Bump the minor-patch group with 4 updates

[dependabot]

Bumps the minor-patch group with 4 updates: lxml, pydantic, pydantic-settings and ruff.

Updates lxml from 6.0.4 to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

• GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

• The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

• LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

Commits

• 43722f4 Update changelog.
• 8747040 Name version of option change in docstring.
• 6c36e6c Fix pypistats URL in download statistics script.
• c7d76d6 Change security policy to point to Github security advisories.
• 378ccf8 Update project income report.
• 315270b Docs: Reduce TOC depth of package pages and move module contents first.
• 6dbba7f Docs: Show current year in copyright line.
• e4385bf Update project income report.
• 5bed1e1 Validate file hashes in release download script.
• c13ee10 Prepare release of 6.1.0.
• Additional commits viewable in compare view

Updates pydantic from 2.13.0 to 2.13.3

Release notes

Sourced from pydantic's releases.

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

Changelog

Sourced from pydantic's changelog.

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Commits

• 9e9a111 Fix backported test
• 1ec8c6a Prepare release v2.13.3
• fb4f204 Handle AttributeError subclasses with from_attributes
• ca3ddd1 Prepare release v2.13.2
• 000e823 Fix ValidationInfo.field_name missing with model_validate_json()
• d45d8be Prepare release 2.13.1
• 54aca60 Fix ValidationInfo.data missing with model_validate_json()
• See full diff in compare view

Updates pydantic-settings from 2.13.1 to 2.14.0

Release notes

Sourced from pydantic-settings's releases.

v2.14.0

What's Changed

• Fix parsing env vars into Optional Strict types by @​hramezani in pydantic/pydantic-settings#792
• Fix RecursionError with mutually recursive models in CLI by @​hramezani in pydantic/pydantic-settings#794
• Fix env_file from model_config ignored in CliApp.run() (#795) by @​hramezani in pydantic/pydantic-settings#796
• Update dependencies by @​hramezani in pydantic/pydantic-settings#798
• Add Dependabot configuration by @​hramezani in pydantic/pydantic-settings#801
• Bump samuelcolvin/check-python-version from 4.1 to 5 by @​dependabot[bot] in pydantic/pydantic-settings#802
• Bump actions/upload-artifact from 4 to 7 by @​dependabot[bot] in pydantic/pydantic-settings#803
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in pydantic/pydantic-settings#804
• Bump astral-sh/setup-uv from 5 to 7 by @​dependabot[bot] in pydantic/pydantic-settings#805
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in pydantic/pydantic-settings#806
• Ignore chardet and group GitHub Actions in Dependabot by @​hramezani in pydantic/pydantic-settings#808
• Bump actions/download-artifact from 4 to 8 in the github-actions group by @​dependabot[bot] in pydantic/pydantic-settings#809
• Bump the python-packages group with 2 updates by @​dependabot[bot] in pydantic/pydantic-settings#810
• Support reading .env files from FIFOs (e.g. 1Password Environments) by @​JacobHayes in pydantic/pydantic-settings#776
• Fix AliasChoices ignored when changing provider priority by @​hramezani in pydantic/pydantic-settings#813
• fix: resolve KeyError in run_subcommand for underscore field names by @​bradykieffer in pydantic/pydantic-settings#799
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#814
• Fix Literal[numeric Enum] coercion for CLI and env vars by @​m9810223 in pydantic/pydantic-settings#811
• Fix nested discriminated unions not discovered by env/CLI providers by @​hramezani in pydantic/pydantic-settings#816
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#820
• CLI ensure env nested max split internally. by @​kschwab in pydantic/pydantic-settings#821
• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#824
• Migrate boto3-stubs to types-boto3 by @​hramezani in pydantic/pydantic-settings#831
• Fix CLI not recognizing field name with validate_by_name and AliasChoices by @​hramezani in pydantic/pydantic-settings#826
• Allow customisation of the dotevn setting source to filter variables by @​CaselIT in pydantic/pydantic-settings#832
• Bump the python-packages group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#833
• Introduce yamlfmt by @​Viicos in pydantic/pydantic-settings#836
• Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group by @​dependabot[bot] in pydantic/pydantic-settings#837
• Introduce zizmor by @​Viicos in pydantic/pydantic-settings#838
• Fix CliPositionalArg[list[CustomType]] crash for custom types by @​hramezani in pydantic/pydantic-settings#839
• Add note about Mypy plugin for BaseSettings.__init__() by @​Viicos in pydantic/pydantic-settings#842
• Fix cli_ignore_unknown_args=True not working on subcommands by @​hramezani in pydantic/pydantic-settings#844
• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#847
• Fix CLI descriptions lost under python -OO by falling back to json_schema_extra by @​hramezani in pydantic/pydantic-settings#843
• Prepare release 2.14.0 by @​hramezani in pydantic/pydantic-settings#848

New Contributors

• @​dependabot[bot] made their first contribution in pydantic/pydantic-settings#802
• @​JacobHayes made their first contribution in pydantic/pydantic-settings#776
• @​bradykieffer made their first contribution in pydantic/pydantic-settings#799
• @​CaselIT made their first contribution in pydantic/pydantic-settings#832

Full Changelog: pydantic/pydantic-settings@v2.13.1...v2.14.0

Commits

• 8916bee Prepare release 2.14.0 (#848)
• 39e551c Fix CLI descriptions lost under python -OO by falling back to `json_schema_...
• 9ed7f48 Bump the python-packages group with 4 updates (#847)
• 617c690 Fix cli_ignore_unknown_args=True not working on subcommands (#844)
• 577c05f Add note about Mypy plugin for BaseSettings.__init__() (#842)
• 2355bc5 Fix CliPositionalArg[list[CustomType]] crash for custom types (#839)
• 16bd6fd Introduce zizmor (#838)
• df8b239 Bump boto3 from 1.42.82 to 1.42.83 in the python-packages group (#837)
• c5401a2 Introduce yamlfmt (#836)
• 953e28e Bump the python-packages group with 3 updates (#833)
• Additional commits viewable in compare view

Updates ruff from 0.15.10 to 0.15.11

Release notes

Sourced from ruff's releases.

0.15.11

Release Notes

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#24666)
• Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

Install ruff 0.15.11

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ruff/releases/download/0.15.11/ruff-installer.ps1 | iex"

Download ruff 0.15.11

File	Platform	Checksum
ruff-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ruff-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
ruff-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
ruff-i686-pc-windows-msvc.zip	x86 Windows	checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.11

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#24666)
• Update Neovim config examples to use vim.lsp.config (#24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

Commits

• 53554b1 Bump 0.15.11 (#24678)
• 08c56c8 Factor out the mdtest crate (#24616)
• 725fbb7 [ty] Use partially qualified names when reporting diagnostics regarding bad c...
• ddd6a30 [ty] Do not suggest argument completion when at value of keyword argument (#2...
• 9282e61 Disallow @​disjoint_base on TypedDicts and Protocols (#24671)
• e9986d8 [ty] Reject using properties with Never setters or deleters (#24510)
• 9cf212f [ty] Normalize property setter and deleter wrappers (#24509)
• 12a1589 Add override mention to ASYNC109 docs (#24666)
• dccb03d [ty] Avoid panicking on overloaded Callable type context (#24661)
• 61f9a0a [ty] Sync vendored typeshed stubs (#24646)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions