Update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/upload-artifact	action	minor	v4.4.3 -> v4.6.0
certifi	dependencies	minor	2024.8.30 -> 2024.12.14
cgr.dev/chainguard/python	final	digest	2d14d05 -> b4d2208
cgr.dev/chainguard/python	stage	digest	912ce75 -> d1142f4
github/codeql-action	action	minor	v3.27.9 -> v3.28.2
peter-evans/create-pull-request	action	patch	v7.0.5 -> v7.0.6
pydantic (changelog)	dependencies	patch	2.10.3 -> 2.10.5
sqlalchemy (changelog)	dependencies	patch	2.0.36 -> 2.0.37
starlette (changelog)	dependencies	minor	0.41.3 -> 0.45.2
stefanzweifel/git-auto-commit-action	action	minor	v5.0.1 -> v5.1.0
step-security/harden-runner	action	patch	v2.10.2 -> v2.10.4
uvicorn (changelog)	dependencies	minor	0.32.1 -> 0.34.0

---

Release Notes

actions/upload-artifact (actions/upload-artifact)

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in https://github.com/actions/upload-artifact/pull/662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

certifi/python-certifi (certifi)

v2024.12.14

Compare Source

github/codeql-action (github/codeql-action)

v3.28.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.2 - 21 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.1 - 10 Jan 2025

• CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #​2677
• Update default CodeQL bundle version to 2.20.1. #​2678

See the full CHANGELOG.md for more information.

v3.28.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.28.0 - 20 Dec 2024

• Bump the minimum CodeQL bundle version to 2.15.5. #​2655
• Don't fail in the unusual case that a file is on the search path. #​2660.

See the full CHANGELOG.md for more information.

peter-evans/create-pull-request (peter-evans/create-pull-request)

v7.0.6: Create Pull Request v7.0.6

Compare Source

⚙️ Fixes an issue with commit signing where unicode characters in file paths were not preserved.

What's Changed

• build(deps-dev): bump @​vercel/ncc from 0.38.1 to 0.38.2 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3365
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3370
• build(deps): bump @​octokit/plugin-rest-endpoint-methods from 13.2.4 to 13.2.5 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3375
• build(deps-dev): bump @​types/node from 18.19.50 to 18.19.54 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3376
• build(deps): bump @​octokit/plugin-paginate-rest from 11.3.3 to 11.3.5 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3377
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3388
• build(deps-dev): bump @​types/node from 18.19.54 to 18.19.55 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3400
• build(deps): bump @​actions/core from 1.10.1 to 1.11.1 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3401
• build(deps): bump @​octokit/plugin-rest-endpoint-methods from 13.2.5 to 13.2.6 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3403
• build(deps-dev): bump eslint-plugin-import from 2.30.0 to 2.31.0 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3402
• build(deps): bump @​octokit/plugin-throttling from 9.3.1 to 9.3.2 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3404
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3423
• build(deps-dev): bump typescript from 5.6.2 to 5.6.3 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3441
• build(deps): bump undici from 6.19.8 to 6.20.1 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3442
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3451
• build(deps-dev): bump @​types/node from 18.19.55 to 18.19.58 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3457
• build(deps-dev): bump @​types/jest from 29.5.13 to 29.5.14 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3462
• build(deps-dev): bump @​types/node from 18.19.58 to 18.19.60 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3463
• chore: don't bundle undici by @​benmccann in https://github.com/peter-evans/create-pull-request/pull/3475
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3478
• chore: use node-fetch-native support for proxy env vars by @​peter-evans in https://github.com/peter-evans/create-pull-request/pull/3483
• build(deps-dev): bump @​types/node from 18.19.60 to 18.19.64 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3488
• build(deps-dev): bump undici from 6.20.1 to 6.21.0 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3499
• build(deps-dev): bump @​vercel/ncc from 0.38.2 to 0.38.3 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3500
• docs: note push-to-repo classic PAT workflow scope requirement by @​scop in https://github.com/peter-evans/create-pull-request/pull/3511
• docs: spelling fixes by @​scop in https://github.com/peter-evans/create-pull-request/pull/3512
• build(deps-dev): bump typescript from 5.6.3 to 5.7.2 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3516
• build(deps-dev): bump prettier from 3.3.3 to 3.4.0 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3517
• build(deps-dev): bump @​types/node from 18.19.64 to 18.19.66 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3518
• docs(README): clarify that an existing open PR is managed by @​caugner in https://github.com/peter-evans/create-pull-request/pull/3498
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3529
• build(deps): bump @​octokit/plugin-paginate-rest from 11.3.5 to 11.3.6 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3542
• build(deps-dev): bump @​types/node from 18.19.66 to 18.19.67 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3543
• build(deps-dev): bump prettier from 3.4.0 to 3.4.1 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3544
• build(deps-dev): bump eslint-import-resolver-typescript from 3.6.3 to 3.7.0 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3559
• build(deps-dev): bump prettier from 3.4.1 to 3.4.2 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3560
• build(deps-dev): bump @​types/node from 18.19.67 to 18.19.68 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3570
• build(deps): bump p-limit from 6.1.0 to 6.2.0 by @​dependabot in https://github.com/peter-evans/create-pull-request/pull/3578
• Update distribution by @​actions-bot in https://github.com/peter-evans/create-pull-request/pull/3583
• fix: preserve unicode in filepaths when commit signing by @​peter-evans in https://github.com/peter-evans/create-pull-request/pull/3588

New Contributors

• @​benmccann made their first contribution in https://github.com/peter-evans/create-pull-request/pull/3475
• @​scop made their first contribution in https://github.com/peter-evans/create-pull-request/pull/3511
• @​caugner made their first contribution in https://github.com/peter-evans/create-pull-request/pull/3498

Full Changelog: peter-evans/create-pull-request@v7.0.5...v7.0.6

pydantic/pydantic (pydantic)

v2.10.5

Compare Source

GitHub release

What's Changed

• Remove custom MRO implementation of Pydantic models by @​Viicos in #​11184
• Fix URL serialization for unions by @​sydney-runkle in #​11233

v2.10.4

Compare Source

GitHub release

What's Changed

Packaging

• Bump pydantic-core to v2.27.2 by @​davidhewitt in #​11138

Fixes

• Fix for comparison of AnyUrl objects by @​alexprabhat99 in #​11082
• Properly fetch PEP 695 type params for functions, do not fetch annotations from signature by @​Viicos in #​11093
• Include JSON Schema input core schema in function schemas by @​Viicos in #​11085
• Add len to _BaseUrl to avoid TypeError by @​Kharianne in #​11111
• Make sure the type reference is removed from the seen references by @​Viicos in #​11143

New Contributors

• @​FyZzyss made their first contribution in #​10789
• @​tamird made their first contribution in #​10948
• @​felixxm made their first contribution in #​11077
• @​alexprabhat99 made their first contribution in #​11082
• @​Kharianne made their first contribution in #​11111

encode/starlette (starlette)

v0.45.2: Version 0.45.2

Compare Source

Fixed

• Make create_memory_object_stream compatible with old anyio versions once again, and bump anyio minimum version to 3.6.2 by @​graingert in #​2833.

Full Changelog: encode/starlette@0.45.1...0.45.2

v0.45.1: Version 0.45.1

Compare Source

Fixed

• Collect errors more reliably from WebSocket test client by @​graingert in https://github.com/encode/starlette/pull/2814
• Fix unclosed MemoryObjectReceiveStream upon exception in BaseHTTPMiddleware children by @​Kludex in https://github.com/encode/starlette/pull/2813

Refactor

• Use a pair of memory object streams instead of two queues by @​graingert in https://github.com/encode/starlette/pull/2829

---

Full Changelog: encode/starlette@0.45.0...0.45.1

v0.45.0: Version 0.45.0

Compare Source

Removed

• Drop Python 3.8 by @​Kludex in https://github.com/encode/starlette/pull/2823
• Remove ExceptionMiddleware import proxy from starlette.exceptions module by @​Kludex in https://github.com/encode/starlette/pull/2826
• Remove deprecated WS_1004_NO_STATUS_RCVD and WS_1005_ABNORMAL_CLOSURE by @​Kludex in https://github.com/encode/starlette/pull/2827

---

Full Changelog: encode/starlette@0.44.0...0.45.0

v0.44.0: Version 0.44.0

Compare Source

Added

• Add max_part_size parameter to Request.form() by @​iudeen in https://github.com/encode/starlette/pull/2815
• Add client parameter to TestClient by @​iudeen in https://github.com/encode/starlette/pull/2810

New Contributors

• @​iudeen made their first contribution in https://github.com/encode/starlette/pull/2815

Full Changelog: encode/starlette@0.43.0...0.44.0

v0.43.0: Version 0.43.0

Compare Source

Removed

• Remove deprecated allow_redirects argument from TestClient #​2808.

Added

• Make UUID path parameter conversion more flexible #​2806.

---

New Contributors

• @​AbduazizZiyodov made their first contribution in https://github.com/encode/starlette/pull/2799
• @​edthrn made their first contribution in https://github.com/encode/starlette/pull/2806

Full Changelog: encode/starlette@0.42.0...0.43.0

v0.42.0

Compare Source

Added

• Raise ClientDisconnect on StreamingResponse #​2732.

Fixed

• Use ETag from headers when parsing If-Range in FileResponse #​2761.
• Follow directory symlinks in StaticFiles when follow_symlinks=True #​2711.
• Bump minimum python-multipart version to 0.0.18 0ba8395.
• Bump minimum httpx version to 0.27.0 #​2773.

---

New Contributors

• @​logan-connolly made their first contribution in https://github.com/encode/starlette/pull/2763
• @​eltoder made their first contribution in https://github.com/encode/starlette/pull/2768
• @​hanxi made their first contribution in https://github.com/encode/starlette/pull/2711
• @​viccie30 made their first contribution in https://github.com/encode/starlette/pull/2761
• @​dbowring made their first contribution in https://github.com/encode/starlette/pull/2782
• @​lealre made their first contribution in https://github.com/encode/starlette/pull/2793

Full Changelog: encode/starlette@0.41.3...0.42.0

stefanzweifel/git-auto-commit-action (stefanzweifel/git-auto-commit-action)

v5.1.0

Compare Source

Changed

• Include github.actor_id in default commit_author (#​354) @​parkerbxyz

Fixed

• docs(README): fix broken protected branch docs link (#​346) @​scarf005
• Update README.md (#​343) @​Kludex

Dependency Updates

• Bump bats from 1.11.0 to 1.11.1 (#​353) @​dependabot
• Bump github/super-linter from 6 to 7 (#​342) @​dependabot
• Bump github/super-linter from 5 to 6 (#​335) @​dependabot

step-security/harden-runner (step-security/harden-runner)

v2.10.4

Compare Source

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

Compare Source

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

encode/uvicorn (uvicorn)

v0.34.0

Compare Source

Added

• Add content-length to 500 response in wsproto implementation (#​2542)

Removed

• Drop support for Python 3.8 (#​2543)

v0.33.0

Compare Source

Removed

• Remove WatchGod support for --reload (#​2536)

---

Configuration

📅 Schedule: Branch creation - "every 1 hours every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...

Creating virtualenv ms-compitem-crud-9fPGTjUE-py3.13 in /home/ubuntu/.cache/pypoetry/virtualenvs

Because ms-compitem-crud depends on fastapi (0.115.6) which depends on starlette (>=0.40.0,<0.42.0), starlette is required.
So, because ms-compitem-crud depends on starlette (0.45.2), version solving failed.