chore(deps): bump the uv group across 1 directory with 5 updates #1122

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/components/runners/ambient-runner/uv-86e462b618

@dependabot dependabot bot commented on behalf of github Mar 31, 2026

Bumps the uv group with 5 updates in the /components/runners/ambient-runner directory:

| Package | From | To |
| --- | --- | --- |
| requests | 2.32.5 | 2.33.0 |
| mcp-atlassian | 0.13.0 | 0.17.0 |
| authlib | 1.6.6 | 1.6.9 |
| black | 25.11.0 | 26.3.1 |
| pyasn1 | 0.6.2 | 0.6.3 |

Updates requests from 2.32.5 to 2.33.0

Release notes

Sourced from requests's releases.

v2.33.0

2.33.0 (2026-03-25)

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at #7271. Give it a try, and report any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. (#7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#7196)

Documentation

  • Various typo fixes and doc improvements.

New Contributors

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2330-2026-03-25

Commits
  • bc04dfd v2.33.0
  • 66d21cb Merge commit from fork
  • 8b9bc8f Move badges to top of README (#7293)
  • e331a28 Remove unused extraction call (#7292)
  • 753fd08 docs: fix FAQ grammar in httplib2 example
  • 774a0b8 docs(socks): same block as other sections
  • 9c72a41 Bump github/codeql-action from 4.33.0 to 4.34.1
  • ebf7190 Bump github/codeql-action from 4.32.0 to 4.33.0
  • 0e4ae38 docs: exclude Response.is_permanent_redirect from API docs (#7244)
  • d568f47 docs: clarify Quickstart POST example (#6960)
  • Additional commits viewable in compare view

Updates mcp-atlassian from 0.13.0 to 0.17.0

Release notes

Sourced from mcp-atlassian's releases.

v0.17.0

This release fixes two security vulnerabilities, adds new Jira features, and includes multiple bug fixes and hardening improvements.

🔒 Security

  • Path Traversal Guard: Confluence attachment downloads now validate paths against directory traversal attacks via validate_safe_path() with symlink resolution. Jira guards refactored to use the same shared utility. Fixes GHSA-xjgw-4wvw-rgm4 (#987)
  • SSRF Protection: Header-based URLs (X-Atlassian-*-Url) are now validated against SSRF — blocks private IPs, DNS rebinding, and redirect-based attacks. Optional domain allowlist via MCP_ALLOWED_URL_DOMAINS. Fixes GHSA-7r34-79r5-rcc9 (#986)
  • Credential Logging Removal: Removed OAuth token/secret logging from token exchange and response flows (#949)

✨ Features

Jira

  • Service Desk Queue Support: New jira_get_service_desk_queues, jira_get_queue_issues, and jira_get_queue_details tools for Server/DC (#979)
  • Project Components Tool: New jira_get_project_components tool to retrieve project components (#873)

🐛 Fixed

Jira

  • Epic Link Aliases: epicKey, epic_link, epicLink, and "Epic Link" now resolve correctly in create/update operations (#970)
  • JQL Reserved Words: Project keys matching JQL reserved words (e.g., IF, AND) are now auto-quoted (#967)
  • update_issue Fields Parameter: Accepts JSON string input (not just dict), consistent with other tools after schema compatibility changes (#973)

Confluence

  • Double /wiki Prefix: Fixed URL construction in analytics and v2 adapter that prepended /wiki twice on Cloud (#964)

Dependencies

  • Python & Dependency Upgrades: Upgraded Python version in Docker and ran uv lock --upgrade to resolve Trivy scan vulnerabilities (#977)
  • markdown-to-confluence Minimum: Bumped to >=0.3.4 to prevent ModuleNotFoundError on md2conf.metadata (#980)

🧪 Testing

  • E2E Test Suites: Added DC (61 tests) and Cloud (48 tests) end-to-end test suites with auth matrix coverage (#963)
  • Security Regression Tests: Path traversal and JQL sanitization regression tests (#983)

Contributors

Thanks to @​elisa-tfager, @​hteichmann-strato, @​JakubAnderwald, @​legard, @​ilgaur, and @​yotampe-pluto!

Full Changelog: sooperset/mcp-atlassian@v0.16.1...v0.17.0

v0.16.1

This release fixes Confluence Cloud URL construction, adds AI platform schema compatibility, and patches a ReDoS vulnerability.

🐛 Fixed

Confluence

  • Double /wiki Prefix in Cloud URLs: base_url already includes /wiki for Cloud instances (auto-appended by atlassian-python-api), but five URL constructions in v2_adapter.py and analytics.py were prepending it again — producing 404s for analytics views, page attachments, and attachment CRUD operations (#964, fixes #962)

Jira

  • ReDoS in Citation Regex: Citation regex in jira_get_issue used overlapping alternation that caused catastrophic backtracking on unmatched ?? markers — replaced with non-overlapping linear-time pattern (#948)

... (truncated)

Commits
  • e191a2f fix: sync OAuth tokens to base keyring username for load_tokens() compatibili...
  • 5cd697d fix(server): add SSRF protection for header-based URL validation (#986)
  • 52b9b09 fix(confluence): add path traversal guard for attachment downloads (#987)
  • ab36f81 test(jira): add security regression tests for path traversal and JQL sanitiza...
  • 757b821 fix(jira): add Server/DC-only docs and expand queue tests (#982)
  • f501146 fix(jira): update field descriptions and add pattern validation (#981)
  • 6e3073f fix: bump markdown-to-confluence minimum to >=0.3.4 (#980)
  • 0fc96f7 Upgrade python and dependencies to fix trivy scan issues (#977)
  • 9d0e22e feat(jira): add Jira Service Desk queue read support (Server/DC) (#979)
  • 88917c1 fix: remove credential/token logging and harden security (#949)
  • Additional commits viewable in compare view

Updates authlib from 1.6.6 to 1.6.9

Release notes

Sourced from authlib's releases.

v1.6.9

Full Changelog: authlib/authlib@v1.6.8...v1.6.9

Changes in jose module

  • Not using header's jwk automatically
  • Add ES256K into default jwt algorithms
  • Remove deprecated algorithm from default registry
  • Generate random cek when cek length doesn't match

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

  • Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

Commits
  • 9266eaa chore: release 1.6.9
  • b9bb2b2 fix(oidc): fail close at validating c_hash and at_hash
  • 1b0a1d9 fix(jose): generate random cek when cek length doesn't match
  • 5be3c51 fix(jose): add ES256K into default jwt algorithms
  • 48b345f fix(jose): remove deprecated algorithm from default registry
  • a5d4b2d fix(jose): do not use header's jwk automatically
  • a769f34 chore: release 1.6.8
  • 84f3fa2 fix: add EdDSA to default jwt algorithms
  • 38e872a chore: release 1.6.7
  • b87c32e fix: remove "none" algorithm from default jwt instance
  • See full diff in compare view

Updates black from 25.11.0 to 26.3.1

Release notes

Sourced from black's releases.

26.3.1

Stable style

  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration

  • Always hash cache filename components derived from --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd

  • Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure (#5039)

26.3.0

Stable style

  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

  • Fix bug where if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)

Packaging

  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments (#4930)

Performance

  • Introduce winloop for windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop() (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop eventloop or default eventloop (#4996)

Output

... (truncated)

Commits

Updates pyasn1 from 0.6.2 to 0.6.3

Release notes

Sourced from pyasn1's releases.

Release 0.6.3

It's a minor release.

  • Added nesting depth limit to ASN.1 decoder to prevent stack overflow from deeply nested structures (CVE-2026-30922).
  • Fixed OverflowError from oversized BER length field.
  • Fixed DeprecationWarning stacklevel for deprecated attributes.
  • Fixed asDateTime incorrect fractional seconds parsing.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.3, released 16-03-2026

Commits
  • af65c3b Prepare release 0.6.3
  • 5a49bd1 Merge commit from fork
  • 5494ba4 Fix asDateTime incorrect fractional seconds parsing (#102)
  • 71f486e Fix DeprecationWarning stacklevel for deprecated attributes (#101)
  • d7cb42d Fix OverflowError from oversized BER length field (#100)
  • See full diff in compare view
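
The mcp-atlassian 0.17.0 notes above describe a path traversal guard that includes symlink resolution. The following is an added example, not mcp-atlassian's code and not part of this PR, showing why resolving symlinks matters: a lexical `..` check accepts a path that passes through a symlink leaving the download directory, while a resolve-then-compare check rejects it. The function names `resolve_inside` and `lexical_only_check` and the directory layout are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise ValueError."""
    base = Path(base_dir).resolve(strict=True)
    # Join first, then resolve: resolve() collapses ".." and follows symlinks,
    # so the containment test runs on the path the OS would really open.
    candidate = (base / user_path).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def lexical_only_check(base_dir, user_path):
    """Weaker check for comparison: normalizes ".." but ignores symlinks."""
    base = os.path.abspath(base_dir)
    candidate = os.path.normpath(os.path.join(base, user_path))
    return os.path.commonpath([base, candidate]) == base


def demo():
    """Run both checks over a constructed tree; returns {case: (lexical, resolved)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base, outside = Path(tmp, "attachments"), Path(tmp, "outside")
        base.mkdir()
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed sample\n")
        (base / "report.pdf").write_text("constructed sample\n")
        # Symlink inside the download directory that points out of it.
        (base / "link").symlink_to(outside, target_is_directory=True)
        cases = {
            "plain file": "report.pdf",
            "dot-dot": "../outside/secret.txt",
            "via symlink": "link/secret.txt",
            "absolute": str(outside / "secret.txt"),
        }
        for label, name in cases.items():
            try:
                resolve_inside(base, name)
                allowed = True
            except ValueError:
                allowed = False
            results[label] = (lexical_only_check(base, name), allowed)
    return results
```

Open the resolved path that `resolve_inside` returns rather than the original input, so the file that was checked is the file that is read.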

dependabot bot added the dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) labels Mar 31, 2026
Bumps the uv group with 5 updates in the /components/runners/ambient-runner directory:

| Package | From | To |
| --- | --- | --- |
| [requests](https://github.com/psf/requests) | `2.32.5` | `2.33.0` |
| [mcp-atlassian](https://github.com/sooperset/mcp-atlassian) | `0.13.0` | `0.17.0` |
| [authlib](https://github.com/authlib/authlib) | `1.6.6` | `1.6.9` |
| [black](https://github.com/psf/black) | `25.11.0` | `26.3.1` |
| [pyasn1](https://github.com/pyasn1/pyasn1) | `0.6.2` | `0.6.3` |



Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

Updates `mcp-atlassian` from 0.13.0 to 0.17.0
- [Release notes](https://github.com/sooperset/mcp-atlassian/releases)
- [Commits](sooperset/mcp-atlassian@v0.13.0...v0.17.0)

Updates `authlib` from 1.6.6 to 1.6.9
- [Release notes](https://github.com/authlib/authlib/releases)
- [Commits](authlib/authlib@v1.6.6...v1.6.9)

Updates `black` from 25.11.0 to 26.3.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](psf/black@25.11.0...26.3.1)

Updates `pyasn1` from 0.6.2 to 0.6.3
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.2...v0.6.3)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: mcp-atlassian
  dependency-version: 0.17.0
  dependency-type: direct:production
  dependency-group: uv
- dependency-name: authlib
  dependency-version: 1.6.9
  dependency-type: indirect
  dependency-group: uv
- dependency-name: black
  dependency-version: 26.3.1
  dependency-type: indirect
  dependency-group: uv
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot force-pushed the dependabot/uv/components/runners/ambient-runner/uv-86e462b618 branch from 9ad7f2c to 4617c40 April 2, 2026 20:25

ambient-code bot commented Apr 3, 2026

Review Queue Status

| Check | Status | Detail |
| --- | --- | --- |
| CI | FAIL | build (ubuntu-latest, linux/amd64, amd64, frontend, ./components/frontend, quay.io/ambient_code/v..., build (ubuntu-latest, linux/amd64, amd64, backend, ./components/backend, quay.io/ambient_code/vte..., build (ubuntu-latest, linux/amd64, amd64, operator, ./components/operator, quay.io/ambient_code/v... +11 more failed |
| Conflicts | pass | |
| Reviews | pass | |

Action needed: Fix failing build (ubuntu-latest, linux/amd64, amd64, frontend, ./components/frontend, quay.io/ambient_code/v...

Auto-generated by Review Queue workflow. Updated when PR changes.
