chore(deps-dev): bump the python-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the python-dependencies group with 7 updates in the / directory:

Package	From	To
boto3	1.42.59	1.42.64
pypdf	6.7.5	6.8.0
langchain-core	1.2.17	1.2.18
langchain-openai	1.1.10	1.1.11
cachetools	7.0.2	7.0.5
moto[proxy]	5.1.21	5.1.22
black	26.1.0	26.3.0

Updates boto3 from 1.42.59 to 1.42.64

Commits

• 12c6ff2 Merge branch 'release-1.42.64'
• e006a9a Bumping version to 1.42.64
• e4935ee Add changelog entries from botocore
• 3cb7506 Fix typo in CONTRIBUTING.rst: codstyle to codestyle (#4731)
• 5e8adc5 Merge branch 'release-1.42.63'
• 1c19e8c Merge branch 'release-1.42.63' into develop
• ab9feea Bumping version to 1.42.63
• ea37886 Add changelog entries from botocore
• 1e80b23 Merge branch 'release-1.42.62'
• e36ca90 Merge branch 'release-1.42.62' into develop
• Additional commits viewable in compare view

Updates pypdf from 6.7.5 to 6.8.0

Release notes

Sourced from pypdf's releases.

Version 6.8.0, 2026-03-09

What's new

Security (SEC)

• Limit allowed /Length value of stream (#3675) by @​stefan6419846

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631) by @​costajohnt

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669) by @​stefan6419846
• Document how to disable jbig2dec calls by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.8.0, 2026-03-09

Security (SEC)

• Limit allowed /Length value of stream (#3675)

New Features (ENH)

• Add /IRT (in-reply-to) support for markup annotations (#3631)

Documentation (DOC)

• Avoid using PageObject.replace_contents on PdfReader (#3669)
• Document how to disable jbig2dec calls

Full Changelog

Commits

• a869ece REL: 6.8.0
• 3c550b3 SEC: Limit allowed /Length value of stream (#3675)
• 5dae0e2 MAINT: Document and test XMP security (#3674)
• b9f66ab DEV: Change to loadfile strategy for PyPy in CI (#3671)
• 071118b MAINT: Remove excessive logging in extract_links while not clear (#3670)
• 43add64 DEV: Timeout PyPy tests after one minute
• 4228dd2 DOC: Avoid using PageObject.replace_contents on PdfReader (#3669)
• 0e9792d ENH: Add /IRT (in-reply-to) support for markup annotations (#3631)
• ede6db9 DOC: Document how to disable jbig2dec calls
• 6d0fa2f MAINT: Move and rename _xobj_image_helpers.py (#3661)
• See full diff in compare view

Updates langchain-core from 1.2.17 to 1.2.18

Release notes

Sourced from langchain-core's releases.

langchain-core==1.2.18

Changes since langchain-core==1.2.17

release(core): 1.2.18 (#35704) fix(core): fix double backticks in deprecation docstring for alternative_import (#35658) fix(core): preserve default_factory when generating tool call schema (#35550) feat(openai): support tool search (#35582) chore: bump the minor-and-patch group across 3 directories with 7 updates (#35605)

Commits

• 6b25caf release(core): 1.2.18 (#35704)
• 6371450 release(openai): 1.1.11 (#35703)
• ee64597 ci: auto-reopen external PRs after issue link requirement is satisfied (#35699)
• 1a39508 ci: update PR template (#35698)
• 5b1b37e ci: auto-close external PRs failing issue-link check (#35697)
• de5d68c ci: require PR author is assigned to linked issue (#35692)
• 225bb5b ci(infra): require issue link for external PRs (#35690)
• 360e016 ci: add contributor tier labels, PR size labels, and backfill job (#35687)
• 527fc02 chore(model-profiles): refresh model profile data (#35681)
• 3af0bc0 fix(openai): update responses API model detection for pro and codex models (#...
• Additional commits viewable in compare view

Updates langchain-openai from 1.1.10 to 1.1.11

Release notes

Sourced from langchain-openai's releases.

langchain-openai==1.1.11

Changes since langchain-openai==1.1.10

fix(openai): bump min core version (#35705) release(openai): 1.1.11 (#35703) fix(openai): update responses API model detection for pro and codex models (#35594) feat(openai): support tool search (#35582) chore: bump langgraph from 1.0.8 to 1.0.10rc1 in /libs/partners/openai (#35612) chore(model-profiles): refresh model profile data (#35593) fix(openai): avoid PydanticSerializationUnexpectedValue for structured output (#35543) feat(openrouter): add streaming token usage support (#35559) fix: compaction typo (#35467) fix(openai): add test for CSV and accommodate breaking changes in file url inputs (#35454) chore: bump langgraph-checkpoint from 3.0.0 to 4.0.0 in /libs/partners/openai (#35448) fix(model-profiles): sort generated profiles by model ID for stable diffs (#35344) fix(openai): accept valid responses that are falsy at runtime (#35307)

Commits

• fcca6e2 fix(openai): bump min core version (#35705)
• 6b25caf release(core): 1.2.18 (#35704)
• 6371450 release(openai): 1.1.11 (#35703)
• ee64597 ci: auto-reopen external PRs after issue link requirement is satisfied (#35699)
• 1a39508 ci: update PR template (#35698)
• 5b1b37e ci: auto-close external PRs failing issue-link check (#35697)
• de5d68c ci: require PR author is assigned to linked issue (#35692)
• 225bb5b ci(infra): require issue link for external PRs (#35690)
• 360e016 ci: add contributor tier labels, PR size labels, and backfill job (#35687)
• 527fc02 chore(model-profiles): refresh model profile data (#35681)
• Additional commits viewable in compare view

Updates cachetools from 7.0.2 to 7.0.5

Changelog

Sourced from cachetools's changelog.

v7.0.5 (2026-03-09)

• Minor @cachedmethod performance improvements.

v7.0.4 (2026-03-08)

• Fix and properly document @cachedmethod.cache_key behavior.

• Minor documentation improvements.

v7.0.3 (2026-03-05)

• Fix DeprecationWarning when creating an autospec mock with @cachedmethod decorations.

Commits

• 5dce86f Release v7.0.5.
• af5e688 Minor @​cachedmethod performance improvements.
• 0ca75e6 Relase v7.0.4.
• 5b1fa39 Prepare v7.0.4.
• 18e5930 Fix #218: Fix and properly document @​cachedmethod.cache_key handling.
• 98ec79f Drop "class method" from @​cachedmethod docstring.
• 93822a3 Release v7.0.3.
• 57d2e48 Fix #387: Handle obj=None case for inspection in _DescriptorBase.
• See full diff in compare view

Updates moto[proxy] from 5.1.21 to 5.1.22

Changelog

Sourced from moto[proxy]'s changelog.

5.1.22

Docker Digest for 5.1.22: sha256:1e3802c95726373544967b428201c548f0247c15b00db2d96a5ba0a77d8643b8

New Methods:
    * APIGateway:
        * delete_model()
* Athena:
    * tag_resource()
    * untag_resource()


Pipes:

list_tags_for_resource()



OSIS:

delete_resource_policy()
get_resource_policy()
put_resource_policy()



RDS:

copy_db_cluster_parameter_group()



STS:

get_access_key_info()



Transfer:

list_servers()





Miscellaneous:
* CloudFormation now supports the creation/update/deletion of AWS::CloudWatch::Dashboard resources
* CloudFormation now supports the creation/update/deletion of AWS::KMS::Alias resources
* CloudFormation now supports the creation/update/deletion of AWS::SSM::Document resources
* EC2: create_fleet() now supports the parameters DryRun and LaunchTemplateConfigs.Overrides
* EC2: describe_network_interfaces() now supports the 'attachment.attachment-id'-filter
* EC2: Instances created from a LaunchTemplate now have the 'aws:ec2launchtemplate:id' and 'aws:ec2launchtemplate:version' tags
* RDS: create_db_cluster_parameter_group() now validates the provided group name/description/familiy
* RDS: delete_db_cluster_parameter_group() now validates that the provided group exists
* S3: delete_object() now supports IfMatch
* SecretsManager: create-secret() now throw ResourceExistsException for duplicate requests with different token (broken since 5.1.11)
* SQS: send_message() now returns the SequenceNumber-attribute
* VPCLattice: list_access_log_subscriptions() now also supports arns as resourceIdentifiers

Commits

• 28d5ca8 Pre-Release: Up Version Number
• f58dc18 Prep release 5.1.22 (#9824)
• 84cbb40 chore: update SSM default parameters (#9828)
• 2f32dc1 chore: update EC2 Instance Types (#9827)
• 2a1c7ca chore: update EC2 Instance Offerings (#9826)
• e063c5a chore: update EMR Instance Types (#9825)
• 681b47a API Gateway: implement DeleteModel operation (#9823)
• d652e4a STS: implement GetAccessKeyInfo operation (#9822)
• 40a6520 Implement Athena TagResource and UntagResource (#9796)
• dc425e8 Modernize Java tests (#9817)
• Additional commits viewable in compare view

Updates black from 26.1.0 to 26.3.0

Release notes

Sourced from black's releases.

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

• Emit a clear warning when the target Python version is newer than the running Python version, since AST safety checks cannot parse newer syntax. Also replace the misleading "INTERNAL ERROR" message with an actionable error explaining the version mismatch (#4983)

Blackd

• Introduce winloop to be used when windows in use which enables blackd to run faster on windows when winloop is installed. (#4996)

Integrations

• Remove unused gallery script (#5030)
• Harden parsing of black requirements in the GitHub Action when use_pyproject is enabled so that only version specifiers are accepted and direct references such as black @ https://... are rejected. Users should upgrade to the latest version of the action as soon as possible. This update is received automatically when using psf/black@stable, and is independent of the version of Black installed by the

... (truncated)

Changelog

Sourced from black's changelog.

26.3.0

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
• Fix crash on standalone comment in lambda default arguments (#4993)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
• Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
• Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop evenloop or default eventloop (#4996)

Output

• Emit a clear warning when the target Python version is newer than the running Python version, since AST safety checks cannot parse newer syntax. Also replace the misleading "INTERNAL ERROR" message with an actionable error explaining the version mismatch (#4983)

Blackd

• Introduce winloop to be used when windows in use which enables blackd to run faster on windows when winloop is installed. (#4996)

Integrations

• Remove unused gallery script (#5030)
• Harden parsing of black requirements in the GitHub Action when use_pyproject is enabled so that only version specifiers are accepted and direct references such as black @ https://... are rejected. Users should upgrade to the latest version of the action as soon as possible. This update is received automatically when using

... (truncated)

Commits

• 35ea679 Prepare release 26.3.0 (#5032)
• 4d81750 Remove gallery/ (#5030)
• 0a2560b Harden Black action version parsing (#5031)
• deab5d6 Revert "Bump hatch from 1.15.1 to 1.16.4" (#5028)
• 2beece7 Bump hatch from 1.15.1 to 1.16.4 (#5020)
• d764c0b Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#5024)
• f5be8e0 Bump actions/download-artifact from 7.0.0 to 8.0.0 (#5019)
• 8b9d3e3 add winloop support and remove deprecated functionality from uvloop (#4996)
• 457320a [pre-commit.ci] pre-commit autoupdate (#5018)
• 4da809e Do not encourage the use of an obsolete GitHub Actions (#5016)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.