chore(deps): bump the python-dependencies group across 1 directory with 5 updates

[dependabot]

Updates the requirements on nox, ruff, fastapi, uvicorn[standard] and plotly to permit the latest version.
Updates nox to 2026.2.9

Changelog

Sourced from nox's changelog.

Changelog

2026.02.09

This small release supports uv 0.10's new requirement that --clear be passed to clear an environment. Python 3.8 support was temporarily re-added since uv 0.10 still supports 3.8, so nox on 3.8 was affected.

We'd like to thank the following folks who contributed to this release:

• @​henryiii
• @​kai687 (first contribution)
• @​wu-zhao-min (first contribution)

Bugfixes:

• Support uv 0.10.0 by @​henryiii in wntrblm/nox#1055
• Show tags by @​henryiii in wntrblm/nox#1058
• Better support for multiple session decorators by @​henryiii in wntrblm/nox#1048
• Normalize extra tox-to-nox by @​henryiii in wntrblm/nox#1059
• Better typing for .run by @​henryiii in wntrblm/nox#1037

Internal changes:

• Fix conda CI job by @​henryiii in wntrblm/nox#1035
• Drop Python 3.8 by @​henryiii in wntrblm/nox#1004 and revert in wntrblm/nox#1060
• Fix action test by @​henryiii in wntrblm/nox#1036
• Bump packaging dep to remove pyparsing by @​henryiii in wntrblm/nox#1047
• Avoid newest docutils until sphinx-tabs updates by @​henryiii in wntrblm/nox#1052
• Optimize the naming of constants to enhance readability by @​wu-zhao-min in wntrblm/nox#1041

Documentation:

• Duplicated session name in cookbook by @​kai687 in wntrblm/nox#1050

2025.11.12

This is a small release to fix a warning when running in script mode before we drop Python 3.8.

We'd like to thank the following folks who contributed to this release:

• @​henryiii

Bugfixes:

• Avoid warnings when running in script mode by @​henryiii in wntrblm/nox#1025

... (truncated)

Commits

• 5a277b7 docs: prepare for release (#1061)
• 90a8aef Revert "feat: drop Python 3.8 (#1004)" (#1060)
• 264f457 chore: normalize extra (#1059)
• 516d9bc fix: show tags (#1058)
• 7207b3f fix: support uv 0.10.0 (#1055)
• 11eee27 fix: better support for multiple session decorators (#1048)
• c72769b docs: duplicated session name in cookbook (#1050)
• a0660b1 docs: avoid newest docutils until sphinx-tabs updates (#1052)
• f8edf5f fix(types): Better typing for .run (#1037)
• 5dbd95e chore: optimize the naming of constants to enhance readability (#1041)
• Additional commits viewable in compare view

Updates ruff to 0.15.2

Release notes

Sourced from ruff's releases.

0.15.2

Release Notes

Released on 2026-02-19.

Preview features

• Expand the default rule set (#23385)

  In preview, Ruff now enables a significantly expanded default rule set of 412 rules, up from the stable default set of 59 rules. The new rules are mostly a superset of the stable defaults, with the exception of these rules, which are removed from the preview defaults:

  • multiple-imports-on-one-line (E401)
  • module-import-not-at-top-of-file (E402)
  • module-import-not-at-top-of-file (E701)
  • multiple-statements-on-one-line-semicolon (E702)
  • useless-semicolon (E703)
  • none-comparison (E711)
  • true-false-comparison (E712)
  • not-in-test (E713)
  • not-is-test (E714)
  • type-comparison (E721)
  • lambda-assignment (E731)
  • ambiguous-variable-name (E741)
  • ambiguous-class-name (E742)
  • ambiguous-function-name (E743)
  • undefined-local-with-import-star (F403)
  • undefined-local-with-import-star-usage (F405)
  • undefined-local-with-nested-import-star-usage (F406)
  • forward-annotation-syntax-error (F722)

  If you use preview and prefer the old defaults, you can restore them with configuration like:

  # ruff.toml
  [lint]
  select = ["E4", "E7", "E9", "F"]
  pyproject.toml
  [tool.ruff.lint]
  select = ["E4", "E7", "E9", "F"]

  If you do give them a try, feel free to share your feedback in the GitHub discussion!

• [flake8-pyi] Also check string annotations (PYI041) (#19023)

Bug fixes

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.2

Released on 2026-02-19.

Preview features

• Expand the default rule set (#23385)

  In preview, Ruff now enables a significantly expanded default rule set of 412 rules, up from the stable default set of 59 rules. The new rules are mostly a superset of the stable defaults, with the exception of these rules, which are removed from the preview defaults:

  • multiple-imports-on-one-line (E401)
  • module-import-not-at-top-of-file (E402)
  • module-import-not-at-top-of-file (E701)
  • multiple-statements-on-one-line-semicolon (E702)
  • useless-semicolon (E703)
  • none-comparison (E711)
  • true-false-comparison (E712)
  • not-in-test (E713)
  • not-is-test (E714)
  • type-comparison (E721)
  • lambda-assignment (E731)
  • ambiguous-variable-name (E741)
  • ambiguous-class-name (E742)
  • ambiguous-function-name (E743)
  • undefined-local-with-import-star (F403)
  • undefined-local-with-import-star-usage (F405)
  • undefined-local-with-nested-import-star-usage (F406)
  • forward-annotation-syntax-error (F722)

  If you use preview and prefer the old defaults, you can restore them with configuration like:

  # ruff.toml
  [lint]
  select = ["E4", "E7", "E9", "F"]
  pyproject.toml
  [tool.ruff.lint]
  select = ["E4", "E7", "E9", "F"]

  If you do give them a try, feel free to share your feedback in the GitHub discussion!

... (truncated)

Commits

• 9d18ee9 Hard code workflow name and cancel-in-progress only for PRs (#23431)
• 7cc15f0 Bump 0.15.2 (#23430)
• d1b5443 Add extension mapping to configuration file options (#23384)
• 222574a Expand the default rule set (#23385)
• 1465b5d [flake8-async] Fix in_async_context logic (#23426)
• 410902f [pyupgrade] Fix handling of typing.{io,re} (UP035) (#23131)
• 729610a [ty] Fall back to ambiguous for large control flow graphs (#23399)
• 1425c18 [ty] Add code folding support
• 97acaae [ty] Fix stack overflow for self-referential TypeOf in annotations (#23407)
• 1f380c8 [ty] Update tests reveal_type and Never (#23418)
• Additional commits viewable in compare view

Updates fastapi from 0.128.0 to 0.132.0

Release notes

Sourced from fastapi's releases.

0.132.0

Breaking Changes

• 🔒️ Add strict_content_type checking for JSON requests. PR #14978 by @​tiangolo.
  • Now FastAPI checks, by default, that JSON requests have a Content-Type header with a valid JSON value, like application/json, and rejects requests that don't.
  • If the clients for your app don't send a valid Content-Type header you can disable this with strict_content_type=False.
  • Check the new docs: Strict Content-Type Checking.

Internal

• ⬆ Bump flask from 3.1.2 to 3.1.3. PR #14949 by @​dependabot[bot].
• ⬆ Update all dependencies to use griffelib instead of griffe. PR #14973 by @​svlandeg.
• 🔨 Fix FastAPI People workflow. PR #14951 by @​YuriiMotov.
• 👷 Do not run codspeed with coverage as it's not tracked. PR #14966 by @​tiangolo.
• 👷 Do not include benchmark tests in coverage to speed up coverage processing. PR #14965 by @​tiangolo.

0.131.0

Breaking Changes

• 🗑️ Deprecate ORJSONResponse and UJSONResponse. PR #14964 by @​tiangolo.

0.130.0

Features

• ✨ Serialize JSON response with Pydantic (in Rust), when there's a Pydantic return type or response model. PR #14962 by @​tiangolo.
  • This results in 2x (or more) performance increase for JSON responses.
  • New docs: Custom Response - JSON Performance.

0.129.2

Internal

• ⬆️ Upgrade pytest. PR #14959 by @​tiangolo.
• 👷 Fix CI, do not attempt to publish fastapi-slim. PR #14958 by @​tiangolo.
• ➖ Drop support for fastapi-slim, no more versions will be released, use only "fastapi[standard]" or fastapi. PR #14957 by @​tiangolo.
• 🔧 Update pyproject.toml, remove unneeded lines. PR #14956 by @​tiangolo.

0.129.1

Fixes

• ♻️ Fix JSON Schema for bytes, use "contentMediaType": "application/octet-stream" instead of "format": "binary". PR #14953 by @​tiangolo.

Docs

• 🔨 Add Kapa.ai widget (AI chatbot). PR #14938 by @​tiangolo.
• 🔥 Remove Python 3.9 specific files, no longer needed after updating translations. PR #14931 by @​tiangolo.
• 📝 Update docs for JWT to prevent timing attacks. PR #14908 by @​tiangolo.

Translations

• ✏️ Fix several typos in ru translations. PR #14934 by @​argoarsiks.

... (truncated)

Commits

• acdf52e 📝 Update release notes
• 5c863d0 🔖 Release version 0.132.0
• ac8621a 📝 Update release notes
• 22354a2 🔒️ Add strict_content_type checking for JSON requests (#14978)
• 94a1ee7 📝 Update release notes
• 248d7fb ⬆ Bump flask from 3.1.2 to 3.1.3 (#14949)
• da19374 📝 Update release notes
• 5161f7b ⬆ Update all dependencies to use griffelib instead of griffe (#14973)
• fef2ce7 📝 Update release notes
• a3c8c37 🔨 Fix FastAPI People workflow (#14951)
• Additional commits viewable in compare view

Updates uvicorn[standard] from 0.40.0 to 0.41.0

Release notes

Sourced from uvicorn[standard]'s releases.

Version 0.41.0

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#2707)
• Add socket path to scope["server"] (#2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#2812)
• Reduce the log level of 'request limit exceeded' messages (#2788)

---

New Contributors

• @​t-kawasumi made their first contribution in Kludex/uvicorn#2776
• @​fardyn made their first contribution in Kludex/uvicorn#2800
• @​ewie made their first contribution in Kludex/uvicorn#2807
• @​shevron made their first contribution in Kludex/uvicorn#2788
• @​jonashaag made their first contribution in Kludex/uvicorn#2707

---

Full Changelog: Kludex/uvicorn@0.40.0...0.41.0

Changelog

Sourced from uvicorn[standard]'s changelog.

0.41.0 (February 16, 2026)

Added

• Add --limit-max-requests-jitter to stagger worker restarts (#2707)
• Add socket path to scope["server"] (#2561)

Changed

• Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

• Ignore permission denied errors in watchfiles reloader (#2817)
• Ensure lifespan shutdown runs when should_exit is set during startup (#2812)
• Reduce the log level of 'request limit exceeded' messages (#2788)

Commits

• 9283c0f Version 0.41.0 (#2821)
• a01a33e Add --limit-max-requests-jitter to stagger worker restarts (#2707)
• 2ce65bd Ignore permission denied errors in watchfiles reloader (#2817)
• 654f2ed Ensure lifespan shutdown runs when should_exit is set during startup (#2812)
• a03d9f6 Reduce the log level of 'request limit exceeded' messages (#2788)
• e377de4 Add socket path to scope["server"] (#2561)
• 0779f7f Poll for readiness in test_multiprocess_health_check and run_server (#2816)
• 7e9ce2c Poll for PID changes in test_multiprocess_sighup instead of fixed sleep (#2...
• 99f0d87 Fix grep warning in scripts/sync-version (#2807)
• 7ae2e63 chore(deps): bump the python-packages group with 18 updates (#2801)
• Additional commits viewable in compare view

Updates plotly to 6.5.2

Release notes

Sourced from plotly's releases.

v6.5.2

Fixed

• Fix issue where pie trace legend, showlegend attributes don't accept array values [#5464 and #5465], with thanks to @​my-tien for the contribution!

Changelog

Sourced from plotly's changelog.

[6.5.2] - 2026-01-14

Fixed

• Fix issue where pie trace legend, showlegend attributes don't accept array values [#5464 and #5465], with thanks to @​my-tien for the contribution!

[6.5.1] - 2026-01-07

Fixed

• Fix issue where Plotly Express ignored trace-specific color sequences defined in templates via template.data.<trace_type> [#5437], with thanks to @​antonymilne for the contribution!

Updated

• Speed up validate_gantt function [#5386], with thanks to @​misrasaurabh1 for the contribution!
• Update plotly.js from version 3.3.0 to version 3.3.1. See the plotly.js release notes for more information. [#5456]. Notable changes include:
  • Add support for arrays for the pie properties showlegend and legend, so that these can be configured per slice. [#7580]

[6.5.0] - 2025-11-17

Updated

• Update plotly.js from version 3.2.0 to version 3.3.0. See the plotly.js release notes for more information. [#5421]. Notable changes include:
  • Add hovertemplate for candlestick and ohlc traces [#7619]

Fixed

• Fix bug where numpy datetime contained in Python list was converted to integer [#5415]

[6.4.0] - 2025-11-02

Updated

• Update plotly.js from version 3.1.1 to version 3.2.0. See the plotly.js release notes for more information. [#5357]. Notable changes include:
  • Add hovertemplatefallback and texttemplatefallback attributes [#7577]
  • Add "SI extended" formatting rule for tick exponents on axis labels, allowing values to be displayed with extended SI prefixes (e.g., femto, pico, atto) [#7249]

Deprecated

• Deprecate create_hexbin_mapbox in favor of create_hexbin_map, update related function calls [5358], with thanks to @​ajlien for the contribution!

[6.3.1] - 2025-10-02

Updated

• Update Plotly.js from version 3.1.0 to version 3.1.1. See the Plotly.js release notes for more information. [#5357]. Notable changes include:
  • Fix issue preventing Scattergl plots with text elements from rendering [plotly.js#7563]
• Use native legends when converting from matplotlib [#5312], with thanks to @​robertoffmoura to the contribution!
• Allow shared_yaxes to work with secondary axes [#5180], with thanks to @​gmjw for the contribution!

Fixed

• Fix issue where width/height in plot layout were not respected during Kaleido image export [#5325]
• Fix typo in default argument to _ternary_contour.py [#5315], with thanks to @​Lexachoc for the contribution!
• Fix incorrect fig.show() behavior when ipython is installed [#5258]

[6.3.0] - 2025-08-12

Updated

... (truncated)

Commits

• 36d8bf8 Version changes for v6.5.2
• 1f45fa5 Merge pull request #5467 from plotly/cam/update-graph-objs
• 7f57ccb fix: Update graph_objs per recent bug fixes
• 3293f4d Merge pull request #5466 from plotly/merge-doc-prod-to-main
• 61c9f6f Merge branch 'main' into merge-doc-prod-to-main
• dad2520 Merge pull request #5465 from my-tien/legend-arrayok
• b587428 Merge branch 'main' into legend-arrayok
• 5a0440c Merge pull request #5464 from plotly/cam/5463/handle-arrays-booleanvalidator
• fff298c Simplify test
• cef18a9 Separate test for coercion of geo1 to geo and legend1 to legend
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions