chore(deps): bump the python-deps group across 1 directory with 18 updates by dependabot[bot] · Pull Request #18 · jgoy-labs/server-nexe

dependabot · 2026-04-12T11:27:52Z

Updates the requirements on fastapi, uvicorn, pydantic, python-multipart, httpx, qdrant-client, click, rich, typer, python-dotenv, numpy, prometheus-client, tenacity, psutil, huggingface-hub, pytest, pytest-asyncio and pytest-cov to permit the latest version.
Updates fastapi from 0.115.14 to 0.135.3

Release notes

Sourced from fastapi's releases.

0.135.3

Features

✨ Add support for @app.vibe(). PR #15280 by @tiangolo.

New docs: Vibe Coding.

Docs

✏️ Fix typo for client_secret in OAuth2 form docstrings. PR #14946 by @bysiber.

Internal

👥 Update FastAPI People - Experts. PR #15279 by @tiangolo.

⬆ Bump orjson from 3.11.7 to 3.11.8. PR #15276 by @dependabot[bot].

⬆ Bump ruff from 0.15.0 to 0.15.8. PR #15277 by @dependabot[bot].

👥 Update FastAPI GitHub topic repositories. PR #15274 by @tiangolo.

⬆ Bump fastmcp from 2.14.5 to 3.2.0. PR #15267 by @dependabot[bot].

👥 Update FastAPI People - Contributors and Translators. PR #15270 by @tiangolo.

⬆ Bump requests from 2.32.5 to 2.33.0. PR #15228 by @dependabot[bot].

👷 Add ty check to lint.sh. PR #15136 by @svlandeg.

0.135.2

Upgrades

⬆️ Increase lower bound to pydantic >=2.9.0. and fix the test suite. PR #15139 by @svlandeg.

Docs

📝 Add missing last release notes dates. PR #15202 by @tiangolo.

📝 Update docs for contributors and team members regarding translation PRs. PR #15200 by @YuriiMotov.

💄 Fix code blocks in reference docs overflowing table width. PR #15094 by @YuriiMotov.

📝 Fix duplicated words in docstrings. PR #15116 by @AhsanSheraz.

📝 Add docs for pyproject.toml with entrypoint. PR #15075 by @tiangolo.

📝 Update links in docs to no longer use the classes external-link and internal-link. PR #15061 by @tiangolo.

🔨 Add JS and CSS handling for automatic target=_blank for links in docs. PR #15063 by @tiangolo.

💄 Update styles for internal and external links in new tab. PR #15058 by @tiangolo.

📝 Add documentation for the FastAPI VS Code extension. PR #15008 by @savannahostrowski.

📝 Fix doctrings for max_digits and decimal_places. PR #14944 by @YuriiMotov.

📝 Add dates to release notes. PR #15001 by @YuriiMotov.

Translations

🌐 Update translations for zh (update-outdated). PR #15177 by @tiangolo.

🌐 Update translations for zh-hant (update-outdated). PR #15178 by @tiangolo.

🌐 Update translations for zh-hant (add-missing). PR #15176 by @tiangolo.

🌐 Update translations for zh (add-missing). PR #15175 by @tiangolo.

🌐 Update translations for ja (update-outdated). PR #15171 by @tiangolo.

🌐 Update translations for ko (update-outdated). PR #15170 by @tiangolo.

🌐 Update translations for tr (update-outdated). PR #15172 by @tiangolo.

🌐 Update translations for ko (add-missing). PR #15168 by @tiangolo.

... (truncated)

Commits

1f442c4 🔖 Release version 0.135.3
8f5d157 📝 Update release notes
428452a 📝 Update release notes
70580da ✨ Add support for @app.vibe() (#15280)
6ee8747 📝 Update release notes
3e72c09 👥 Update FastAPI People - Experts (#15279)
96df35f 📝 Update release notes
6c81125 ⬆ Bump orjson from 3.11.7 to 3.11.8 (#15276)
428f82c 📝 Update release notes
5599c59 ⬆ Bump ruff from 0.15.0 to 0.15.8 (#15277)
Additional commits viewable in compare view

Updates uvicorn from 0.34.3 to 0.44.0

Release notes

Sourced from uvicorn's releases.

Version 0.44.0

What's Changed

Implement websocket keepalive pings for websockets-sansio by @Kludex in Kludex/uvicorn#2888

Full Changelog: Kludex/uvicorn@0.43.0...0.44.0

Version 0.43.0

Changed

Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)

Use native context parameter for create_task on Python 3.11+ (#2859)

Drop cast in ASGI types (#2875)

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

Version 0.42.0

Changed

Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

Escape brackets and backslash in httptools HEADER_RE regex (#2824)

Fix multiple issues in websockets sans-io implementation (#2825)

New Contributors

@bysiber made their first contribution in Kludex/uvicorn#2825

Full Changelog: Kludex/uvicorn@0.41.0...0.42.0

Version 0.41.0

Added

Add --limit-max-requests-jitter to stagger worker restarts (#2707)

Add socket path to scope["server"] (#2561)

Changed

Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

Ignore permission denied errors in watchfiles reloader (#2817)

... (truncated)

Changelog

Sourced from uvicorn's changelog.

0.44.0 (April 6, 2026)

Added

Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @tiangolo for the fix 🙏). See the tweet.

Changed

Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)

Use native context parameter for create_task on Python 3.11+ (#2859)

Drop cast in ASGI types (#2875)

0.42.0 (March 16, 2026)

Changed

Use bytearray for request body accumulation to avoid O(n^2) allocation on fragmented bodies (#2845)

Fixed

Escape brackets and backslash in httptools HEADER_RE regex (#2824)

Fix multiple issues in websockets sans-io implementation (#2825)

0.41.0 (February 16, 2026)

Added

Add --limit-max-requests-jitter to stagger worker restarts (#2707)

Add socket path to scope["server"] (#2561)

Changed

Rename LifespanOn.error_occured to error_occurred (#2776)

Fixed

Ignore permission denied errors in watchfiles reloader (#2817)

Ensure lifespan shutdown runs when should_exit is set during startup (#2812)

Reduce the log level of 'request limit exceeded' messages (#2788)

0.40.0 (December 21, 2025)

Remove

Drop support for Python 3.9 (#2772)

... (truncated)

Commits

edb54c4 Version 0.44.0 (#2890)
029be08 Implement websocket keepalive pings for websockets-sansio (#2888)
8d397c7 Version 0.43.0 (#2885)
587042d 🐛 Emit http.disconnect ASGI receive() event on server shutting down for s...
c9a75fb chore(deps): bump the github-actions group with 3 updates (#2878)
84fd578 chore(deps): bump pygments from 2.19.2 to 2.20.0 (#2877)
cd52d34 Use native context parameter for create_task on Python 3.11+ (#2859)
5211880 Drop cast in ASGI types (#2875)
1cb8e74 Add websocket 500 fallback header test (#2874)
28efbb2 chore(deps-dev): bump cryptography from 46.0.5 to 46.0.6 (#2873)
Additional commits viewable in compare view

Updates pydantic from 2.10.6 to 2.12.5

Release notes

Sourced from pydantic's releases.

v2.12.5 2025-11-26

v2.12.5 (2025-11-26)

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

Fix pickle error when using model_construct() on a model with MISSING as a default value by @ornariece in #12522.

Several updates to the documentation by @Viicos.

Full Changelog: pydantic/pydantic@v2.12.4...v2.12.5

v2.12.4 2025-11-05

v2.12.4 (2025-11-05)

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

Fix issue with forward references in parent TypedDict classes by @Viicos in #12427.

This issue is only relevant on Python 3.14 and greater.

Exclude fields with exclude_if from JSON Schema required fields by @Viicos in #12430

Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @davidhewitt in pydantic-core#1833.

This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

Add type inference for IP address types by @davidhewitt in pydantic-core#1868.

The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

Avoid getting default values from defaultdict by @davidhewitt in pydantic-core#1853.

This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

Fix issue with field serializers on nested typed dictionaries by @davidhewitt in pydantic-core#1879.

Add more pydantic-core builds for the three-threaded version of Python 3.14 by @davidhewitt in pydantic-core#1864.

Full Changelog: pydantic/pydantic@v2.12.3...v2.12.4

v2.12.3 2025-10-17

v2.12.3 (2025-10-17)

What's Changed

This is the third 2.13 patch release, fixing issues related to the FieldInfo class, and reverting a change to the supported after model validator function signatures.

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.12.5 (2025-11-26)

GitHub release

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

Fix pickle error when using model_construct() on a model with MISSING as a default value by @ornariece in #12522.

Several updates to the documentation by @Viicos.

v2.12.4 (2025-11-05)

GitHub release

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

Fix issue with forward references in parent TypedDict classes by @Viicos in #12427.

This issue is only relevant on Python 3.14 and greater.

Exclude fields with exclude_if from JSON Schema required fields by @Viicos in #12430

Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @davidhewitt in pydantic-core#1833.

This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

Add type inference for IP address types by @davidhewitt in pydantic-core#1868.

The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

Avoid getting default values from defaultdict by @davidhewitt in pydantic-core#1853.

This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

Fix issue with field serializers on nested typed dictionaries by @davidhewitt in pydantic-core#1879.

Add more pydantic-core builds for the three-threaded version of Python 3.14 by @davidhewitt in pydantic-core#1864.

v2.12.3 (2025-10-17)

GitHub release

... (truncated)

Commits

bd2d0dd Prepare release v2.12.5
7d0302e Document security implications when using create_model()
e9ef980 Fix typo in Standard Library Types documentation
f2c20c0 Add pydantic-docs dev dependency, make use of versioning blocks
a76c1aa Update documentation about JSON Schema
8cbc72c Add documentation about custom __init__()
99eba59 Add additional test for FieldInfo.get_default()
c710769 Special case MISSING sentinel in smart_deepcopy()
20a9d77 Do not delete mock validator/serializer in rebuild_dataclass()
c86515a Update parts of the model and revalidate_instances documentation
Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.26

Release notes

Sourced from python-multipart's releases.

Version 0.0.26

What's Changed

Skip preamble before first multipart boundary by @Kludex in Kludex/python-multipart#262

Silently discard epilogue data after the closing boundary by @Kludex in Kludex/python-multipart#259

Full Changelog: Kludex/python-multipart@0.0.25...0.0.26

Version 0.0.25

What's Changed

Apply Apache-2.0 properly by @Kludex in Kludex/python-multipart#247

Handle multipart headers case-insensitively by @Kludex in Kludex/python-multipart#252

Emit field_end for trailing bare field names on finalize by @bysiber in Kludex/python-multipart#230

Add UPLOAD_DELETE_TMP to FormParser config by @Kludex in Kludex/python-multipart#254

Remove custom FormParser classes by @Kludex in Kludex/python-multipart#257

Handle CTE values case-insensitively by @Kludex in Kludex/python-multipart#258

Add MIME content type info to File by @jhnstrk in Kludex/python-multipart#143

Full Changelog: Kludex/python-multipart@0.0.24...0.0.25

Version 0.0.24

What's Changed

Validate chunk_size in parse_form() by @Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

Remove unused trust_x_headers parameter and X-File-Name fallback by @jhnstrk in Kludex/python-multipart#196

Return processed length from QuerystringParser._internal_write by @bysiber in Kludex/python-multipart#229

Cleanup metadata dunders from __init__.py by @Chesars in Kludex/python-multipart#227

New Contributors

@Chesars made their first contribution in Kludex/python-multipart#227

@bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.26 (2026-04-10)

Skip preamble before the first multipart boundary more efficiently #262.

Silently discard epilogue data after the closing multipart boundary #259.

0.0.25 (2026-04-10)

Add MIME content type info to File #143.

Handle CTE values case-insensitively #258.

Remove custom FormParser classes #257.

Add UPLOAD_DELETE_TMP to FormParser config #254.

Emit field_end for trailing bare field names on finalize #230.

Handle multipart headers case-insensitively #252.

Apply Apache-2.0 properly #247.

0.0.24 (2026-04-05)

Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

Remove unused trust_x_headers parameter and X-File-Name fallback #196.

Return processed length from QuerystringParser._internal_write #229.

Cleanup metadata dunders from __init__.py #227.

Commits

28f4785 Version 0.0.26 (#263)
d4452a7 Silently discard epilogue data after the closing boundary (#259)
6a7b76d Skip preamble before first multipart boundary (#262)
4addb60 Version 0.0.25 (#261)
d3a4698 Add MIME content type info to File (#143)
9a1ecbd Handle CTE values case-insensitively (#258)
ef2a0b9 Remove custom FormParser classes (#257)
3a757d7 Ignore local Claude state (#255)
55e7396 fuzz: Add cifuzz (#186)
d6d1d11 Bump the github-actions group with 2 updates (#249)
Additional commits viewable in compare view

Updates httpx from 0.27.2 to 0.28.1

Release notes

Sourced from httpx's releases.

Version 0.28.1

0.28.1 (6th December, 2024)

Fix SSL case where verify=False together with client side certificates.

Version 0.28.0

0.28.0 (28th November, 2024)

The 0.28 release includes a limited set of deprecations.

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

The verify argument as a string argument is now deprecated and will raise warnings.

The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

The deprecated proxies argument has now been removed.

The deprecated app argument has now been removed.

JSON request bodies use a compact representation. (#3363)

Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)

Ensure certifi and httpcore are only imported if required. (#3377)

Treat socks5h as a valid proxy scheme. (#3178)

Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)

Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Changelog

Sourced from httpx's changelog.

0.28.1 (6th December, 2024)

Fix SSL case where verify=False together with client side certificates.

0.28.0 (28th November, 2024)

Be aware that the default JSON request bodies now use a more compact representation. This is generally considered a prefered style, tho may require updates to test suites.

The 0.28 release includes a limited set of deprecations...

Deprecations:

We are working towards a simplified SSL configuration API.

For users of the standard verify=True or verify=False cases, or verify=<ssl_context> case this should require no changes. The following cases have been deprecated...

The verify argument as a string argument is now deprecated and will raise warnings.

The cert argument is now deprecated and will raise warnings.

Our revised SSL documentation covers how to implement the same behaviour with a more constrained API.

The following changes are also included:

The deprecated proxies argument has now been removed.

The deprecated app argument has now been removed.

JSON request bodies use a compact representation. (#3363)

Review URL percent escape sets, based on WHATWG spec. (#3371, #3373)

Ensure certifi and httpcore are only imported if required. (#3377)

Treat socks5h as a valid proxy scheme. (#3178)

Cleanup Request() method signature in line with client.request() and httpx.request(). (#3378)

Bugfix: When passing params={}, always strictly update rather than merge with an existing querystring. (#3364)

Commits

26d48e0 Version 0.28.1 (#3445)
89599a9 Fix verify=False, cert=... case. (#3442)
8ecb86f Add test for request params behavior changes (#3364) (#3440)
0cb7e5a Bump the python-packages group with 11 updates (#3434)
15e21e9 Updating deprecated docstring Client() class (#3426)
80960fa Version 0.28.0. (#3419)
a33c878 Fix extensions type annotation. (#3380)
ce7e14d Error on verify as str. (#3418)
47f4a96 Handle empty zstd responses (#3412)
189fc4b Update CHANGELOG.md, fix typo(s) (#3406)
Additional commits viewable in compare view

Updates qdrant-client from 1.16.1 to 1.17.1

Release notes

Sourced from qdrant-client's releases.

v1.17.1

Change Log

Features 🌊

#1162 - add a way to provide custom headers in http and grpc by @Anush008 @joein

#1166 - do not use fastembed for bm25 inference with hosted qdrant by @joein

Fixes 🔧

#1169 - do not modify date filters in local mode by @jnMetaCode

#1168 - run server version check in a thread to avoid blocking async client by @joein

#1157 - fix type hint error in grpc_uploader with older versions of protobuf by @joein

Thanks to everyone who contributed to the current release! @jnMetaCode @Anush008 @joein

v1.17.0

Change Log

Features 🚢

#1154 - introduce relevance feedback, add enable_hnsw option to payload indexes, add timeouts to upsert methods, weighted RRF, and more by @joein @coszio @generall

Fixes ⚙️

#1138 - fix score threshold for fusion queries by @cbcoutinho

Thanks to everyone who contributed to the current release! @cbcoutinho @generall @coszio @joein

v1.16.2

Change Log

Deprecations ⏳

#1110 - drop python3.9 support by @joein

Fixes ⚙️

#1132- adjust numpy versioning by @joein

#1133 - propagate lookup_from correctly in query_points_groups by @joein

#1134 - fix qdrant-client import in read-only systems by @holyMolyTolli

Thanks to everyone who contributed to the current release! @holyMolyTolli @joein

Commits

cd5eb25 bump version to v1.17.1
1699d30 feat: Add support for custom headers (#1162)
a410b9d fix: do not modify payload filters in local mode in-place (#1169)
7a01e54 new: run server version check in a thread, don't check bm25 availabil… (#1168)
cb4af4f deprecate: completely replace fastembed bm25 with qdrant core bm25 in hosted ...
2763397 fix: fix type hint union with grpc enum with old protobuf (#1157)
e7101dc bump version to v1.17.0
e50eb17 Update models 1.17 (#1154)
5234450 fix: apply score_threshold filtering after fusion queries in local mode (#1138)
49fa101 bump version to 1.16.2
Additional commits viewable in compare view

Updates click from 8.1.7 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152

Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224

Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140

Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139

Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

8.3.1

This is the Click 8.3.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.1/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-1 Milestone: https://github.com/pallets/click/milestone/28

Don't discard pager arguments by correctly using subprocess.Popen. #3039 #3055

Replace Sentinel.UNSET default values by None as they're passed through the Context.invoke() method. #3066 #3065 #3068

Fix conversion of Sentinel.UNSET happening too early, which caused incorrect behavior for multiple parameters using the same name. #3071 #3079

Fix rendering when prompt and confirm parameter prompt_suffix is empty. #3019 #3021

When Sentinel.UNSET is found during parsing, it will skip calls to type_cast_value. #3069 #3090

Hide Sentinel.UNSET values as None when looking up for other parameters through the context inside parameter callbacks. #3136 #3137

8.3.0

This is the Click 8.3.0 feature release. A feature release may include new features, remove previously deprecated code, add new deprecation, or introduce potentially breaking changes.

We encourage everyone to upgrade. You can read more about our Version Support Policy on our website.

PyPI: https://pypi.org/project/click/8.3.0/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-0 Milestone https://github.com/pallets/click/milestone/27

Improved flag option handling: Reworked the relationship between flag_value and default parameters for better consistency:

The default parameter value is now preserved as-is and passed directly to CLI functions (no more unexpected transformations)

... (truncated)

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152

Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224

Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140

Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139

Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Version 8.3.1

Released 2025-11-15

Don't discard pager arguments by correctly using subprocess.Popen. :issue:3039 :pr:3055

Replace Sentinel.UNSET default values by None as they're passed through the Context.invoke() method. :issue:3066 :issue:3065 :pr:3068

Fix conversion of Sentinel.UNSET happening too early, which caused incorrect behavior for multiple parameters using the same name. :issue:3071 :pr:3079

Hide Sentinel.UNSET values as None when looking up for other parameters through the context inside parameter callbacks. :issue:3136 :pr:3137

Fix rendering when prompt and confirm parameter prompt_suffix is empty. :issue:3019 :pr:3021

When Sentinel.UNSET is found during parsing, it will skip calls to type_cast_value. :issue:3069 :pr:3090

Version 8.3.0

Released 2025-09-17

Improved flag option handling: Reworked the relationship between flag_value and default parameters for better consistency:

The default parameter value is now preserved as-is and passed directly to CLI functions (no more unexpected transformations)

Exception: flag options with default=True maintain backward compatibility by defaulting to their flag_value

The default parameter can now be any type (bool, None, etc.)

Fixes inconsistencies reported in: :issue:1992 :issue:2514 :issue:2610

... (truncated)

Commits

052c006 Change update release date.
502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
a0a37e4 Change publish to werkzeug latest. (#3301)
57be6fc Change publish to werkzeug latest.
781d6a8 Update publish workflows (#3266)
ff795b6 Update precommit pins with tox
dd87ef4 Update ...
Description has been truncated

… nous Release consolidada v0.9.0 resultant de dues fases de treball: ## Fase 1 — Sprints 0-4 vacances 2-5 abril (42 bugs) Coordinat en sessions independents: - **Sprint 0-1**: memoria v1 (Qdrant embedded singleton, SessionManager v1) - **Sprint 2**: fix critic tray.py bloqueja teclat (_RamMonitor background) - **Sprint 3**: 13 bugs test instal·lacio neta + 5 fixes installer - #12 guard thinking+MEM_SAVE, #13 labels col·leccions, #14 pantalla benvinguda clickable, #15 i18n general, #16 tray nom+versio, #17 tray link web, #20 SEC-004 MIME validation - Installer: select_model() prompt_tier+chat_format, validacio Metal MLX - **Sprint 4**: refactoring — helpers extrets (ollama_helpers.py, tray_monitor.py, lifespan_modules.py), DEFAULT_VECTOR_SIZE constant, i18n get_message() complet - **Director 01/04**: 5 UX features (copy, sidebar, rename, donate, X doc) + 3 memory fixes (MEM_SAVE post-render strip, XSS fix, race condition Lock, [MEM:N] token mismatch) Auditoria global final APTE (2026-04-02). ## Fase 2 — HOMAD 2026-04-06 (27 bugs + Ollama GUI) 3 blocs de bugs del fitxer bugs-server-nexe.md (pre-release test): **Bloc 1 — Critics (5)** - #7 Reinstal·lacio 3 modes (wipe/overwrite/backup) + stop server + Keychain - #8 TOCTOU master key (os.open atomic) - #10 DreamingCycle connection leak (6/6 funcions) - #29 Phi-3.5 fora del cataleg - Ollama GUI: ollama serve headless (no open -a Ollama al Dock) **Bloc 2 — Mitjana (12)** - #21 validate_string_input API v1 - #22 auth 21 endpoints + docs gated - #17 MEM_SAVE injection strict (whitelist Unicode, blacklist) - #32 history_floor context budget - #15 Ollama breaker semantic (4xx no infra) - #16 SessionManager RLock reentrant - #19 MLX cache singleton double-checked locking - #11 Bootstrap token renewal + retry backoff (1,5,30) - #13 Qdrant pool flush + logger.warning - #20 Module cycles consumer + startup summary - #9 SQL MIN portable (Python min()) - #28 Installer --skip-model-download **Bloc 3 — Baixa (11)** - #3 HF_TOKEN warning silenciat - #4 ANSI constants buides sense TTY - #5 Qdrant didactic isatty guards - #6 warnings position_ids + Some weights filtered - #12 discover_modules early return - #14 TQDM_DISABLE runtime servidor - #18 encoding fallback utf-8 → cp1252 → latin-1 - #23 Ollama no silent fallback → HTTPException 404 - #26 _backend_model_exists best-effort + logger mitigant - #27 _BACKEND_ALIASES backwards-compat - #30 Info.plist LSUIElement=false verificats Workflow HOMAD: Dev paral·lels (Opus) + 9 passades Consultor independents amb Dev D intermedi per findings. Tot verificat al codi real. ## Pytest consolidat **4389 passed**, 7 fails pre-existents (test_chat_unit::test_long_text_truncated, test_root::test_enabled_modules, test_security::test_long_context_truncated, 4× test_memory_helper_async::TestGetMemoryApi), 0 regressions. ## Fitxers nous - core/endpoints/chat_engines/ollama_helpers.py (Sprint 4) - core/lifespan_modules.py (Sprint 4) - installer/tray_monitor.py (Sprint 4) - installer/installer_reinstall.py (Bloc 1 Bug 7) ## Stats - 61 fitxers modificats (57 codi/knowledge/tests/installer/personality + README.md + 3 nous) - +1870 / -674 linies ## Version bump v0.8.5 → v0.9.0 (cataleg, pyproject, README, CHANGELOG, index.html, footer) ## Post-release pendent - Build DMG v0.9.0 (/dmg-nexe) amb tots els fixes - Notaritzacio Apple (re-firma si cal) - Test manual DMG per Bug 30 (icona Dock) + smoke tests release - Webs .org i .com ja desplegades durant vacances NO PUSH en aquest commit — pendent OK explicit Jordi per al tag v0.9.0 final i push a GitHub release.

…dates Dependabot couldn't find the original pull request head commit, a576d21.

dependabot · 2026-04-13T20:16:27Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

…ralitzades - Àrea B: 5 bugs memòria+RAG (MEM_DELETE, re-ingest, logging, attribution, batch) - BUG #18: processa [MEM_DELETE] tags del model output - Àrea C: 8 bugs i18n/UI (textos hardcoded, mida model, tags visibles) - Àrea D: VLM passthrough llama_cpp + version.py centralitzat

chore(release): 0.9.9 — bug #18 MEM_DELETE cirurgia test(memory): e2e integration tests for MEM_DELETE with real Qdrant (#18 P0) fix(memory): lower DELETE_THRESHOLD 0.70→0.20 (#18 P0 e2e finding) feat(memory): clear_all intent with 2-turn confirmation (#18 P0) fix(security): neutralize MEM_DELETE/MEM_SAVE tags in RAG content (#18 P0)

Bundles the 8-commit surgery from dev (759eb87..958b993) that closes the last P0 blocker before v1.0: Code: - chat_sanitization.py — neutralize MEM_DELETE/MEM_SAVE tags in RAG content (G3 P0 security) - memory_helper.py — clear_all intent + DELETE_THRESHOLD 0.70→0.20 (G1 P0 + empirical finding from e2e suite) - routes_chat.py — pipeline wiring for clear_all 2-turn confirmation - ui/app.js — centralized system-marker strip in renderMarkdown (fixes [MODEL:…] / [DEL:N:…] leaking in non-streamed responses) - server.toml — all 6 prompts (ca/es/en × small/full) reworked with explicit "ATOMIC RULE: one MEM_SAVE per fact" + counter-examples - pyproject.toml, 4 plugin manifests — version bump to 0.9.9 - tests/integration/test_mem_delete_e2e.py — 8 e2e tests with real Qdrant embedded Diari: - 20260415_bug18_auditoria.md — formal Phase 1 audit - 20260415_bug18_tancament.md — closure log - director/2026-04-15.md — director session for the day - TODO-server-nexe.md marks #18 ✅, TODO-postrelease adds §2.bis for granular split+rewrite (post-v1.0 follow-up) - INDEX_DIARI, INDEX_DIRECTOR updated Baseline: 4706 passed, 11 pre-existing fails, 0 regressions. E2E 8/8. Empirically validated on the active M4 Pro 0.9.8 install (the fix made "Oblida que tinc 8 anys" delete with score=0.56 — would have silently failed with the old 0.70 threshold).

Post-closure paperwork for bug #18 — consolidated director-session entry with full audit trail (commits, decisions, problems, next steps) and INDEX_DIARI link to it.

…1 Cluster 7) 9 independent assignment/arg-type findings closed via minimal annotations or casts (no behavioural change): - installer/installer_catalog_data.py:450 — cast(str, value) after truthy guard (#1) - core/config.py:115 — pre-declare found_path: Optional[Path] before if/else branch (#4) - core/cli/client.py:46 — declare self._ssl_context: Optional[ ssl.SSLContext] = None before populating in if-branch (#13) - core/cli/output.py:33 — annotate module-level console: Any to bridge the dual-decl Console / FallbackConsole (#14) - core/resources.py:110 — cast(Any, resource_path) so Path() accepts the importlib.resources Traversable that exposes __fspath__ (#17) - core/resilience/circuit_breaker.py:76 — annotate __lock_loop: Optional[asyncio.AbstractEventLoop] = None (#18) - core/dependencies.py:43-44 — annotate rate_limit_tracker / start_rate_limit_cleanup_task as Optional[Any] = None in the import fallback (#29, #30) - core/cli/cli.py:215 — annotate found: list[tuple[str, Optional[str], list[int]]] = [] (#62)