Bump the minor-and-patch group across 1 directory with 6 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
requests	2.33.1	2.34.2
ruff	0.13.2	0.15.16
tox	4.30.2	4.55.1
tox-uv	1.28.0	1.35.2
types-requests	2.32.4.20250913	2.33.0.20260518
types-deprecated	1.2.15.20250304	1.3.1.20260520

Updates requests from 2.33.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates ruff from 0.13.2 to 0.15.16

Release notes

Sourced from ruff's releases.

0.15.16

Release Notes

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.16

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

0.15.15

... (truncated)

Commits

• 6c498ab Bump 0.15.16 (#25635)
• e51e132 [flake8-async] Implement yield-in-context-manager-in-async-generator (`AS...
• 7c6dcd9 [ty] Add caching for pattern match narrowing (#25613)
• 27058fc [ty] Compact retained definition and expression identities (#25606)
• bf80d05 Fix CODEOWNERS syntax (#25622)
• 10ccd51 Shrink additional parser AST collections (#25465)
• 0d7135f [ty] Upgrade Salsa (#25545)
• 49493a3 [ty] Show type alias value on hover (#25381)
• 85207d3 [ty] sys.implementation.version is not sys.version_info (#25608)
• a8a0614 [ty] Avoid retaining duplicate function signatures (#25609)
• Additional commits viewable in compare view

Updates tox from 4.30.2 to 4.55.1

Release notes

Sourced from tox's releases.

v4.55.1

What's Changed

• 🐛 fix(config): propagate overrides through config references by @​tales-aparecida in tox-dev/tox#3951

New Contributors

• @​tales-aparecida made their first contribution in tox-dev/tox#3951

Full Changelog: tox-dev/tox@4.55.0...4.55.1

v4.55.0

What's Changed

• 👷 ci(schemastore): sync fork before pushing branch by @​gaborbernat in tox-dev/tox#3942
• feat: Also pass TERMINFO when in an interactive shell by @​edgarrmondragon in tox-dev/tox#3946
• 🐛 fix(pip): skip constrain_package_deps when constraints is set by @​gaborbernat in tox-dev/tox#3948

Full Changelog: tox-dev/tox@4.54.0...4.55.0

v4.54.0

What's Changed

• 🧪 test(conftest): strip broken nspkg.pth files under py3.15 by @​gaborbernat in tox-dev/tox#3937
• ✨ feat(packaging): declare tox.pytest deps via a testing extra by @​gaborbernat in tox-dev/tox#3940
• 🐛 fix(schema): cover every replace form in the TOML schema by @​gaborbernat in tox-dev/tox#3941

Full Changelog: tox-dev/tox@4.53.1...4.54.0

v4.53.1

What's Changed

• 🐛 fix(security): harden user-facing logs and untrusted inputs by @​gaborbernat in tox-dev/tox#3924
• 🐛 fix(type): correct argparse override signatures for ty 0.0.33 by @​gaborbernat in tox-dev/tox#3932
• fix: allow deps arrays in TOML schema by @​cyphercodes in tox-dev/tox#3931

New Contributors

• @​cyphercodes made their first contribution in tox-dev/tox#3931

Full Changelog: tox-dev/tox@4.53.0...4.53.1

v4.53.0

What's Changed

... (truncated)

Changelog

Sourced from tox's changelog.

Bug fixes - 4.55.1

• TOX_OVERRIDE (and -x/--override) now propagates through configuration references. Previously, overriding a base value that was later referenced via {[section]key} (ini) or {replace = "ref", of = [...]} (toml) was ignored because reference resolution read the raw file value, bypassing the override system - by :user:tales-aparecida. (:issue:3950) (:issue:3950)

---

v4.55.0 (2026-05-28)

---

Features - 4.55.0

• Automatically pass the TERMINFO environment variable to tox subprocesses if the output is a TTY. This variable is used by Ghostty to communicate terminal capabilities to programs. (:issue:3946)

Bug fixes - 4.55.0

• When the constraints configuration option is set, constrain_package_deps and use_frozen_constraints are now ignored. Previously, both the user-provided constraints file and the auto-generated constraints file were passed to pip during install_package_deps, which could cause resolver conflicts when the same package appeared in both files - by :user:gaborbernat. (:issue:3945) (:issue:3945)

---

v4.54.0 (2026-05-12)

---

Features - 4.54.0

• Declare the runtime dependencies of the tox.pytest plugin (pytest, devpi-process and pytest-mock) under a new testing extra, so plugin authors can pull them in via tox[testing] - by :user:gaborbernat. (:issue:3938, :issue:3940)

Bug fixes - 4.54.0

• Extend the generated TOML schema to cover every replace table form (env, ref, posargs, glob, if), including conditional replacements used inside commands. A guard test asserts the schema stays in sync with the loader implementation so future replace types cannot be added without a corresponding schema entry. (:issue:3939)

---

v4.53.1 (2026-05-02)

---

Bug fixes - 4.53.1

... (truncated)

Commits

• 7ebde0c release 4.55.1
• 9ac5479 🐛 fix(config): propagate overrides through config references (#3951)
• 28972a9 [pre-commit.ci] pre-commit autoupdate (#3949)
• 928b7f0 release 4.55.0
• a43427f 🐛 fix(pip): skip constrain_package_deps when constraints is set (#3948)
• 27b68b3 [pre-commit.ci] pre-commit autoupdate (#3947)
• 4e6627c feat: Also pass TERMINFO when in an interactive shell (#3946)
• 10c431c [pre-commit.ci] pre-commit autoupdate (#3943)
• c86e876 👷 ci(schemastore): sync fork before pushing branch (#3942)
• 1f1fcc7 release 4.54.0
• Additional commits viewable in compare view

Updates tox-uv from 1.28.0 to 1.35.2

Release notes

Sourced from tox-uv's releases.

1.35.2

What's Changed

• Honor constraints opt for all packages by @​stephenfin in tox-dev/tox-uv#332
• 🐛 fix(lock): honor --recreate in uv-venv-lock-runner by @​gaborbernat in tox-dev/tox-uv#338

New Contributors

• @​stephenfin made their first contribution in tox-dev/tox-uv#332

Full Changelog: tox-dev/tox-uv@1.35.1...1.35.2

1.35.1

What's Changed

• fix(lock-runner): respect UV_FROZEN env var and --frozen in uv_sync_flags by @​alexholtz in tox-dev/tox-uv#327

New Contributors

• @​alexholtz made their first contribution in tox-dev/tox-uv#327

Full Changelog: tox-dev/tox-uv@1.35.0...1.35.1

1.35.0

What's Changed

• Add machine and architecture handling to version spec by @​griels in tox-dev/tox-uv#321
• 🐛 fix(installer): invalidate install cache on UV_* env var changes by @​gaborbernat in tox-dev/tox-uv#325

New Contributors

• @​griels made their first contribution in tox-dev/tox-uv#321

Full Changelog: tox-dev/tox-uv@1.34.0...1.35.0

1.34.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/tox-uv#317
• ✨ feat(runner): add PEP 723 inline script metadata support by @​gaborbernat in tox-dev/tox-uv#319

Full Changelog: tox-dev/tox-uv@1.33.4...1.34.0

1.33.4

What's Changed

• 🐛 fix(meta): remove tox_uv namespace conflict by @​gaborbernat in tox-dev/tox-uv#314

... (truncated)

Commits

• 595721d 🐛 fix(lock): honor --recreate in uv-venv-lock-runner (#338)
• 1026808 [pre-commit.ci] pre-commit autoupdate (#337)
• 3f7ea4d [pre-commit.ci] pre-commit autoupdate (#334)
• f976fc1 build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (#333)
• c0fabe3 Honor constraints opt for all packages (#332)
• d4aa96d [pre-commit.ci] pre-commit autoupdate (#331)
• ac78519 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#329)
• 8bab9b8 [pre-commit.ci] pre-commit autoupdate (#328)
• 8b0497e fix(lock-runner): respect UV_FROZEN env var and --frozen in uv_sync_flags (#327)
• ad30d57 build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#324)
• Additional commits viewable in compare view

Updates types-requests from 2.32.4.20250913 to 2.33.0.20260518

Commits

• See full diff in compare view

Updates types-deprecated from 1.2.15.20250304 to 1.3.1.20260520

Commits

• See full diff in compare view

[cursor]

PR Summary

Medium Risk
Bumps the core HTTP client (requests 2.34.x with new inline types and behavior fixes) while also upgrading Ruff across minor versions; no app code changed, so risk is mainly resolver/CI and subtle HTTP or typing regressions.

Overview
Dependency-only update: pyproject.toml widens the runtime requests constraint from ~=2.33.0 to >=2.33,<2.35, and uv.lock is refreshed so resolved requests moves 2.33.1 → 2.34.2 along with dev tools (ruff 0.13.2 → 0.15.16, tox 4.30.2 → 4.55.1, tox-uv 1.28.0 → 1.35.2, plus types-requests / types-deprecated stubs). Lockfile churn also reflects transitive updates (e.g. tox dropping chardet, adding tomli-w / python-discovery, tox-uv split into tox-uv + tox-uv-bare).

No library source changes; HTTP still goes through requests in dune_client/api/base.py. Reviewers should rely on CI/tox after the ruff major jump and confirm requests 2.34 typing/runtime behavior with mypy if types are strict.

^{Reviewed by Cursor Bugbot for commit c9ac9dc. Configure here.}