Bump the minor-and-patch group across 1 directory with 6 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
requests	2.33.1	2.34.2
ruff	0.13.2	0.15.17
tox	4.30.2	4.55.1
tox-uv	1.28.0	1.35.2
types-requests	2.32.4.20250913	2.33.0.20260518
types-deprecated	1.2.15.20250304	1.3.1.20260520

Updates requests from 2.33.1 to 2.34.2

Release notes

Sourced from requests's releases.

v2.34.2

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2342-2026-05-14

v2.34.1

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

New Contributors

• @​k223kim made their first contribution in psf/requests#7433

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2341-2026-05-13

v2.34.0

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The

... (truncated)

Changelog

Sourced from requests's changelog.

2.34.2 (2026-05-14)

• Moved headers input type back to Mapping to avoid invariance issues with MutableMapping and inferred dict types. Users calling Request.headers.update() may need to narrow typing in their code. (#7441)

2.34.1 (2026-05-13)

Bugfixes

• Widened json input type from dict and list to Mapping and Sequence. (#7436)
• Changed headers input type to MutableMapping and removed None from Request.headers typing to improve handling for users. (#7431)
• Response.reason moved from str | None to str to improve handling for users. (#7437)
• Fixed a bug where some bodies with custom __getattr__ implementations weren't being properly detected as Iterables. (#7433)

2.34.0 (2026-05-11)

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by typeshed. Public API types should be fully compatible with mypy, pyright, and ty. We believe types are comprehensive but if you find issues, please report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for helping review and test the types ahead of the release. (#7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify security considerations. (#7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects should be able to start testing prior to its release in October. (#7422)
• Requests added support for Python 3.14t. (#7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing accidental looping when traversing the history list. (#7328)
• Requests no longer performs greedy matching on no_proxy domains. The proxy_bypass implementation has been updated with CPython's fix from bpo-39057. (#7427)
• Requests no longer incorrectly strips duplicate leading slashes in URI paths. This should address user issues with specific presigned URLs. Note the full fix requires urllib3 2.7.0+. (#7315)

Commits

• 6e83187 v2.34.2
• 84d10f0 Move Request.headers back to Mapping (#7441)
• b7b549b v2.34.1
• e511bc7 Fix mutability issues with headers input types (#7431)
• 5691f59 Update JsonType containers to read-based collections (#7436)
• 2144213 Constrain Response.reason to str (#7437)
• 6404f34 Fix prepare_body stream detection for __getattr__-based file wrappers (#7...
• 0b401c7 v2.34.0
• 86b378d Align Session.get parameters with requests.get (#7429)
• a4f9a59 Port bpo-39057 to Requests (#7427)
• Additional commits viewable in compare view

Updates ruff from 0.13.2 to 0.15.17

Release notes

Sourced from ruff's releases.

0.15.17

Release Notes

Released on 2026-06-11.

Preview features

• Allow human-readable names in suppression comments (#25614)
• Fix handling of ignore comments within a disable/enable pair (#25845)
• Prioritize human-readable names in CLI output (#25869)
• Respect diagnostic start and parent ranges and trailing comments in ruff:ignore suppressions (#25673)
• [flake8-async] Add trio.as_safe_channel to safe decorators (ASYNC119) (#25775)
• [flake8-pytest-style] Also check pytest_asyncio fixtures (#25375)
• [ruff] Ban pytest autouse fixtures (RUF076) (#25477)
• [pyupgrade] Add from __future__ import annotations automatically (UP007, UP045) (#23259)

Bug fixes

• Fix diagnostic when ruff:enable or ruff:disable appears where ruff:ignore is expected (#25700)
• [pyupgrade] Preserve leading empty literals to avoid syntax errors (UP032) (#25491)

Rule changes

• [flake8-pytest-style] Clarify diagnostic message for single parameters (PT007) (#25592)
• [numpy] Drop autofix for np.in1d (NPY201) (#25612)
• [pylint] Exempt Python version comparisons (PLR2004) (#25743)

Performance

• Reserve AST Vecs with correct capacity for common cases (#25451)

Formatter

• Preserve whitespace for Quarto cell option comments (#25641)

CLI

• Allow rule names in ruff rule (#25640)

Other changes

• Fix playground diagnostics scrollbars (#25642)

Contributors

• @​SuryanshSS1011
• @​anishgirianish
• @​romero-deshaw
• @​karlhillx
• @​carljm

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.17

Released on 2026-06-11.

Preview features

• Allow human-readable names in suppression comments (#25614)
• Fix handling of ignore comments within a disable/enable pair (#25845)
• Prioritize human-readable names in CLI output (#25869)
• Respect diagnostic start and parent ranges and trailing comments in ruff:ignore suppressions (#25673)
• [flake8-async] Add trio.as_safe_channel to safe decorators (ASYNC119) (#25775)
• [flake8-pytest-style] Also check pytest_asyncio fixtures (#25375)
• [ruff] Ban pytest autouse fixtures (RUF076) (#25477)
• [pyupgrade] Add from __future__ import annotations automatically (UP007, UP045) (#23259)

Bug fixes

• Fix diagnostic when ruff:enable or ruff:disable appears where ruff:ignore is expected (#25700)
• [pyupgrade] Preserve leading empty literals to avoid syntax errors (UP032) (#25491)

Rule changes

• [flake8-pytest-style] Clarify diagnostic message for single parameters (PT007) (#25592)
• [numpy] Drop autofix for np.in1d (NPY201) (#25612)
• [pylint] Exempt Python version comparisons (PLR2004) (#25743)

Performance

• Reserve AST Vecs with correct capacity for common cases (#25451)

Formatter

• Preserve whitespace for Quarto cell option comments (#25641)

CLI

• Allow rule names in ruff rule (#25640)

Other changes

• Fix playground diagnostics scrollbars (#25642)

Contributors

• @​SuryanshSS1011
• @​anishgirianish
• @​romero-deshaw
• @​karlhillx
• @​carljm
• @​ntBre

... (truncated)

Commits

• 7c645a9 Bump 0.15.17 (#25872)
• f381eb1 Prioritize human-readable names in CLI output (#25869)
• b9b4546 Minor workflow simplification (#25870)
• 1e77ba0 [ty] Move PreformattedBlockScanner to format-agnostic location. (#25856)
• 6f2b772 [ty] Preserve nominal type of enum.property instances (#25849)
• be4777c [ty] Fix site-package error when multiple versions of pythons are installed i...
• 53f6ff7 Allow human-readable names in suppression comments (#25614)
• 6740325 [ty] Restrict uncached raw signature access (#25866)
• 970b1bf Auto-update snapshots when syncing typeshed (#25841)
• 0785793 Fix handling of ignore comments within a disable/enable pair (#25845)
• Additional commits viewable in compare view

Updates tox from 4.30.2 to 4.55.1

Release notes

Sourced from tox's releases.

v4.55.1

What's Changed

• 🐛 fix(config): propagate overrides through config references by @​tales-aparecida in tox-dev/tox#3951

New Contributors

• @​tales-aparecida made their first contribution in tox-dev/tox#3951

Full Changelog: tox-dev/tox@4.55.0...4.55.1

v4.55.0

What's Changed

• 👷 ci(schemastore): sync fork before pushing branch by @​gaborbernat in tox-dev/tox#3942
• feat: Also pass TERMINFO when in an interactive shell by @​edgarrmondragon in tox-dev/tox#3946
• 🐛 fix(pip): skip constrain_package_deps when constraints is set by @​gaborbernat in tox-dev/tox#3948

Full Changelog: tox-dev/tox@4.54.0...4.55.0

v4.54.0

What's Changed

• 🧪 test(conftest): strip broken nspkg.pth files under py3.15 by @​gaborbernat in tox-dev/tox#3937
• ✨ feat(packaging): declare tox.pytest deps via a testing extra by @​gaborbernat in tox-dev/tox#3940
• 🐛 fix(schema): cover every replace form in the TOML schema by @​gaborbernat in tox-dev/tox#3941

Full Changelog: tox-dev/tox@4.53.1...4.54.0

v4.53.1

What's Changed

• 🐛 fix(security): harden user-facing logs and untrusted inputs by @​gaborbernat in tox-dev/tox#3924
• 🐛 fix(type): correct argparse override signatures for ty 0.0.33 by @​gaborbernat in tox-dev/tox#3932
• fix: allow deps arrays in TOML schema by @​cyphercodes in tox-dev/tox#3931

New Contributors

• @​cyphercodes made their first contribution in tox-dev/tox#3931

Full Changelog: tox-dev/tox@4.53.0...4.53.1

v4.53.0

What's Changed

... (truncated)

Changelog

Sourced from tox's changelog.

Bug fixes - 4.55.1

• TOX_OVERRIDE (and -x/--override) now propagates through configuration references. Previously, overriding a base value that was later referenced via {[section]key} (ini) or {replace = "ref", of = [...]} (toml) was ignored because reference resolution read the raw file value, bypassing the override system - by :user:tales-aparecida. (:issue:3950) (:issue:3950)

---

v4.55.0 (2026-05-28)

---

Features - 4.55.0

• Automatically pass the TERMINFO environment variable to tox subprocesses if the output is a TTY. This variable is used by Ghostty to communicate terminal capabilities to programs. (:issue:3946)

Bug fixes - 4.55.0

• When the constraints configuration option is set, constrain_package_deps and use_frozen_constraints are now ignored. Previously, both the user-provided constraints file and the auto-generated constraints file were passed to pip during install_package_deps, which could cause resolver conflicts when the same package appeared in both files - by :user:gaborbernat. (:issue:3945) (:issue:3945)

---

v4.54.0 (2026-05-12)

---

Features - 4.54.0

• Declare the runtime dependencies of the tox.pytest plugin (pytest, devpi-process and pytest-mock) under a new testing extra, so plugin authors can pull them in via tox[testing] - by :user:gaborbernat. (:issue:3938, :issue:3940)

Bug fixes - 4.54.0

• Extend the generated TOML schema to cover every replace table form (env, ref, posargs, glob, if), including conditional replacements used inside commands. A guard test asserts the schema stays in sync with the loader implementation so future replace types cannot be added without a corresponding schema entry. (:issue:3939)

---

v4.53.1 (2026-05-02)

---

Bug fixes - 4.53.1

... (truncated)

Commits

• 7ebde0c release 4.55.1
• 9ac5479 🐛 fix(config): propagate overrides through config references (#3951)
• 28972a9 [pre-commit.ci] pre-commit autoupdate (#3949)
• 928b7f0 release 4.55.0
• a43427f 🐛 fix(pip): skip constrain_package_deps when constraints is set (#3948)
• 27b68b3 [pre-commit.ci] pre-commit autoupdate (#3947)
• 4e6627c feat: Also pass TERMINFO when in an interactive shell (#3946)
• 10c431c [pre-commit.ci] pre-commit autoupdate (#3943)
• c86e876 👷 ci(schemastore): sync fork before pushing branch (#3942)
• 1f1fcc7 release 4.54.0
• Additional commits viewable in compare view

Updates tox-uv from 1.28.0 to 1.35.2

Release notes

Sourced from tox-uv's releases.

1.35.2

What's Changed

• Honor constraints opt for all packages by @​stephenfin in tox-dev/tox-uv#332
• 🐛 fix(lock): honor --recreate in uv-venv-lock-runner by @​gaborbernat in tox-dev/tox-uv#338

New Contributors

• @​stephenfin made their first contribution in tox-dev/tox-uv#332

Full Changelog: tox-dev/tox-uv@1.35.1...1.35.2

1.35.1

What's Changed

• fix(lock-runner): respect UV_FROZEN env var and --frozen in uv_sync_flags by @​alexholtz in tox-dev/tox-uv#327

New Contributors

• @​alexholtz made their first contribution in tox-dev/tox-uv#327

Full Changelog: tox-dev/tox-uv@1.35.0...1.35.1

1.35.0

What's Changed

• Add machine and architecture handling to version spec by @​griels in tox-dev/tox-uv#321
• 🐛 fix(installer): invalidate install cache on UV_* env var changes by @​gaborbernat in tox-dev/tox-uv#325

New Contributors

• @​griels made their first contribution in tox-dev/tox-uv#321

Full Changelog: tox-dev/tox-uv@1.34.0...1.35.0

1.34.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/tox-uv#317
• ✨ feat(runner): add PEP 723 inline script metadata support by @​gaborbernat in tox-dev/tox-uv#319

Full Changelog: tox-dev/tox-uv@1.33.4...1.34.0

1.33.4

What's Changed

• 🐛 fix(meta): remove tox_uv namespace conflict by @​gaborbernat in tox-dev/tox-uv#314

... (truncated)

Commits

• 595721d 🐛 fix(lock): honor --recreate in uv-venv-lock-runner (#338)
• 1026808 [pre-commit.ci] pre-commit autoupdate (#337)
• 3f7ea4d [pre-commit.ci] pre-commit autoupdate (#334)
• f976fc1 build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 (#333)
• c0fabe3 Honor constraints opt for all packages (#332)
• d4aa96d [pre-commit.ci] pre-commit autoupdate (#331)
• ac78519 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#329)
• 8bab9b8 [pre-commit.ci] pre-commit autoupdate (#328)
• 8b0497e fix(lock-runner): respect UV_FROZEN env var and --frozen in uv_sync_flags (#327)
• ad30d57 build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 (#324)
• Additional commits viewable in compare view

Updates types-requests from 2.32.4.20250913 to 2.33.0.20260518

Commits

• See full diff in compare view

Updates types-deprecated from 1.2.15.20250304 to 1.3.1.20260520

Commits

• See full diff in compare view

[cursor]

PR Summary

Medium Risk
Bumps the core HTTP client (requests 2.34.x with new inline types and behavior fixes) while also upgrading Ruff across minor versions; no app code changed, so risk is mainly resolver/CI and subtle HTTP or typing regressions.

Overview
Dependency-only update: pyproject.toml widens the runtime requests constraint from ~=2.33.0 to >=2.33,<2.35, and uv.lock is refreshed so resolved requests moves 2.33.1 → 2.34.2 along with dev tools (ruff 0.13.2 → 0.15.16, tox 4.30.2 → 4.55.1, tox-uv 1.28.0 → 1.35.2, plus types-requests / types-deprecated stubs). Lockfile churn also reflects transitive updates (e.g. tox dropping chardet, adding tomli-w / python-discovery, tox-uv split into tox-uv + tox-uv-bare).

No library source changes; HTTP still goes through requests in dune_client/api/base.py. Reviewers should rely on CI/tox after the ruff major jump and confirm requests 2.34 typing/runtime behavior with mypy if types are strict.

^{Reviewed by Cursor Bugbot for commit c9ac9dc. Configure here.}

[bh2smith]

@dependabot rebase on latest main

[dependabot]

Looks like this PR is already up-to-date with main! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

[bh2smith]

@dependabot recreate

[bh2smith]

@cursor Can you fix the lint errors in this failing CI from this failed job: https://github.com/duneanalytics/dune-client/actions/runs/27761925587/job/82138298203?pr=207

[cursor]

Fixed — I pulled the failed job log and addressed the exact lint violation it reported.

What was failing

CI lint-format-types (3.13) failed on:

• FURB110 in dune_client/api/base.py:202
• Ruff requested replacing a ternary with or

Change made

In dune_client/api/base.py, I changed:

• **headers if headers else {}
• to **(headers or {})

inside the _post request headers merge.

Verification

Ran the same checks from CI locally:

• make fmt-check
• make lint

Both pass now.

The fix has been committed and pushed on the PR branch (c72aacd).