chore(deps): update all dependencies

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/cache	action	major	v4 → v5
actions/checkout	action	major	v5 → v6
actions/checkout	action	major	v4 → v6
actions/setup-python	action	major	v5 → v6
aiohttp		patch	==3.13.3 → ==3.13.4
alembic (changelog)		minor	==1.17.0 → ==1.18.4
attrs (changelog)		major	==25.4.0 → ==26.1.0
build (changelog)		patch	==1.4.0 → ==1.4.2
cachetools		major	==6.2.6 → ==7.0.5
cachetools		major	==6.2.1 → ==7.0.5
certifi		major	==2025.10.5 → ==2026.2.25
charset-normalizer (changelog)		patch	==3.4.4 → ==3.4.6
click (changelog)		patch	==8.3.0 → ==8.3.1
dorny/paths-filter	action	major	v3 → v4
google-api-core		minor	==2.26.0 → ==2.30.0
google-api-core		minor	==2.28.1 → ==2.30.0
google-auth		minor	==2.41.1 → ==2.49.1
google-auth		minor	==2.48.0 → ==2.49.1
google-auth		minor	==2.43.0 → ==2.49.1
google-cloud-core		minor	==2.4.3 → ==2.5.0
google-cloud-spanner		minor	==3.58.0 → ==3.63.0
google-cloud-testutils (source)		patch	==1.7.0 → ==1.7.1
googleapis-common-protos (source)		minor	==1.71.0 → ==1.73.1
googleapis-common-protos (source)		minor	==1.72.0 → ==1.73.1
grpcio		minor	==1.75.1 → ==1.80.0
grpcio		minor	==1.76.0 → ==1.80.0
grpcio-status		minor	==1.75.1 → ==1.80.0
importlib-metadata		major	==8.7.1 → ==9.0.0
ipython		minor	==9.10.0 → ==9.12.0
multidict		patch	==6.7.0 → ==6.7.1
packaging		major	==25.0 → ==26.0
pandas		major	==2.3.3 → ==3.0.1
parameterized		minor	==0.8.1 → ==0.9.0
proto-plus		patch	==1.27.1 → ==1.27.2
proto-plus		minor	==1.26.1 → ==1.27.2
protobuf		major	==6.33.5 → ==7.34.1
pygments (changelog)		minor	==2.19.2 → ==2.20.0
pypandoc		minor	==1.16 → ==1.17
pytest (changelog)		patch	==9.0.0 → ==9.0.2
python	uses-with	minor	3.10 → 3.14
python	uses-with	minor	3.12 → 3.14
python	uses-with	minor	3.9 → 3.14
python	uses-with	minor	3.8 → 3.14
requests (changelog)		minor	==2.32.5 → ==2.33.0
ruff (source, changelog)		minor	==0.14.14 → ==0.15.8
rules_cc	http_archive	minor	0.1.1 → 0.2.17
sphinx (changelog)		major	==4.5.0 → ==9.1.0
sphinxcontrib-applehelp (changelog)		major	==1.0.4 → ==2.0.0
sphinxcontrib-devhelp (changelog)		major	==1.0.2 → ==2.0.0
sphinxcontrib-htmlhelp (changelog)		minor	==2.0.1 → ==2.1.0
sphinxcontrib-qthelp (changelog)		major	==1.0.3 → ==2.0.0
sphinxcontrib-serializinghtml (changelog)		major	==1.1.5 → ==2.0.0
sqlparse (changelog)		patch	==0.5.3 → ==0.5.5
tomli (changelog)		patch	==2.4.0 → ==2.4.1
urllib3 (changelog)		minor	==2.5.0 → ==2.6.3
wheel (changelog)		minor	==0.45.1 → ==0.46.3
wrapt (changelog)		major	==1.17.3 → ==2.1.2
yarl		minor	==1.22.0 → ==1.23.0

---

Release Notes

actions/cache (actions/cache)

v5

Compare Source

actions/checkout (actions/checkout)

v6

Compare Source

actions/setup-python (actions/setup-python)

v6

Compare Source

aio-libs/aiohttp (aiohttp)

v3.13.4

Compare Source

===================

Features

• Added max_headers parameter to limit the number of headers that should be read from a response -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11955.

• Added a dns_cache_max_size parameter to TCPConnector to limit the size of the cache -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12106.

Bug fixes

• Fixed server hanging indefinitely when chunked transfer encoding chunk-size
  does not match actual data length. The server now raises
  TransferEncodingError instead of waiting forever for data that will
  never arrive -- by :user:Fridayai700.

  Related issues and pull requests on GitHub:
  :issue:10596.

• Fixed access log timestamps ignoring daylight saving time (DST) changes. The
  previous implementation used :py:data:time.timezone which is a constant and
  does not reflect DST transitions -- by :user:nightcityblade.

  Related issues and pull requests on GitHub:
  :issue:11283.

• Fixed RuntimeError: An event loop is running error when using aiohttp.GunicornWebWorker
  or aiohttp.GunicornUVLoopWebWorker on Python >=3.14.
  -- by :user:Tasssadar.

  Related issues and pull requests on GitHub:
  :issue:11701.

• Fixed :exc:ValueError when creating a TLS connection with ClientTimeout(total=0) by converting 0 to None before passing to ssl_handshake_timeout in :py:meth:asyncio.loop.start_tls -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:11859.

• Restored :py:meth:~aiohttp.BodyPartReader.decode as a synchronous method
  for backward compatibility. The method was inadvertently changed to async
  in 3.13.3 as part of the decompression bomb security fix. A new
  :py:meth:~aiohttp.BodyPartReader.decode_iter method is now available
  for non-blocking decompression of large payloads using an async generator.
  Internal aiohttp code uses the async variant to maintain security protections.

  Changed multipart processing chunk sizes from 64 KiB to 256KiB, to better
  match aiohttp internals
  -- by :user:bdraco and :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:11898.

• Fixed false-positive :py:class:DeprecationWarning for passing enable_cleanup_closed=True to :py:class:~aiohttp.TCPConnector specifically on Python 3.12.7.
  -- by :user:Robsdedude.

  Related issues and pull requests on GitHub:
  :issue:11972.

• Fixed _sendfile_fallback over-reading beyond requested count -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12096.

• Fixed digest auth dropping challenge fields with empty string values -- by :user:bysiber.

  Related issues and pull requests on GitHub:
  :issue:12097.

• ClientConnectorCertificateError.os_error no longer raises :exc:AttributeError
  -- by :user:themylogin.

  Related issues and pull requests on GitHub:
  :issue:12136.

• Adjusted pure-Python request header value validation to align with RFC 9110 control-character handling, while preserving lax response parser behavior, and added regression tests for Host/header control-character cases.
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12231.

• Rejected duplicate singleton headers (Host, Content-Type,
  Content-Length, etc.) in the C extension HTTP parser to match
  the pure Python parser behaviour, preventing potential host-based
  access control bypasses via parser differentials
  -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12240.

• Aligned the pure-Python HTTP request parser with the C parser by splitting
  comma-separated and repeated Connection header values for keep-alive,
  close, and upgrade handling -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12249.

Improved documentation

• Documented :exc:asyncio.TimeoutError for WebSocketResponse.receive()
  and related methods -- by :user:veeceey.

  Related issues and pull requests on GitHub:
  :issue:12042.

Packaging updates and notes for downstreams

• Upgraded llhttp to 3.9.1 -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:12069.

Contributor-facing changes

• The benchmark CI job now runs only in the upstream repository -- by :user:Cycloctane.

  It used to always fail in forks, which this change fixed.

  Related issues and pull requests on GitHub:
  :issue:11737.

• Fixed flaky performance tests by using appropriate fixed thresholds that account for CI variability -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:11992.

Miscellaneous internal changes

• Fixed test_invalid_idna to work with idna 3.11 by using an invalid character (\u0080) that is rejected by yarl during URL construction -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12027.

• Fixed race condition in test_data_file on Python 3.14 free-threaded builds -- by :user:rodrigobnogueira.

  Related issues and pull requests on GitHub:
  :issue:12170.

---

python-attrs/attrs (attrs)

v26.1.0

Compare Source

Backwards-incompatible Changes

• Field aliases are now resolved before calling field_transformer, so transformers receive fully populated Attribute objects with usable alias values instead of None.
  The new Attribute.alias_is_default flag indicates whether the alias was auto-generated (True) or explicitly set by the user (False).
  #​1509

Changes

• Fix type annotations for attrs.validators.optional(), so it no longer rejects tuples with more than one validator.
  #​1496
• The attrs.validators.disabled() contextmanager can now be nested.
  #​1513
• Frozen classes can set on_setattr=attrs.setters.NO_OP in addition to None.
  #​1515
• It's now possible to pass attrs instances in addition to attrs classes to attrs.fields().
  #​1529

pypa/build (build)

v1.4.2

Compare Source

What's Changed

• fix(uv): always pass the python to use by @​henryiii in #​996
• 🐛 fix(release): detect pre-commit environment inconsistencies by @​gaborbernat in #​1001
• 🔧 fix(towncrier): match docstrfmt RST formatting expectations by @​gaborbernat in #​1002
• Fix _has_valid_outer_pip when pip is missing by @​notatallshaw in #​1003
• fix: release changelog issue by @​henryiii in #​1006

New Contributors

• @​notatallshaw made their first contribution in #​1003

Full Changelog: pypa/build@1.4.1...1.4.2

v1.4.1

Compare Source

What's Changed

• Fix documentation grammar and typos by @​DimitriPapadopoulos in #​979
• Allow setting build constraints by @​layday in #​963
• fix: pip hack workaround by @​henryiii in #​980
• 📚 docs: reorganize using Diataxis framework by @​gaborbernat in #​988
• ✨ feat(ci): automate releases and harden workflows by @​gaborbernat in #​991
• chore: avoid template injection zizmor issue by @​henryiii in #​994
• chore: fix PR template by @​henryiii in #​995
• chore: fix fix job by @​henryiii in #​997
• 🐛 fix(ci): resolve pre-release auth failure and change detection by @​gaborbernat in #​999
• 🐛 fix(deps): add pre-commit to release dependency group by @​gaborbernat in #​1000

Full Changelog: pypa/build@1.4.0...1.4.1

certifi/python-certifi (certifi)

v2026.2.25

Compare Source

v2026.1.4

Compare Source

v2025.11.12

Compare Source

jawah/charset_normalizer (charset-normalizer)

v3.4.6

Compare Source

Changed

• Flattened the logic in charset_normalizer.md for higher performance. Removed eligible(..) and feed(...)
  in favor of feed_info(...).
• Raised upper bound for mypy[c] to 1.20, for our optimized version.
• Updated UNICODE_RANGES_COMBINED using Unicode blocks v17.

Fixed

• Edge case where noise difference between two candidates can be almost insignificant. (#​672)
• CLI --normalize writing to wrong path when passing multiple files in. (#​702)

Misc

• Freethreaded pre-built wheels now shipped in PyPI starting with 3.14t. (#​616)

v3.4.5

Compare Source

Changed

• Update setuptools constraint to setuptools>=68,<=82.
• Raised upper bound of mypyc for the optional pre-built extension to v1.19.1

Fixed

• Add explicit link to lib math in our optimized build. (#​692)
• Logger level not restored correctly for empty byte sequences. (#​701)
• TypeError when passing bytearray to from_bytes. (#​703)

Misc

• Applied safe micro-optimizations in both our noise detector and language detector.
• Rewrote the query_yes_no function (inside CLI) to avoid using ambiguous licensed code.
• Added cd.py submodule into mypyc optional compilation to reduce further the performance impact.

pallets/click (click)

v8.3.1

Compare Source

Released 2025-11-15

• Don't discard pager arguments by correctly using subprocess.Popen. :issue:3039
  :pr:3055
• Replace Sentinel.UNSET default values by None as they're passed through
  the Context.invoke() method. :issue:3066 :issue:3065 :pr:3068
• Fix conversion of Sentinel.UNSET happening too early, which caused incorrect
  behavior for multiple parameters using the same name. :issue:3071 :pr:3079
• Hide Sentinel.UNSET values as None when looking up for other parameters
  through the context inside parameter callbacks. :issue:3136 :pr:3137
• Fix rendering when prompt and confirm parameter prompt_suffix is
  empty. :issue:3019 :pr:3021
• When Sentinel.UNSET is found during parsing, it will skip calls to
  type_cast_value. :issue:3069 :pr:3090

dorny/paths-filter (dorny/paths-filter)

v4

Compare Source

• Update action runtime to node24

googleapis/google-cloud-python (google-api-core)

v2.30.0: google-api-core: v2.30.0

Compare Source

Bug Fixes

• preserve exception cause (c7fc19303e0f1d7357109a73c13f875a5ced7606)
• require Python ≥ 3.9, protobuf ≥ 4.25.8 (2d1aa4288c222b247fc49ea0da03c126c051e079)

v2.29.0

v2.28.1

v2.28.0

v2.27.0: google-cloud-secret-manager: v2.27.0

v2.27.0 (2026-03-26)

googleapis/google-auth-library-python (google-auth)

v2.48.0

Compare Source

Features

• add cryptography as required dependency (#​1929) (52558ae2881b1e6555f6f5c0d76365c15807ead9)
• Support the mTLS IAM domain for Certificate based Access (#​1938) (8dcf91a1b05c85fbbd0bcee78d66e498099102ab)
• add configurable GCE Metadata Server retries (#​1488) (454b441b478ec62bbf1a6ad5bceb6c7cbbfd0c37)
• honor NO_GCE_CHECK environment variable (#​1610) (383c9827536d9376e8248370ce4c2b83e468d027)

Bug Fixes

• resolve circular imports (#​1942) (25c1b064545702cbef087cfcd15fbbb6ef1af74f)
• removes content-header from AWS IMDS get request (#​1934) (97bfea9e02ede953fc8ee154e0deed3a3cfc6dcc)
• detect correct auth when ADC env var is set but empty (#​1374) (bfc07e1050bd0aa86fa3b08cdf70c9b68b5fe6a2)
• replace deprecated utcfromtimestamp (#​1799) (e431f20cf73ccac71926a23ec454468cea92e053)
• Use user_verification=preferred for ReAuth WebAuthn challenge (#​1798) (3f88a24089c4ee6822d510de0db210b54260d873)

v2.47.0

Compare Source

Features

• drop cachetools dependency in favor of simple local implementation (#​1590) (5c07e1c4f52bc77a1b16fa3b7b3c5269c242f6f4)

Bug Fixes

• Python 3.8 support (#​1918) (60dc20014a35ec4ba71e8065b9a33ecbdbeca97a)

v2.46.0

Compare Source

Documentation

• update urllib3 docstrings for v2 compatibility (#​1903) (3f1aeea2d1014ea1d244a4c3470e52d74d55404b)

Features

• Recognize workload certificate config in has_default_client_cert_source for mTLS for Agentic Identities (#​1907) (0b9107d573123e358c347ffa067637f992af61b4)

Bug Fixes

• add types to default and verify_token and Request init based on comments in the source code. (#​1588) (59a5f588f7793b59d923a4185c8c07738da618f7)
• fix the document of secure_authorized_session (#​1536) (5d0014707fc359782df5ccfcaa75fd372fe9dce3)
• remove setup.cfg configuration for creating universal wheels (#​1693) (c767531ce05a89002d109f595187aff1fcaacfb7)
• use .read() instead of .content.read() in aiohttp transport (#​1899) (12f4470f808809e8abf1141f98d88ab720c3899b)
• raise RefreshError for missing token in impersonated credentials (#​1897) (94d04e090fdfc61926dd32bc1d65f8820b9cede5)
• Fix test coverage for mtls_helper (#​1886) (02e71631fe275d93825c2e957e830773e75133f7)

v2.45.0

Compare Source

Features

• Adding Agent Identity bound token support and handling certificate mismatches with retries (#​1890) (b32c934e6b0d09b94c467cd432a0a635e8b05f5c)

v2.44.0

Compare Source

Features

• support Python 3.14 (#​1822) (0f7097e78f247665b6ef0287d482033f7be2ed6d)
• add ecdsa p-384 support (#​1872) (39c381a5f6881b590025f36d333d12eff8dc60fc)
• MDS connections use mTLS (#​1856) (0387bb95713653d47e846cad3a010eb55ef2db4c)
• Implement token revocation in STS client and add revoke() metho… (#​1849) (d5638986ca03ee95bfffa9ad821124ed7e903e63)
• Add shlex to correctly parse executable commands with spaces (#​1855) (cf6fc3cced78bc1362a7fe596c32ebc9ce03c26b)

Bug Fixes

• Use public refresh method for source credentials in ImpersonatedCredentials (#​1884) (e0c3296f471747258f6d98d2d9bfde636358ecde)
• Add temporary patch to workload cert logic to accomodate Cloud Run mis-configuration (#​1880) (78de7907b8bdb7b5510e3c6fa8a3f3721e2436d7)
• Delegate workload cert and key default lookup to helper function (#​1877) (b0993c7edaba505d0fb0628af28760c43034c959)

v2.43.0

Compare Source

Features

• Add public wrapper for _mtls_helper.check_use_client_cert which enables mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert sources detected (#​1859) Add public wrapper for check_use_client_cert which enables mTLS if
  GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, when the MWID/X.509 cert
  sources detected. Also, fix check_use_client_cert to return boolean
  value.
  Change #​1848 added the check_use_client_cert method that helps know if
  client cert should be used for mTLS connection. However, that was in a
  private class, thus, created a public wrapper of the same function so
  that it can be used by python Client Libraries. Also, updated
  check_use_client_cert to return a boolean value instead of existing
  string value for better readability and future scope.
  --------- (1535eccbff0ad8f3fd6a9775316ac8b77dca66ba)
• Enable mTLS if GOOGLE_API_USE_CLIENT_CERTIFICATE is not set, if the MWID/X.509 cert sources detected (#​1848) The Python SDK will use a hybrid approach for mTLS enablement:

• If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is set
  (either true or false), the SDK will respect that setting. This is
  necessary for test scenarios and users who need to explicitly control
  mTLS behavior.
• If the GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable is not
  set, the SDK will automatically enable mTLS only if it detects Managed
  Workload Identity (MWID) or X.509 Workforce Identity Federation (WIF)
  certificate sources. In other cases where the variable is not set, mTLS
  will remain disabled.
  ** This change also adds the helper method check_use_client_cert and
  it's unit test, which will be used for checking the criteria for setting
  the mTLS to true
  ** This change is only for Auth-Library, other changes will be created
  for Client-Library use-cases.
  --------- (395e405b64b56ddb82ee639958c2e8056ad2e82b)

• onboard google-auth to librarian (#​1838) This PR onboards google-auth library to the Librarian system.
  Wait for
  #​1819. (c503eaa511357d7a76cc1e1f1d3a3be2dabd5bca)

v2.42.1

Compare Source

Bug Fixes

• Catch ValueError for json.loads() (#​1842) (b074cad)

v2.42.0

Compare Source

Features

• Add trust boundary support for external accounts. (#​1809) (36ecb1d)

Bug Fixes

• Read scopes from ADC json for impersoanted cred (#​1820) (62c0fc8)

googleapis/python-cloud-core (google-cloud-core)

v2.5.0

Compare Source

Features

• Add Python 3.14 support (#​333) (c26e587)

Bug Fixes

• Remove setup.cfg configuration for creating universal wheels (#​332) (78ce8a6)
• Resolve issue where pre-release versions of dependencies are installed (#​329) (ab9785d)

googleapis/python-spanner (google-cloud-spanner)

v3.63.0

Compare Source

Documentation

• snippet for setting read lock mode (#​1473) (7e79920cfc8be76261dea1348931b0ef539dd6e1)

Features

• add requestID info in error exceptions (#​1415) (2c5eb96c4b395f84b60aba1c584ff195dbce4617)

Bug Fixes

• prevent thread leak by ensuring singleton initialization (#​1492) (e792136aa487f327736e01e34afe01cf2015f5a0)

v3.62.0

Compare Source

Features

• add uuid support (#​1310) (3b1792aad1d046b6ae1e5c982f5047289dffd95c)

Bug Fixes

• handle errors during stream restart in snapshot (#​1471) (c0668735cb69532f4c852bb7678f63e54da2d34e)
• resolve pre-release dependency failures and sqlparse recursion (#​1472) (9ec95b7df5e921112bd58b820722103177e0e5b6)
• transaction_tag should be set on BeginTransactionRequest (#​1463) (3d3cea0b5afb414a506ab08eebae733d803f17ac)

v3.61.0

Compare Source

Features

• support mTLS certificates when available (#​1467) (df87c3ed55db7cffa2eed4d7316ca5c375af1c5a)

v3.60.0

Compare Source

Documentation

• Update description for the BatchCreateSessionsRequest and Session (e08260fe24b62313d7964572eeb963eb8c3c923f)
• Update description for the IsolationLevel (e08260fe24b62313d7964572eeb963eb8c3c923f)

Features

• make built-in metrics enabled by default (#​1459) (64aebe7e3ecfec756435f7d102b36f5a41f7cc52)
• Add Spanner location API (#​1457) (e08260fe24b62313d7964572eeb963eb8c3c923f)
• Add Send and Ack mutations for Queues ([e08260fe24b62313d7964572eeb963eb8c3c923f](https://re

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Code Review

This pull request updates various dependencies across multiple packages, including rules_cc, ruff, sphinx, and several Google Cloud libraries. Feedback indicates that the update to google-api-core v2.30.0 in sqlalchemy-spanner drops support for Python 3.8, which may be a breaking change for users on that version.

[gemini-code-assist]

The update to google-api-core==2.30.0 drops support for Python 3.8. According to the release notes for google-api-core v2.30.0, this version requires Python ≥ 3.9. This is a breaking change that will drop support for Python 3.8.

If sqlalchemy-spanner needs to continue supporting Python 3.8, this dependency update should be reverted or pinned to a version compatible with Python 3.8 (e.g., <2.30.0).

[forking-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.