build(deps): bump the python-deps group across 1 directory with 23 updates

[dependabot]

Bumps the python-deps group with 22 updates in the / directory:

Package	From	To
redis	6.4.0	7.1.0
dynaconf	3.2.11	3.2.12
securesystemslib	1.3.0	1.3.1
sqlalchemy	2.0.43	2.0.44
psycopg2	2.9.10	2.9.11
alembic	1.16.4	1.17.2
pydantic	2.11.7	2.12.5
celery	5.5.3	5.6.0
boto3	1.40.16	1.42.0
awswrangler	3.12.1	3.14.0
sigstore	3.6.5	4.1.0
google-cloud-kms	3.5.1	3.7.0
tox	4.28.4	4.32.0
coverage	7.10.5	7.12.0
black	25.1.0	25.11.0
isort	6.0.1	7.0.0
mypy	1.17.1	1.19.0
pytest	8.4.1	9.0.1
pytest-cov	6.2.1	7.0.0
sphinxcontrib-plantuml	0.30	0.31
pre-commit	4.3.0	4.5.0
bandit	1.8.6	1.9.2

Updates redis from 6.4.0 to 7.1.0

Release notes

Sourced from redis's releases.

7.1.0

Changes

🚀 New Features

• Adding MSETEX command support. (#3823)
• Adding CLAIM option to XREADGROUP command + unit tests (#3825)
• Apply routing and response aggregation policies in OSS Cluster mode (#3834)

🧪 Experimental Features

• Adding support for CAS/CAD commands. (#3837)
• Adding support for HYBRID search. (#3813 #3843)

🔥 Breaking changes (in experimental features)

• Replace default health check and failure detector with custom (#3822)

🐛 Bug Fixes

• Add **options to parse functions for sentinel (#3831)
• Generating unique command cache key (#3765)

🧰 Maintenance

• Adding Redis 8.4 RC1 image to test matrix. (#3820)
• Remove Python 3.9 support. Add Python 3.14 support. (#3814)
• Sync readme with 7.0.1 and update lib version to latest stable released version - 7.0.1 (#3821)
• Bump rojopolis/spellcheck-github-actions from 0.52.0 to 0.53.0 (#3827)
• Bump actions/upload-artifact from 4 to 5 (#3828)
• Bump github/codeql-action from 3 to 4 (#3829)
• Fixing flaky tests (#3833 #3838)
• Update 8.4 RC image tag to 8.4-RC1-pre.2 for pipeline test matrix (#3832)
• Add missing f-string when returning an error. (#3841)
• Adding latest 8.4 image to test matrix. Updating the Hybrid VSIM query format to be in sync with spec after srv issue was fixed. (#3843)
• Expand cluster READ_COMMANDS with additional read-only commands and reorganize the list of commands by category (#3845)
• Update Type Hints for List Command Parameters from str to KeyT (#3848)
• Changing log level to be debug for failed maintenance notification enablement when enabled='auto' (#3851)
• Added custom event handler section (#3853)
• Changing current version to 8.4 as it is already GA (#3854)

We'd like to thank all the contributors who worked on this release! @​ShubhamKaudewar @​matthewwiese @​peperon @​vladvildanov @​petyaslavova

7.0.1

Changes

This release adds small fixes related to documentation.

🧰 Maintenance

• Add 'multi_database' section to documentation index (313d93f)
• Revised multi-database client documentation(78df745)
• Adding info about Multi-database client in README.md (3f7a55e)

... (truncated)

Commits

• f7c1755 Changing current version to 8.4 as it is already GA (#3854)
• 2235cc7 Added custom event handler section (#3853)
• 8cc50a5 Changing log level to be debug for failed maintenance notification enablement...
• d1769a2 #3612 Generating unique command cache key (#3765)
• b49dce1 Update Type Hints for List Command Parameters from str to KeyT (#3848)
• 46ff042 Expand cluster READ_COMMANDS with additional read-only commands and reorganiz...
• dc47675 Updating lib version to 7.1.0 and added note in README that Python 3.9 suppor...
• f026c1e Adding latest 8.4 image to test matrix. Updating the Hybrid VSIM query format...
• a5ab18f Adding support for HYBRID search. (#3813)
• e6fb505 Adding support for CAS/CAD commands. (#3837)
• Additional commits viewable in compare view

Updates dynaconf from 3.2.11 to 3.2.12

Release notes

Sourced from dynaconf's releases.

3.2.12

What's Changed

• Incremental improvment to access performance by @​pedro-psb in dynaconf/dynaconf#1304
• fix: get method to return Any type. by @​rochacbruno in dynaconf/dynaconf#1314
• perf: add lru caching to find_the_correct_casing function by @​pedro-psb in dynaconf/dynaconf#1326

Full Changelog: dynaconf/dynaconf@3.2.11...3.2.12

Changelog

Sourced from dynaconf's changelog.

3.2.12 - 2025-10-10

Bug Fixes

• get method to return Any type.. By Bruno Rocha.
• remove unnecessary recursive evaluation call on Settings.get. By Pedro Brochado.
• improve performance of settings access in a loop (part 1). By Pedro Brochado.

Commits

• 7606f35 Release version 3.2.12
• da44e51 perf: add lru caching to find_the_correct_casing function (#1326)
• b75eda0 fix: get method to return Any type.
• 4f3df1a misc: add some profile/perf scripts
• 420aceb refactor: merge safe{get,copy} into .get and .copy
• 18c0c84 fix: remove unnecessary recursive evaluation call on Settings.get
• 0fde96f refactor: rewrite decorator as explicit call
• 52efd9e Bump to version 3.2.12-dev0
• See full diff in compare view

Updates securesystemslib from 1.3.0 to 1.3.1

Release notes

Sourced from securesystemslib's releases.

v1.3.1

See CHANGELOG.md for details.

Changelog

Sourced from securesystemslib's changelog.

securesystemslib v1.3.1

Fixed

• AWSSigner: Don't send payload to AWS for signing, send hash only (#1026)
• Set Development status classifier to "production/stable" in Python packaging (#1030)

Internals

• Minor infrastructure changes (#1005, #1013)

Commits

• 6f77419 Merge pull request #1030 from jku/release-prep-1.3.1
• b71cc52 Prepare release 1.3.1
• f683509 Merge pull request #1026 from ArkadiuszNitkaSWI/fix-aws-signer
• 9752719 Merge pull request #1027 from secure-systems-lab/dependabot/pip/test-and-lint...
• 4226b76 build(deps): bump the test-and-lint-dependencies group with 4 updates
• 6394e3e Review changes
• dee9a83 linter
• 07b0fc7 update .gitignore
• e8158a4 Fix AWS signer, allow messages bigger than 4kB
• e23f855 Merge pull request #1023 from secure-systems-lab/dependabot/pip/dependencies-...
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.43 to 2.0.44

Release notes

Sourced from sqlalchemy's releases.

2.0.44

Released: October 10, 2025

platform

• [platform] [bug] Unblocked automatic greenlet installation for Python 3.14 now that there are greenlet wheels on pypi for python 3.14.

orm

• [orm] [usecase] The way ORM Annotated Declarative interprets Python PEP 695 type aliases in Mapped[] annotations has been refined to expand the lookup scheme. A PEP 695 type can now be resolved based on either its direct presence in _orm.registry.type_annotation_map or its immediate resolved value, as long as a recursive lookup across multiple PEP 695 types is not required for it to resolve. This change reverses part of the restrictions introduced in 2.0.37 as part of #11955, which deprecated (and disallowed in 2.1) the ability to resolve any PEP 695 type that was not explicitly present in _orm.registry.type_annotation_map. Recursive lookups of PEP 695 types remains deprecated in 2.0 and disallowed in version 2.1, as do implicit lookups of NewType types without an entry in _orm.registry.type_annotation_map.

  Additionally, new support has been added for generic PEP 695 aliases that refer to PEP 593 Annotated constructs containing _orm.mapped_column() configurations. See the sections below for examples.

  References: #12829

• [orm] [bug] Fixed a caching issue where _orm.with_loader_criteria() would incorrectly reuse cached bound parameter values when used with _sql.CompoundSelect constructs such as _sql.union(). The issue was caused by the cache key for compound selects not including the execution options that are part of the _sql.Executable base class, which _orm.with_loader_criteria() uses to apply its criteria dynamically. The fix ensures that compound selects and other executable constructs properly include execution options in their cache key traversal.

  References: #12905

engine

• [engine] [bug] Implemented initial support for free-threaded Python by adding new tests and reworking the test harness to include Python 3.13t and Python 3.14t in

... (truncated)

Commits

• See full diff in compare view

Updates psycopg2 from 2.9.10 to 2.9.11

Changelog

Sourced from psycopg2's changelog.

Current release

What's new in psycopg 2.9.11 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.14.
• Avoid a segfault passing more arguments than placeholders if Python is built with assertions enabled (:ticket:[#1791](https://github.com/psycopg/psycopg2/issues/1791)).
• Add riscv64 platform binary packages (:ticket:[#1813](https://github.com/psycopg/psycopg2/issues/1813)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 18.
• Drop support for Python 3.8.

What's new in psycopg 2.9.10 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.13.
• Receive notifications on commit (:ticket:[#1728](https://github.com/psycopg/psycopg2/issues/1728)).
• ~psycopg2.errorcodes map and ~psycopg2.errors classes updated to PostgreSQL 17.
• Drop support for Python 3.7.

What's new in psycopg 2.9.9 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Add support for Python 3.12.
• Drop support for Python 3.6.

What's new in psycopg 2.9.8 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Wheel package bundled with PostgreSQL 16 libpq in order to add support for recent features, such as sslcertmode.

What's new in psycopg 2.9.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Fix propagation of exceptions raised during module initialization (:ticket:[#1598](https://github.com/psycopg/psycopg2/issues/1598)).
• Fix building when pg_config returns an empty string (:ticket:[#1599](https://github.com/psycopg/psycopg2/issues/1599)).
• Wheel package bundled with OpenSSL 1.1.1v.

What's new in psycopg 2.9.6 ^^^^^^^^^^^^^^^^^^^^^^^^^^^

... (truncated)

Commits

• fd9ae8c chore: bump to version 2.9.11
• d923840 chore: update docs requirements
• d42dc71 Merge branch 'fix-1791'
• 4fde656 fix: avoid failed assert passing more arguments than placeholders
• 8308c19 fix: drop warning about the use of deprecated PyWeakref_GetObject function
• 1a1eabf build(deps): bump actions/github-script from 7 to 8
• 897af8b build(deps): bump peter-evans/repository-dispatch from 3 to 4
• ceefd30 build(deps): bump actions/checkout from 4 to 5
• 4dc5854 build(deps): bump actions/setup-python from 5 to 6
• 1945788 Merge pull request #1802 from edgarrmondragon/cp314-wheels
• Additional commits viewable in compare view

Updates alembic from 1.16.4 to 1.17.2

Release notes

Sourced from alembic's releases.

1.17.2

Released: November 14, 2025

feature

• [feature] [operations] Added Operations.implementation_for.replace parameter to Operations.implementation_for(), allowing replacement of existing operation implementations. This allows for existing operations such as CreateTableOp to be extended directly. Pull request courtesy justanothercatgirl.

  References: #1750

bug

• [bug] [mssql] Fixed issue in SQL Server dialect where the DROP that's automatically emitted for existing default constraints during an ALTER COLUMN needs to take place before not just the modification of the column's default, but also before the column's type is changed.

  References: #1744

1.17.1

Released: October 28, 2025

usecase

• [usecase] [commands] Added command.current.check_heads parameter to command.current() command, available from the command line via the --check-heads option to alembic current. This tests if all head revisions are applied to the database and raises DatabaseNotAtHead (or from the command line, exits with a non-zero exit code) if this is not the case. The parameter operates equvialently to the cookbook recipe cookbook_check_heads. Pull request courtesy Stefan Scherfke.

  References: #1705

bug

• [bug] [commands] Disallow ':' character in custom revision identifiers. Previously, using a colon in a revision ID (e.g., 'REV:1') would create the revision, however revisions with colons in them are not correctly interpreted by other commands, as it overlaps with the revision range syntax. Pull request courtesy Kim Wooseok with original implementation by Hrushikesh Patil.

... (truncated)

Commits

• See full diff in compare view

Updates pydantic from 2.11.7 to 2.12.5

Release notes

Sourced from pydantic's releases.

v2.12.5 2025-11-26

v2.12.5 (2025-11-26)

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

Full Changelog: pydantic/pydantic@v2.12.4...v2.12.5

v2.12.4 2025-11-05

v2.12.4 (2025-11-05)

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

• Fix issue with forward references in parent TypedDict classes by @​Viicos in #12427.

  This issue is only relevant on Python 3.14 and greater.

• Exclude fields with exclude_if from JSON Schema required fields by @​Viicos in #12430

• Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @​davidhewitt in pydantic-core#1833.

  This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

• Add type inference for IP address types by @​davidhewitt in pydantic-core#1868.

  The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

• Avoid getting default values from defaultdict by @​davidhewitt in pydantic-core#1853.

  This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

• Fix issue with field serializers on nested typed dictionaries by @​davidhewitt in pydantic-core#1879.

• Add more pydantic-core builds for the three-threaded version of Python 3.14 by @​davidhewitt in pydantic-core#1864.

Full Changelog: pydantic/pydantic@v2.12.3...v2.12.4

v2.12.3 2025-10-17

v2.12.3 (2025-10-17)

What's Changed

This is the third 2.13 patch release, fixing issues related to the FieldInfo class, and reverting a change to the supported after model validator function signatures.

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.12.5 (2025-11-26)

GitHub release

This is the fifth 2.12 patch release, addressing an issue with the MISSING sentinel and providing several documentation improvements.

The next 2.13 minor release will be published in a couple weeks, and will include a new polymorphic serialization feature addressing the remaining unexpected changes to the serialize as any behavior.

• Fix pickle error when using model_construct() on a model with MISSING as a default value by @​ornariece in #12522.
• Several updates to the documentation by @​Viicos.

v2.12.4 (2025-11-05)

GitHub release

This is the fourth 2.12 patch release, fixing more regressions, and reverting a change in the build() method of the AnyUrl and Dsn types.

This patch release also fixes an issue with the serialization of IP address types, when serialize_as_any is used. The next patch release will try to address the remaining issues with serialize as any behavior by introducing a new polymorphic serialization feature, that should be used in most cases in place of serialize as any.

• Fix issue with forward references in parent TypedDict classes by @​Viicos in #12427.

  This issue is only relevant on Python 3.14 and greater.

• Exclude fields with exclude_if from JSON Schema required fields by @​Viicos in #12430

• Revert URL percent-encoding of credentials in the build() method of the AnyUrl and Dsn types by @​davidhewitt in pydantic-core#1833.

  This was initially considered as a bugfix, but caused regressions and as such was fully reverted. The next release will include an opt-in option to percent-encode components of the URL.

• Add type inference for IP address types by @​davidhewitt in pydantic-core#1868.

  The 2.12 changes to the serialize_as_any behavior made it so that IP address types could not properly serialize to JSON.

• Avoid getting default values from defaultdict by @​davidhewitt in pydantic-core#1853.

  This fixes a subtle regression in the validation behavior of the collections.defaultdict type.

• Fix issue with field serializers on nested typed dictionaries by @​davidhewitt in pydantic-core#1879.

• Add more pydantic-core builds for the three-threaded version of Python 3.14 by @​davidhewitt in pydantic-core#1864.

v2.12.3 (2025-10-17)

GitHub release

... (truncated)

Commits

• bd2d0dd Prepare release v2.12.5
• 7d0302e Document security implications when using create_model()
• e9ef980 Fix typo in Standard Library Types documentation
• f2c20c0 Add pydantic-docs dev dependency, make use of versioning blocks
• a76c1aa Update documentation about JSON Schema
• 8cbc72c Add documentation about custom __init__()
• 99eba59 Add additional test for FieldInfo.get_default()
• c710769 Special case MISSING sentinel in smart_deepcopy()
• 20a9d77 Do not delete mock validator/serializer in rebuild_dataclass()
• c86515a Update parts of the model and revalidate_instances documentation
• Additional commits viewable in compare view

Updates celery from 5.5.3 to 5.6.0

Release notes

Sourced from celery's releases.

v5.6.0

Celery v5.6.0 is now available.

Key Highlights

See What's new in Celery 5.6 for a complete overview or read the main highlights below.

Python 3.9 Minimum Version

Celery 5.6.0 drops support for Python 3.8 (EOL). The minimum required Python version is now 3.9. Users still on Python 3.8 must upgrade their Python version before upgrading to Celery 5.6.0.

Additionally, this release includes initial support for Python 3.14.

SQS: Reverted to pycurl from urllib3

The switch from pycurl to urllib3 for the SQS transport (introduced in Celery 5.5.0 via Kombu) has been reverted due to critical issues affecting SQS users.

Contributed by @​auvipy in celery/celery#9620.

Security Fix: Broker Credential Leak Prevention

Fixed a security issue where broker URLs containing passwords were being logged in plaintext by the delayed delivery mechanism. Broker credentials are now properly sanitized in all log output.

Contributed by @​giancarloromeo in celery/celery#9997.

Memory Leak Fixes

Two significant memory leaks have been fixed in this release:

Exception Handling Memory Leak: Fixed a critical memory leak in task exception handling that was particularly severe on Python 3.11+ due to enhanced traceback data. The fix properly breaks reference cycles in tracebacks to allow garbage collection.

Contributed by @​jaiganeshs21 in celery/celery#9799.

Pending Result Memory Leak: Fixed a memory leak where AsyncResult subscriptions were not being cleaned up when results were forgotten.

Contributed by @​tsoos99dev in celery/celery#9806.

ETA Task Memory Limit

New configuration option worker_eta_task_limit to prevent out-of-memory crashes when workers fetch large numbers of ETA or countdown tasks. Previously, workers could exhaust available memory when the broker contained many scheduled tasks.

Example usage:

app.conf.worker_eta_task_limit = 1000

Contributed by @​sashu2310 in celery/celery#9853.

Queue Type Selection for Auto-created Queues

... (truncated)

Changelog

Sourced from celery's changelog.

5.6.0

:release-date: 2025-11-30 :release-by: Tomer Nosrati

Celery v5.6.0 is now available.

Key Highlights

See :ref:`whatsnew-5.6` for a complete overview or read the main highlights below.
Python 3.9 Minimum Version
Celery 5.6.0 drops support for Python 3.8 (EOL). The minimum required Python
version is now 3.9. Users still on Python 3.8 must upgrade their Python version
before upgrading to Celery 5.6.0.
Additionally, this release includes initial support for Python 3.14.
SQS: Reverted to pycurl from urllib3
The switch from pycurl to urllib3 for the SQS transport (introduced in
Celery 5.5.0 via Kombu) has been reverted due to critical issues affecting SQS
users:

Processing throughput dropped from ~100 tasks/sec to ~3/sec in some environments
UnknownOperationException errors causing container crash loops
Silent message processing failures with no error logs

Users of the SQS transport must ensure pycurl is installed. If you removed
pycurl after upgrading to Celery 5.5.0, you will need to reinstall it.
Contributed by @auvipy <https://github.com/auvipy>_ in
[#9620](https://github.com/celery/celery/issues/9620) <https://github.com/celery/celery/pull/9620>_.
Security Fix: Broker Credential Leak Prevention
Fixed a security issue where broker URLs containing passwords were being logged
in plaintext by the delayed delivery mechanism. Broker credentials are now
properly sanitized in all log output.
Contributed by @giancarloromeo <https://github.com/giancarloromeo>_ in
[#9997](https://github.com/celery/celery/issues/9997) <https://github.com/celery/celery/pull/9997>_.
Memory Leak Fixes
</tr></table>

... (truncated)

Commits

• cca1116 Prepare for release: v5.6.0 (#10010)
• 1133f22 Bump mypy from 1.14.1 to 1.19.0 (#10008)
• 0932d2c [pre-commit.ci] pre-commit autoupdate (#10007)
• b446910 Prepare for (pre) release: v5.6.0rc2 (#10005)
• 3f0f0fe asynpool: Don't return from inside a finally block (#10000)
• 95d0552 Bump actions/checkout from 5 to 6 (#10003)
• f32b92f Add Py39-314t to CI (#9999)
• 63c1910 Don't fail task on timeout during cold shutdown (#9678)
• 30649db Fix log leaking broker credentials (#9997)
• 929412e Remove Python 4.0 version condition for pytest dependencies (#9993)
• Additional commits viewable in compare view

Updates boto3 from 1.40.16 to 1.42.0

Commits

• 7ce189b Merge branch 'release-1.42.0'
• 29d92d1 Bumping version to 1.42.0
• 743f945 Add changelog entries from botocore
• e3744fd Merge pull request #4629 from hssyoo/crt-mode
• 39215b6 Merge branch 'release-1.41.5'
• 79f2845 Merge branch 'release-1.41.5' into develop
• 0fc8075 Bumping version to 1.41.5
• 573d359 Add changelog entries from botocore
• 177e900 Remove backticks from error msg
• ff9d88c Add warning
• Additional commits viewable in compare view

Updates awswrangler from 3.12.1 to 3.14.0

Release notes

Sourced from awswrangler's releases.

AWS SDK for pandas 3.14.0

Notable Changes ⚠️

• chore: upgrade pg8000 due to CVE-2025-61385 by @​kukushking in aws/aws-sdk-pandas#3225

Features / Enhancements 🚀

• feat: support redshift CLEANPATH by @​kukushking in aws/aws-sdk-pandas#3211
• feat: add result reuse configuration to query execution functions by @​DavidKatz-il in aws/aws-sdk-pandas#3212

Bugfixes 🐛

• fix: Add s3_output parameter to _start_query_execution call in "overwrite" mode by @​sergeymazin in aws/aws-sdk-pandas#3205
• fix: iceberg overwrite partitions with s3 output by @​kukushking in aws/aws-sdk-pandas#3220
• fix: Correct MemoryFormat.set() Parameter Type Annotation by @​DaltonWorsnup in aws/aws-sdk-pandas#3221
• fix: normalize AWS_SESSION_TOKEN=None to empty string for delta-rs compatibility by @​skoschik in aws/aws-sdk-pandas#3223

Security / Dependency Updates 🛡️

• chore(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3208
• chore: update pyarrow constraints by @​kukushking in aws/aws-sdk-pandas#3210
• chore(deps): bump the production-dependencies group across 1 directory with 4 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3213
• chore(deps): bump actions/setup-node from 5 to 6 in the github-actions group by @​dependabot[bot] in aws/aws-sdk-pandas#3214

Housekeeping 🧹

• chore: replace deprecated pr linting action by @​kukushking in aws/aws-sdk-pandas#3215
• chore: Release 3.14.0 by @​kukushking in aws/aws-sdk-pandas#3227
• chore: Update Snyk action by @​kukushking in aws/aws-sdk-pandas#3228
• chore: fix incorrect license field by @​kukushking in aws/aws-sdk-pandas#3229
• chore: Update layers.rst by @​kukushking in aws/aws-sdk-pandas#3230

New Contributors

• @​sergeymazin made their first contribution in aws/aws-sdk-pandas#3205
• @​DaltonWorsnup made their first contribution in aws/aws-sdk-pandas#3221
• @​skoschik made their first contribution in aws/aws-sdk-pandas#3223

Full Changelog: aws/aws-sdk-pandas@3.13.0...3.14.0

AWS SDK for pandas 3.13.0

Notable Changes ⚠️

• updated aiohhtp==3.12.15to fix CVE-2025-53643 (LOW) by @​kukushking in aws/aws-sdk-pandas#3197

Features / Enhancements 🚀

• feat: ray 2.49.0 by @​kukushking in aws/aws-sdk-pandas#3194
• feat: add support for aurora-mysql and aurora-postgresql engines by @​senorcinco in aws/aws-sdk-pandas#3188

Bugfixes 🐛

• fix: opensearch session by @​kukushking in aws/aws-sdk-pandas#3170
• fix: typo with Redshift write example by @​Falydoor in aws/aws-sdk-pandas#3184
• fix: do not remove new columns values by @​Braalfa in aws/aws-sdk-pandas#3181

Security / Dependency Updates 🛡️

• chore(deps): bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3178
• chore(deps): bump the production-dependencies group with 2 updates by @​dependabot[bot] in aws/aws-sdk-pandas#3180

... (truncated)

Commits

• 20193b4 Update layers.rst
• d1c7910 pin pyarrow in lambda layer
• 3521ddc chore: Release 3.14.0 (#3227)
• 2371f80 fix(delta-rs): normalize AWS_SESSION_TOKEN=None to empty string for delta-rs ...
• 9b84384 Correct MemoryFormat.set() Parameter Type Annotation (#3221)
• f5980f2 chore: upgrade pg8000 due to a CVE-2025-61385 (#3225)
• ed4057e fix: iceberg overwrite partitions with s3 output (#3220)
• d425c50 [FIX] Add s3_output parameter to _start_query_execution call in "overwrite" m...
• 294f35e chore: replace pr linting action (#3215)
• c81581c chore(deps): bump actions/setup-node in the github-actions group (#3214)
• Additional commits viewable in compare view

Updates sigstore from 3.6.5 to 4.1.0

Release notes

Sourced from sigstore's releases.

v4.1.0

Added

• cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

• Added cryptography 46 to list of compatible cryptography releases (#1544)
• Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

• cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553

v4.0.0

This is a major release with a host of API and functionality changes. The major new feature is Rekor v2 support but many other changes are also included, see list below.

Added

• cli: Add --rekor-version to sign command arguments: This can be useful if Sigstore instance provides multiple Rekor versions and user wants to override the default choice #1471
• cli: Support parallel signing. When multiple artifacts are signed, the Rekor requests are submitted in parallel: this is especially useful with Rekor v2. #1468, #1478, #1485
• oidc (API): Allow custom audience claims via API #1402
• rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing. #1370, #1422, #1432
• trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API #1496

Changed

• cli: Improve verify UX when wrong instance is used #1510
• deps: replace sigstore_protobuf_specs dependency with sigstore-models #1470

... (truncated)

Changelog

Sourced from sigstore's changelog.

[4.1.0]

Added

• cli: Support using other Sigstore instances with --instance URL. New instances are trusted with new top level command trust-instance ROOTFILE. #1548

Changed

• Added cryptography 46 to list of compatible cryptography releases (#1544)
• Improved error message when verifying bundles with unsupported log entry versions (#1569)

Fixed

• cli: Always read/write UTF-8. This fixes an issue on Windows where the platform default encoding was used: the issue has existed for a while, but became more visible with signature bundles that contain rekor2 entries. #1553

[4.0.0]

This is a major release with a host of API and functionality changes. The major new feature is Rekor v2 support but many other changes are also included, see list below.

Added

• cli: Add --rekor-version to sign command arguments: This can be useful if Sigstore instance provides multiple Rekor versions and user wants to override the default choice #1471
• cli: Support parallel signing. When multiple artifacts are signed, the Rekor requests are submitted in parallel: this is especially useful with Rekor v2. #1468, #1478, #1485
• oidc (API): Allow custom audience claims via API #1402
• rekor (API): Support Rekor v2 (aka rekor-tiles) in both verification and signing. #1370, #1422, #1432
• trust (API): Make TrustedRoot, SigningConfig and ClientTrustConfig public API #1496

Changed

• cli: Improve verify UX when wrong instance is used #1510
• deps: replace sigstore_protobuf_specs dependency with sigstore-models

... (truncated)

Commits

• 3447f96 Forward port entry kindversion error improvement, bump version to 4.1.0 (#1569)
• 2dbe03a build(deps): bump github/codeql-action in the actions group (#1572)
• 02daa69 build(deps): bump rich from 14.1.0 to 14.2.0 (#1571)
• 1615939 build(deps): bump the actions group with 2 updates (#1568)
• 72b6581 build(deps): update ruff requirement from <0.13.4 to <0.14.1 (#1567)
• 64dbeba cli: Support using other Sigstore instances (#1548)