorized / is_authorized_batch now return Decision.NoDecision with a diagnostic when given an invalid schema, instead of silently discarding the schema and returning a real Allow / Deny. The same path applies in validate_policies (#65)

Fixed

• make release now builds and tests a release-mode wheel. The target previously ran maturin build (which defaults to the dev/debug profile) and then ran pytest against whatever cedarpy was currently installed in the venv — neither half tested the wheel that would ship. PyPI artifacts were unaffected (CI already passed --release); this fixes locally-built wheels.

[4.8.1] - 2026-04-22

Dependency update release. No functional or API changes — Cedar Policy engine version is unchanged (still v4.8.2).

Security

• Bump pytest 7.4.0 → 9.0.3 — CVE-2025-71176 (#41)
• Bump wheel 0.40.0 → 0.47.0 — CVE-2026-24049 (#41)
• Bump time 0.3.37 → 0.3.47 — CVE-2026-25727 (#42)
• Bump keccak 0.1.5 → 0.1.6 — GHSA-3288-p39f-rqpv (#42)

Changed

• Removed the stale rustix = "~0.37.25" pin; rustix is now governed by the transitive dep graph (#43)

Build & supply chain

• Switched PyPI publishing from a long-lived API token to PyPI Trusted Publishing (OIDC), with a protected pypi-release deployment environment requiring maintainer approval. All wheels and the sdist for this release ship with SLSA build-provenance attestations (#59)
• Added a Dependabot cooldown policy (7 days for minor/patch bumps, 14 for majors) to reduce exposure to newly-published compromised releases (#44, #45)
• Disabled Dependabot version-update PRs; security-update PRs remain active (#60)

Commits

• b76a0cc Merge pull request #79 from k9securityio/release/4.8.3
• 7d6f31c release: bump version to 4.8.3
• ff5a38d Merge pull request #78 from k9securityio/fix/issue-77-policy-ids-to-annotations
• e1ed9a4 refactor: name id_annotations map by its key + add lookup-pattern demo
• ad603bd refactor: report literal @​id annotation value in id_annotations map
• 8a36d10 fix: surface parser policy ids in diagnostics + add id_annotations map
• 3713638 chore(benchmark): declare v4.8.2 release state in history
• 2353045 Merge pull request #76 from k9securityio/release/4.8.2
• 0bbed30 release: bump version to 4.8.2
• bb48fc5 chore(benchmark): record PR #75 Path B state data
• Additional commits viewable in compare view

Updates ruff from 0.15.12 to 0.15.14

Release notes

Sourced from ruff's releases.

0.15.14

Release Notes

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.14

Released on 2026-05-21.

Preview features

• [airflow] Implement airflow-task-implicit-multiple-outputs (AIR202) (#25152)
• [flake8-use-pathlib] Mark PTH101 fix as unsafe when first argument is a class attribute annotated as int (#25086)
• [pylint] Implement too-many-try-statements (W0717) (#23970)
• [ruff] Add incorrect-decorator-order (RUF074) (#23461)
• [ruff] Add fallible-context-manager (RUF075) (#22844)

Bug fixes

• Fix lambda formatting in interpolated string expressions (#25144)
• Treat generic frozenset annotations as immutable (#25251)
• [flake8-type-checking] Avoid strict behavior when future-annotations are enabled (TC001, TC002, TC003) (#25035)
• [pylint] Avoid false positives in else clause (PLR1733) (#25177)

Rule changes

• [flake8-comprehensions] Skip C417 for lambdas with positional-only parameters (#25272)
• [flake8-simplify] Preserve f-string source verbatim in SIM101 fix (#25061)

Performance

• Avoid unnecessary parser lookahead for operators (#25290)

Documentation

• Update code example setting Neovim LSP log level (#25284)

Other changes

• Add full PEP 798 support (#25104)
• Add a parser recursion limit (#24810)
• Update various ruff_python_stdlib APIs (#25273)

Contributors

• @​ocaballeror
• @​lerebear
• @​samuelcolvin
• @​baltasarblanco
• @​aconal-com
• @​anishgirianish
• @​JelleZijlstra
• @​AlexWaygood
• @​ntBre
• @​adityasingh2400

... (truncated)

Commits

• 9ad2da3 Bump 0.15.14 (#25295)
• c714e84 [ty] Modernize setup of union types in mdtests (#25291)
• 8a8e35e [flake8-comprehensions] Skip C417 for lambdas with positional-only parame...
• aea5ed4 Avoid unnecessary parser lookahead for operators (#25290)
• e9d72bb [ty] Allow enum member accesses on self (#25077)
• 6cbd59b Set exclude-newer = "7 days" in our PEP-723 scripts (#25285)
• 9999a39 Update code example on how to update Neovim LSP log level (#25284)
• 67d8c54 [ty] Retain recursively-defined state in binary expressions (#25277)
• 25a3191 [ty] Refine Callable class-decorator fallback for unknown results (#25250)
• c423054 Add a recursion limit to the parser (#24810)
• Additional commits viewable in compare view

Updates ty from 0.0.35 to 0.0.39

Release notes

Sourced from ty's releases.

0.0.39

Release Notes

Released on 2026-05-22.

This release removes the Python 3.9 branches from our vendored standard library stubs. ty now only has "full" support for Python 3.10 and later, but will still report version-specific syntax errors and other diagnostics when --python-version 3.9 is provided via the CLI.

Bug fixes

• Avoid panicking on __new__ assignments to classes (#25282)
• Preserve declaration order when synthesizing class fields (#25249)
• Respect dict-compatible fallbacks in TypedDict unions (#25242)
• Retain recursively-defined state in binary expressions (#25277)

LSP server

• Add Quick Fix to remove redundant cast (#25211)
• Classify property declaration semantic tokens (#25322)
• Escape HTML syntax in docstring rendering (#25247)
• Prefer symbols from standard library over those of the same name from third party libraries for import completions. (#25108)
• Support type aliases in document symbols (#25302)

Diagnostics

• Add error context for extra callable parameters (#25269)

Performance

• Avoid exponential blow-up in fall-through narrowing (#25278)
• Speed up include filtering for projects with many literal include patterns (#25266)

Core type checking

• Allow enum member accesses on self (#25077)
• Emit a diagnostic for subclassing with order=True (#21704)
• Full-scope bidirectional inference for unconstrained container literals (#25279)
• Infer dict(TypedDict) as dict[str, object] (#24852)
• Refine Callable class-decorator fallback for unknown results (#25250)
• Reject incompatible explicit variance in generic base classes (#25327)
• Support multi-inference through type aliases (#25245)
• Sync vendored typeshed stubs (#25271, #25172)

Contributors

• @​ibraheemdev