chore(deps): bump the pip group across 1 directory with 7 updates

[dependabot]

Bumps the pip group with 7 updates in the / directory:

Package	From	To
prefect	2.16.2	2.16.5
aiohttp	3.9.3	3.9.4
idna	3.6	3.7
langchain-core	0.1.27	0.1.35
pillow	10.2.0	10.3.0
sqlparse	0.4.4	0.5.0
tqdm	4.66.1	4.66.3

Updates prefect from 2.16.2 to 2.16.5

Release notes

Sourced from prefect's releases.

Release 2.16.5

Multi-select deletion of flow runs

It is now easier to bulk select and delete flow runs through the UI. Listings of filterable and selectable flow runs (e.g. on the flow runs, flow, and deployment pages) now include a top-level checkbox for (de)selecting all currently filtered flow runs for bulk deletion.

See the following pull request for implementation details:

• PrefectHQ/prefect#12356
• PrefectHQ/prefect-ui-library#2227
• PrefectHQ/prefect#12285

Visualize state changes and artifacts in the UI

Additionally, the flow run graph UI enhancements for visualizing state changes and artifacts added in 2.16.4 are now enabled by default. See the release notes in 2.16.4 for more details!

Full Changelog: PrefectHQ/prefect@2.16.4...2.16.5

---

See the release notes for more!

Release 2.16.4

Flow Run Graph updates

The Flow Run Graph has been updated to display additional layers of information! Interactive and real-time state changes and artifacts are now visible in context on the graph.

These new layers are available for opt-in usage via the PREFECT_EXPERIMENTAL_ENABLE_ARTIFACTS_ON_FLOW_RUN_GRAPH and PREFECT_EXPERIMENTAL_ENABLE_STATES_ON_FLOW_RUN_GRAPH settings.

Agents

A year ago, we released workers as a replacement for agents. Workers significantly enhance the experience of deploying flows and simplify the specification of each flow's infrastructure and runtime environment.

With this release we are adding a six month (September 14) deprecation warning to agents and related concepts. Please note that:

• Deprecation will not impact or break any work running with agents and agent-related concepts - although we encourage users to upgrade to workers because they provide a better deployment experience, you can continue to use existing agents and related concepts after deprecation
• After September 14, Prefect Cloud users will not be able to create new agent work pools or infrastructure blocks
• After September 14, new minor versions of the Prefect Python package will not include agents

Like agents, workers support creating deployments through the Prefect CLI and through Python, but require different syntax. For more information, please refer to the Upgrade from Agents to Workers guide.

Enhancements

• Give better client-side feedback on websocket authT/authZ issues - PrefectHQ/prefect#12221
• Allow table artifact cells to render markdown content - [#2190](https://github.com/PrefectHQ/prefect/issues/2190)
• Add an 'AzureBlobStorageContainer' block - [#139](https://github.com/PrefectHQ/prefect/issues/139)
• API for task run counts by state - PrefectHQ/prefect#12244
• Improved UI handling of custom flow run states. Badges for a state with a custom name will now more closely resemble their underlying state - PrefectHQ/prefect-ui-library#2210 and PrefectHQ/prefect-ui-library#2208

Fixes

• Fix support for legacy schedule in build_from_flow - PrefectHQ/prefect#12257

... (truncated)

Changelog

Sourced from prefect's changelog.

Release 2.16.5

Multi-select deletion of flow runs

It is now easier to bulk select and delete flow runs through the UI. Listings of filterable and selectable flow runs (e.g. on the flow runs, flow, and deployment pages) now include a top-level checkbox for (de)selecting all currently filtered flow runs for bulk deletion.

See the following pull request for implementation details:

• PrefectHQ/prefect#12356
• PrefectHQ/prefect-ui-library#2227
• PrefectHQ/prefect#12285

Visualize state changes and artifacts in the UI

Additionally, the flow run graph UI enhancements for visualizing state changes and artifacts added in 2.16.4 are now enabled by default. See the release notes in 2.16.14 for more details!

Enhancements

• Keep artifacts file in prefect-client — PrefectHQ/prefect#12316
• remove feature flagging around enhanced-deployment-experiment — PrefectHQ/prefect#12360
• Feature : #11773 UI: Add checkboxes for runs for an individual flow to allow multi-selection/-deletion — PrefectHQ/prefect#12285
• Add a capability to verify ssl certificates in Prefect CLI — PrefectHQ/prefect#11771
• Add prefect task-run command group to CLI — PrefectHQ/prefect#12307
• Correct emit background task state change events — PrefectHQ/prefect#12352
• Update CsrfTokenApi to retry failed requests due to invalid tokens — PrefectHQ/prefect#12373

Fixes

• Refactor logic to set task_key for background tasks — PrefectHQ/prefect#12337
• Correct a memory leak with the outbound task run websockets — PrefectHQ/prefect#12346
• Correctly type hint in flow run state change hooks — PrefectHQ/prefect#12231

Experimental

• Create CsrfToken model and utilities — PrefectHQ/prefect#12289
• Create csrf_token endpoint to generate tokens for clients — PrefectHQ/prefect#12297
• Integrate CsrfMiddleware into API server — PrefectHQ/prefect#12303
• Add CSRF support to client — PrefectHQ/prefect#12314
• Return 422 when CSRF is disabled and delete expired tokens — PrefectHQ/prefect#12342
• Add model_dump definition for Pydantic v2 compatibility layer — PrefectHQ/prefect#12345
• Add experimental model_json_schema definition for Pydantic V2 compatibility - PrefectHQ/prefect#12362
• Implement CSRF support in the UI — PrefectHQ/prefect#12354

Documentation

• Add upstream dependencies guide to docs — PrefectHQ/prefect#12351
• Update documentation on event and metric automation triggers — PrefectHQ/prefect#12366
• Add documentation on compound and sequence automation triggers — PrefectHQ/prefect#12374
• Add CSRF settings to common settings section in docs — PrefectHQ/prefect#12376

Uncategorized

• Pin BuildKit to 0.12.5 to fix issue with test image build — PrefectHQ/prefect#12343
• Backporting the Prefect Cloud composite trigger schemas — PrefectHQ/prefect#12378

Contributors

... (truncated)

Commits

• 6d0ad74 Add release notes for 2.16.5 (#12383)
• 6ef2190 Revert "Enhancement: Base client retry on 500 (#12084)" (#12385)
• 20612b5 CSRF is defaulting to False for now (#12386)
• 7193e1e Add experimental model_json_schema function for Pydantic V2 compatibility (...
• b2df34d Attempt to fix agent/work queue test CI flakes (#12375)
• 6e1886e Feature : #11773 UI: Add checkboxes for runs for an indivdual flow to allow m...
• c962546 Backporting the Prefect Cloud composite trigger schemas (#12378)
• 9e79cdc Add a line about appropriate settings for flow run graph layers. (#12380)
• c2416f0 add a capability to verify ssl certificate in Prefect CLI (#11771)
• 1ea9e0e Update @​prefecthq/prefect-ui-library to version 2.6.46 (#12379)
• Additional commits viewable in compare view

Updates aiohttp from 3.9.3 to 3.9.4

Release notes

Sourced from aiohttp's releases.

3.9.4

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: #8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: #8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: #8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: #7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Changelog

Sourced from aiohttp's changelog.

3.9.4 (2024-04-11)

Bug fixes

• The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by :user:webknjaz.

  Related issues and pull requests on GitHub: :issue:8089.

• Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by :user:steverep.

  Related issues and pull requests on GitHub: :issue:8104.

• Improved the DNS resolution performance on cache hit -- by :user:bdraco.

  This is achieved by avoiding an :mod:asyncio task creation in this case.

  Related issues and pull requests on GitHub: :issue:8163.

• Changed the type annotations to allow dict on :meth:aiohttp.MultipartWriter.append, :meth:aiohttp.MultipartWriter.append_json and :meth:aiohttp.MultipartWriter.append_form -- by :user:cakemanny

  Related issues and pull requests on GitHub: :issue:7741.

• Ensure websocket transport is closed when client does not close it -- by :user:bdraco.

  The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

... (truncated)

Commits

• b3397c7 Release v3.9.4 (#8201)
• a7e240a [PR #8320/9ba9a4e5 backport][3.9] Fix Python parser to mark responses without...
• 2833552 Escape filenames and paths in HTML when generating index pages (#8317) (#8319)
• ed43040 [PR #8309/c29945a1 backport][3.9] Improve reliability of run_app test (#8315)
• ec2be05 [PR #8299/28d026eb backport][3.9] Create marker for internal tests (#8307)
• 292d961 [PR #8304/88c80c14 backport][3.9] Check for backports in CI (#8305)
• cebe526 Fix handling of multipart/form-data (#8280) (#8302)
• 270ae9c [PR #8297/d15f07cf backport][3.9] Upgrade to llhttp 9.2.1 (#8292) (#8298)
• bb23105 [PR #8283/54e13b0a backport][3.9] Fix blocking I/O in the event loop while pr...
• 3f79241 [PR #8286/28f1fd88 backport][3.9] docs: remove repetitive word in comment (#8...
• Additional commits viewable in compare view

Updates idna from 3.6 to 3.7

Release notes

Sourced from idna's releases.

v3.7

What's Changed

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7

Changelog

Sourced from idna's changelog.

3.7 (2024-04-11) ++++++++++++++++

• Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Commits

• 1d365e1 Release v3.7
• c1b3154 Merge pull request #172 from kjd/optimize-contextj
• 0394ec7 Merge branch 'master' into optimize-contextj
• cd58a23 Merge pull request #152 from elliotwutingfeng/dev
• 5beb28b More efficient resolution of joiner contexts
• 1b12148 Update ossf/scorecard-action to v2.3.1
• d516b87 Update Github actions/checkout to v4
• c095c75 Merge branch 'master' into dev
• 60a0a4c Fix typo in GitHub Actions workflow key
• 5918a0e Merge branch 'master' into dev
• Additional commits viewable in compare view

Updates langchain-core from 0.1.27 to 0.1.35

Commits

• See full diff in compare view

Updates pillow from 10.2.0 to 10.3.0

Release notes

Sourced from pillow's releases.

10.3.0

https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html

Changes

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [@​hugovk]
• Use functools.lru_cache for hopper() #7912 [@​hugovk]
• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [@​radarhere]
• Improve speed of loading QOI images #7925 [@​radarhere]
• Added RGB to I;16N conversion #7920 [@​radarhere]
• Add --report argument to main.py to omit supported formats #7818 [@​nulano]
• Added RGB to I;16, I;16L and I;16B conversion #7918 [@​radarhere]
• Fix editable installation with custom build backend and configuration options #7658 [@​nulano]
• Fix putdata() for I;16N on big-endian #7209 [@​Yay295]
• Determine MPO size from markers, not EXIF data #7884 [@​radarhere]
• Improved conversion from RGB to RGBa, LA and La #7888 [@​radarhere]
• Support FITS images with GZIP_1 compression #7894 [@​radarhere]
• Use I;16 mode for 9-bit JPEG 2000 images #7900 [@​scaramallion]
• Raise ValueError if kmeans is negative #7891 [@​radarhere]
• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [@​radarhere]
• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [@​radarhere]
• Added reading of JPEG2000 palettes #7870 [@​radarhere]
• Added alpha_quality argument when saving WebP images #7872 [@​radarhere]
• Fixed joined corners for ImageDraw rounded_rectangle() non-integer dimensions #7881 [@​radarhere]
• Removed Python and NumPy pinning on Cygwin #7880 [@​radarhere]
• Update UnidentifiedImageError and version imports #7644 [@​radarhere]
• Stop reading EPS image at EOF marker #7753 [@​radarhere]
• PSD layer co-ordinates may be negative #7706 [@​radarhere]
• Use subprocess with CREATE_NO_WINDOW flag in ImageShow WindowsViewer #7791 [@​radarhere]
• When saving GIF frame that restores to background color, do not fill identical pixels #7788 [@​radarhere]
• Fixed reading PNG iCCP compression method #7823 [@​radarhere]
• Allow writing IFDRational to UNDEFINED tag #7840 [@​radarhere]
• Fix logged tag name when loading Exif data #7842 [@​radarhere]
• Use maximum frame size in IHDR chunk when saving APNG images #7821 [@​radarhere]
• Prevent opening P TGA images without a palette #7797 [@​radarhere]
• Use palette when loading ICO images #7798 [@​radarhere]
• Use consistent arguments for load_read and load_seek #7713 [@​radarhere]
• Turn off nullability warnings for macOS SDK #7827 [@​radarhere]
• Fix shift-sign issue in Convert.c #7838 [@​r-barnes]
• winbuild: Refactor dependency versions into constants #7843 [@​hugovk]
• Build macOS arm64 wheels natively #7852 [@​radarhere]
• Fixed typo #7855 [@​radarhere]
• Open 16-bit grayscale PNGs as I;16 #7849 [@​radarhere]
• Handle truncated chunks at the end of PNG images #7709 [@​lajiyuan]
• Match mask size to pasted image size in GifImagePlugin #7779 [@​radarhere]
• Changed SupportsGetMesh protocol to be public #7841 [@​radarhere]
• Release GIL while calling WebPAnimDecoderGetNext #7782 [@​evanmiller]
• Fixed reading FLI/FLC images with a prefix chunk #7804 [@​twolife]
• Updated package name for Tidelift #7810 [@​radarhere]
• Removed unused code #7744 [@​radarhere]

... (truncated)

Changelog

Sourced from pillow's changelog.

10.3.0 (2024-04-01)

• CVE-2024-28219: Use strncpy to avoid buffer overflow #7928 [radarhere, hugovk]

• Deprecate eval(), replacing it with lambda_eval() and unsafe_eval() #7927 [radarhere, hugovk]

• Raise ValueError if seeking to greater than offset-sized integer in TIFF #7883 [radarhere]

• Add --report argument to __main__.py to omit supported formats #7818 [nulano, radarhere, hugovk]

• Added RGB to I;16, I;16L, I;16B and I;16N conversion #7918, #7920 [radarhere]

• Fix editable installation with custom build backend and configuration options #7658 [nulano, radarhere]

• Fix putdata() for I;16N on big-endian #7209 [Yay295, hugovk, radarhere]

• Determine MPO size from markers, not EXIF data #7884 [radarhere]

• Improved conversion from RGB to RGBa, LA and La #7888 [radarhere]

• Support FITS images with GZIP_1 compression #7894 [radarhere]

• Use I;16 mode for 9-bit JPEG 2000 images #7900 [scaramallion, radarhere]

• Raise ValueError if kmeans is negative #7891 [radarhere]

• Remove TIFF tag OSUBFILETYPE when saving using libtiff #7893 [radarhere]

• Raise ValueError for negative values when loading P1-P3 PPM images #7882 [radarhere]

• Added reading of JPEG2000 palettes #7870 [radarhere]

• Added alpha_quality argument when saving WebP images #7872 [radarhere]

... (truncated)

Commits

• 5c89d88 10.3.0 version bump
• 63cbfcf Update CHANGES.rst [ci skip]
• 2776126 Merge pull request #7928 from python-pillow/lcms
• aeb51cb Merge branch 'main' into lcms
• 5beb0b6 Update CHANGES.rst [ci skip]
• cac6ffa Merge pull request #7927 from python-pillow/imagemath
• f5eeeac Name as 'options' in lambda_eval and unsafe_eval, but '_dict' in deprecated eval
• facf3af Added release notes
• 2a93aba Use strncpy to avoid buffer overflow
• a670597 Update CHANGES.rst [ci skip]
• Additional commits viewable in compare view

Updates sqlparse from 0.4.4 to 0.5.0

Changelog

Sourced from sqlparse's changelog.

Release 0.5.0 (Apr 13, 2024)

Notable Changes

• Drop support for Python 3.5, 3.6, and 3.7.
• Python 3.12 is now supported (pr725, by hugovk).
• IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion error for deeply nested statements. Instead of recursion error a generic SQLParseError is raised. See the security advisory for details: GHSA-2m57-hf25-phgg The vulnerability was discovered by @​uriyay-jfrog. Thanks for reporting!

Enhancements:

• Splitting statements now allows to remove the semicolon at the end. Some database backends love statements without semicolon (issue742).
• Support TypedLiterals in get_parameters (pr749, by Khrol).
• Improve splitting of Transact SQL when using GO keyword (issue762).
• Support for some JSON operators (issue682).
• Improve formatting of statements containing JSON operators (issue542).
• Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
• Support parsing of OVER clause (issue701, pr768 by r33s3n6).

Bug Fixes

• Ignore dunder attributes when creating Tokens (issue672).
• Allow operators to precede dollar-quoted strings (issue763).
• Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
• Thread-safe initialization of Lexer class (issue730).
• Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719 by josuc1, thanks for bringing this up!).
• Fix parsing of PRIMARY KEY (issue740).

Other

• Optimize performance of matching function (pr799, by admachainz).

Commits

• ddbd0ec Bump version.
• 29f2e0a Raise recursion limit for tests.
• b4a39d9 Raise SQLParseError instead of RecursionError.
• f1bcf2f Update AUHTORS and Changelog.
• e03b74e Fix Function.get_parameters(), add Funtion.get_window()
• 617b8f6 Add OVER clause, and group it into Function (fixes #701)
• d8f8147 Update AUHTORS and Changelog.
• 012c9f1 Optimize sqlparse.utils.imt().
• 46971e5 Fix parsing of PRIMARY KEY (fixes #740).
• fc4b0be Code cleanup.
• Additional commits viewable in compare view

Updates tqdm from 4.66.1 to 4.66.3

Release notes

Sourced from tqdm's releases.

tqdm v4.66.3 stable

• cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p)

tqdm v4.66.2 stable

• pandas: add DataFrame.progress_map (#1549)
• notebook: fix HTML padding (#1506)
• keras: fix resuming training when verbose>=2 (#1508)
• fix format_num negative fractions missing leading zero (#1548)
• fix Python 3.12 DeprecationWarning on import (#1519)
• linting: use f-strings (#1549)
• update tests (#1549)
  • fix pandas warnings
  • fix asv (airspeed-velocity/asv#1323)
  • fix macos notebook docstring indentation
• CI: bump actions (#1549)

Commits

• 4e613f8 Merge pull request from GHSA-g7vv-2v7x-gj9p
• b53348c cli: eval safety
• cc372d0 bump version, merge pull request #1549 from tqdm/devel
• e9f0c05 use PyPI trusted publishing
• 7323d5b slight makefile clean
• 5306125 tests: bump pre-commit
• 4a6fd4f fix datetime.utcfromtimestamp py3.12 warning (#1519)
• 6f13759 tests: fix macos notebook indentation
• 3abcd2a tests: fix asv
• a4d15c8 tests: fix pandas warnings
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
vortex	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 3, 2024 10:14pm

[dependabot]

Superseded by #32.