chore(deps)(deps): bump the python-dependencies group with 5 updates

[dependabot]

Bumps the python-dependencies group with 5 updates:

Package	From	To
polars	1.40.1	1.41.1
fastapi	0.136.1	0.136.3
uvicorn	0.47.0	0.48.0
yfinance	1.3.0	1.4.0
marimo	0.23.6	0.23.8

Updates polars from 1.40.1 to 1.41.1

Release notes

Sourced from polars's releases.

Python Polars 1.41.1

🚀 Performance improvements

• Adaptive size dispatch to hashset or radix sort + capacity-aware reset in agg_n_unique (#27719)

✨ Enhancements

• Allow deeper expressions (#27768)

🐞 Bug fixes

• Raise length mismatch in multiple sort_by in group_by (#27772)
• Respect min_samples for rolling_by ops with nulls (#27706)
• Fix memory usage regression affecting TPCH Q22 (#27758)
• Add POLARS_ALLOW_NESTED_CSPE env var and make nested CSPE opt-in (#27765)
• Post-apply residual pyarrow predicates (#27764)
• Fix loss of precision for smaller floating types(#27662) (#27732)
• Filter at scan dropped in CSPE filter pushdown (#27763)
• Fix portstate assertion error on is_in (#27757)
• Fix incorrect when/then after forward fill / reverse in groupby (#27745)
• Accept empty Thrift list encoded as bare 0x00 byte in parquet metadata (#27754)
• Stabilize object store credentialprovider cache key (#27712)
• Add to merge_sorted docs that the input must be nulls first (#27743)

📖 Documentation

• Docs fixes (#27766)
• Sync from Polars Cloud (#27751)
• Add to merge_sorted docs that the input must be nulls first (#27743)

🛠️ Other improvements

• Attribute annotations for CatalogCredentialProvider (#27739)
• Solve type: ignore in _AioDataFrameResult (#27311)
• Remove dead code in _write_utils.py (#27721)
• Remove unnecessary not isinstance(v, DataType) check (#27723)

Thank you to all our contributors for making this release possible! @​EndPositive, @​JakubValtar, @​MarcoGorelli, @​NicoOhR, @​azimafroozeh, @​carnarez, @​dsprenkels, @​jorenham, @​kdn36, @​nameexhaustion, @​orlp and @​ritchie46

Python Polars 1.41.0

🏆 Highlights

• Add LazyFrame.gather (#27501)
• Nested common subplan elimination (#27340)
• Stabilize streaming engine (#27497)
• Speed up parquet metadata decode with hand-written Thrift (#27427)

⚠️ Deprecations

... (truncated)

Commits

• 8b0b902 Python Polars 1.41.1 (#27771)
• 04313c1 fix: Raise length mismatch in multiple sort_by in group_by (#27772)
• 878246b perf: Adaptive size dispatch to hashset or radix sort + capacity-aware reset ...
• 10e97bf fix: Respect min_samples for rolling_by ops with nulls (#27706)
• 17a6216 fix: Fix memory usage regression affecting TPCH Q22 (#27758)
• 3159dad feat: Allow deeper expressions (#27768)
• d87650d fix: Add POLARS_ALLOW_NESTED_CSPE env var and make nested CSPE opt-in (#27765)
• 1165f87 docs(python): Docs fixes (#27766)
• a865828 fix: Post-apply residual pyarrow predicates (#27764)
• 1903d6d fix(rust): Fix loss of precision for smaller cum_sum in floating types (#27732)
• Additional commits viewable in compare view

Updates fastapi from 0.136.1 to 0.136.3

Release notes

Sourced from fastapi's releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

0.136.2

Refactors

• ♻️ Validate Server Sent Event fields to avoid applications from sending broken data. PR #15588 by @​tiangolo.

Docs

• 📝 Document --entrypoint CLI option. PR #15464 by @​YuriiMotov.
• 📝 Update and simplify docs about help and management. PR #15583 by @​tiangolo.
• 📝 Add docs references to central contributing docs. PR #15580 by @​tiangolo.
• 📝 Update security policy. PR #15577 by @​tiangolo.
• 🍱 Update sponsors: TalorData image. PR #15562 by @​tiangolo.
• 📝 Update docs, simplify usage of admonitions, only default ones. PR #15553 by @​tiangolo.
• 📝 Fix image URLs in index.md. PR #15534 by @​YuriiMotov.
• ✏️ Fix Azkaban spelling typo in virtual-environments.md‎. PR #15463 by @​isaacbernat.
• 💄 Improve layout and styling. PR #15462 by @​alejsdev.
• 💄 Refactor opinions section with interactive tabs and new logos. PR #15458 by @​alejsdev.
• 📝 Add FastAPI Conf '26 announcement to docs. PR #15457 by @​alejsdev.

Translations

• 🌐 Improve translation consistency in ‎docs/pt/docs/advanced/generate-clients.md‎. PR #15456 by @​Will-thom.
• 🌐 Update translations for ja (update-outdated). PR #15530 by @​tiangolo.
• 🌐 Update translations for uk (update-outdated). PR #15529 by @​tiangolo.
• 🌐 Update translations for pt (update-outdated). PR #15528 by @​tiangolo.
• 🌐 Update translations for de (update-outdated). PR #15527 by @​tiangolo.
• 🌐 Update translations for tr (update-outdated). PR #15526 by @​tiangolo.
• 🌐 Update translations for ko (update-outdated). PR #15525 by @​tiangolo.
• 🌐 Update translations for zh-hant (update-outdated). PR #15524 by @​tiangolo.
• 🌐 Update translations for fr (update-outdated). PR #15522 by @​tiangolo.
• 🌐 Update translations for es (update-outdated). PR #15523 by @​tiangolo.
• 🌐 Update translations for zh (update-outdated). PR #15520 by @​tiangolo.
• 🌐 Update translations for ru (update-outdated). PR #15521 by @​tiangolo.
• 🌐 Fix typos in Spanish LLM-prompt. PR #15472 by @​crr004.

Internal

• ✅ Update tests, don't double dispose the engine. PR #15587 by @​tiangolo.
• ⚡️ Speed up test suite via caching and fixture scopes to make it ~24% faster. PR #13583 by @​dikos1337.
• 🔥 Remove config files now in central GitHub repo. PR #15585 by @​tiangolo.
• ⬆ Bump urllib3 from 2.6.3 to 2.7.0. PR #15502 by @​dependabot[bot].
• ⬆ Bump idna from 3.11 to 3.15. PR #15565 by @​dependabot[bot].
• ⬆ Bump cloudflare/wrangler-action from 3.15.0 to 4.0.0. PR #15571 by @​dependabot[bot].
• 🔧 Migrate docs from MkDocs to Zensical. PR #15563 by @​tiangolo.
• 🔒️ Only allow team members to modify dependencies. PR #15548 by @​svlandeg.

... (truncated)

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates uvicorn from 0.47.0 to 0.48.0

Release notes

Sourced from uvicorn's releases.

Version 0.48.0

What's Changed

• Default ssl_ciphers to None and use OpenSSL defaults by @​Kludex in Kludex/uvicorn#2940
• Ignore duplicate forwarding headers in ProxyHeadersMiddleware by @​Kludex in Kludex/uvicorn#2944

Full Changelog: Kludex/uvicorn@0.47.0...0.48.0

Changelog

Sourced from uvicorn's changelog.

0.48.0 (May 24, 2026)

Changed

• Default ssl_ciphers to None and use OpenSSL defaults (#2940)

Fixed

• Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)

Commits

• 73e84e5 Version 0.48.0 (#2951)
• 45ea116 Ignore duplicate forwarding headers in ProxyHeadersMiddleware (#2944)
• dd4394c chore(deps): bump idna from 3.11 to 3.15 (#2941)
• abe0781 Default ssl_ciphers to None and use OpenSSL defaults (#2940)
• See full diff in compare view

Updates yfinance from 1.3.0 to 1.4.0

Release notes

Sourced from yfinance's releases.

1.4.0

Minor changes

• Login Yahoo account with yf.Auth link
• Region scoping on Sector and Industry link
• Support curl_cffi fallback to requests package link

Patches

• Lots of fixes big and small.

Full changelog #2828

Thanks @​etbala @​dokson @​a-drenaline @​gottostartsomewhere @​Jaypatel1511

Changelog

Sourced from yfinance's changelog.

1.4.0

Features

• Add Auth class for Logging In #2761
• Allow region scoping for Sector and Industry (closes #2601) #2803
• Make curl_cffi optional with fallback to requests (closes #2692) #2802 Fixes
• Add 'repair' to get_history_metadata() #2777
• Adding try block for added protection to "meta" data #2778
• Fix: _dts_in_same_interval("1mo") ignored year #2780
• Fix TypeError when data['chart'] is None in history.py (#2670) #2794
• Fix dividends error on unlisted tickers #2797
• Fix #2784: validate Market region and stop returning misleading status #2801
• Make yf.download() reentrant by removing shared module globals #2805
• Allow lang and region scoping for Ticker (closes #2582) #2804
• Fix localized intraday download() always returning UTC #2825 Maintenance
• chore: fix typos (prividing -> providing, Reponse -> Response) #2779
• Fix Failing Tests #2792
• Simplify phantom-dividend repair branch + drive-by typo/lint fixes #2810
• Drop frozendict hard dependency in favour of an internal fallback #2821

Commits

• e005d2d Version 1.4.0
• ff36bd7 Merge pull request #2828 from ranaroussi/dev
• d893ef4 docs: changelog entry for 54bef21
• 54bef21 Fix tests
• 44cc9ba Merge pull request #2829 from ranaroussi/dependabot/github_actions/zizmorcore...
• 89ad803 Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6
• 0721ed0 docs: changelog entry for 6ab79ed
• f0aa468 docs: changelog entry for acd2c28
• 970b40a docs: changelog entry for 7538c1f
• 6ab79ed Merge pull request #2825 from ranaroussi/fix/download-tz
• Additional commits viewable in compare view

Updates marimo from 0.23.6 to 0.23.8

Release notes

Sourced from marimo's releases.

0.23.7

What's Changed

This release brings major upgrades to table filtering, adds speaker notes to slide view, and lets WASM notebooks query remote files with DuckDB.

⭐ Highlights

Powerful new table column filters

Table columns now support the full operator set across every dtype. Text columns get contains, starts_with, ends_with, equals, regex, is_empty, and more, with a slash-bracketed regex input and a creatable values picker for in / not_in. Number columns get native between, and the new date/datetime/time filter UI brings the same operator coverage to date-like columns with smart clipboard paste for ISO/US/RFC dates and A - B ranges (#9597, #9615).

Speaker notes for slides

Press S in slide view to open speaker notes alongside the current slide, including in fullscreen and kiosk mode (#9533).

Query remote files with DuckDB in WASM notebooks

WASM notebooks can now read CSV, Parquet, JSON, and GeoJSON over HTTP from mo.sql, SQL cells, raw duckdb.sql/query/execute, connection SQL methods, and the duckdb.read_csv/read_parquet/read_json Python API. marimo rewrites the AST with sqlglot, fetches the remote file via its shared WASM fetch util, and binds the result as a pandas DataFrame that DuckDB can scan (#9480).

SELECT * FROM read_csv('https://example.com/cars.csv')

✨ Enhancements

• Expand column filter operators and pill-editor UX (#9597)
• Date/datetime/time filter UI (#9615)
• Add speaker notes for slides (#9533)
• Support HTTP DuckDB queries in WASM notebooks (#9480)
• Snapshot document and outputs in MCP execute_code (#9654)
• Rename ctx.notify to broadcast_raw_notification (#9581)
• Record staleness reads on .code access only (#9655)
• Expose cell outputs to code_mode (#9653)
• Make marimo new CLI help page render properly at 80 columns (#9636)
• Read-before-write protection for cell edits (#9585)
• Skip stdlib/site-packages on per-cell check (#9629)
• Show cell index in dependency minimap (#9633)
• Extract ModuleReloader/ModuleWatcher into AutoreloadManager (#9590)
• DRY up code between wasm and native kernel (#9591)
• Update default duckdb mo.sql deps (#9599)
• Show .git and .venv in file browser (#9606)
• Support disabled on dropdown and multiselect (#9600)
• Split kernel command dispatch into router + callback bundles (#9577)

... (truncated)

Commits

• 0880349 release: 0.23.8 (#9669)
• 14ff054 Revert "refactor: replace MarimoFileKey alias with FileKey ADT (#9483)" (#9668)
• cbde228 fix(lazy): resolve mo.lazy eagerly in non-interactive exports (#9644)
• 06a9c32 release: 0.23.7 (#9659)
• 0a2780a fix(tests): access .code to register read in scratchpad ctx test (#9658)
• 51b5379 Guard SQL ref extraction on sqlglot availability (#9656)
• 9dc5335 Fix double backticks in broadcast_raw_notification docstring (#9657)
• 9076095 Snapshot document and outputs in MCP execute_code (#9654)
• 448900a Rename ctx.notify to broadcast_raw_notification (#9581)
• d0ed8b2 Record staleness reads on .code access only (#9655)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.