Bump the python-packages group across 1 directory with 5 updates

[dependabot]

Bumps the python-packages group with 5 updates in the / directory:

Package	From	To
ruff	0.15.6	0.15.9
pytest	9.0.2	9.0.3
sqlalchemy	2.0.48	2.0.49
botocore	1.42.70	1.42.85
apiflask	3.0.2	3.1.0

Updates ruff from 0.15.6 to 0.15.9

Release notes

Sourced from ruff's releases.

0.15.9

Release Notes

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

Bug fixes

• [flake8-errmsg] Avoid shadowing existing msg in fix for EM101 (#24363)
• [flake8-simplify] Ignore pre-initialization references in SIM113 (#24235)
• [pycodestyle] Fix W391 fixes for consecutive empty notebook cells (#24236)
• [pyupgrade] Fix UP008 nested class matching (#24273)
• [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• [ruff] RUF072: skip formfeeds on dedent (#24308)
• [ruff] Avoid re-using symbol in RUF024 fix (#24316)
• [ruff] Parenthesize expression in RUF050 fix (#24234)
• Disallow starred expressions as values of starred expressions (#24280)

Rule changes

• [flake8-simplify] Suppress SIM105 for except* before Python 3.12 (#23869)
• [pyflakes] Extend F507 to flag %-format strings with zero placeholders (#24215)
• [pyupgrade] UP018 should detect more unnecessarily wrapped literals (UP018) (#24093)
• [pyupgrade] Fix UP008 callable scope handling to support lambdas (#24274)
• [ruff] RUF010: Mark fix as unsafe when it deletes a comment (#24270)

Formatter

• Add nested-string-quote-style formatting option (#24312)

Documentation

• [flake8-bugbear] Clarify RUF071 fix safety for non-path string comparisons (#24149)
• [flake8-type-checking] Clarify import cycle wording for TC001/TC002/TC003 (#24322)

Other changes

• Avoid rendering fix lines with trailing whitespace after | (#24343)

Contributors

• @​charliermarsh
• @​MichaReiser
• @​tranhoangtu-it
• @​dylwil3
• @​zsol

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.9

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

Bug fixes

• [flake8-errmsg] Avoid shadowing existing msg in fix for EM101 (#24363)
• [flake8-simplify] Ignore pre-initialization references in SIM113 (#24235)
• [pycodestyle] Fix W391 fixes for consecutive empty notebook cells (#24236)
• [pyupgrade] Fix UP008 nested class matching (#24273)
• [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• [ruff] RUF072: skip formfeeds on dedent (#24308)
• [ruff] Avoid re-using symbol in RUF024 fix (#24316)
• [ruff] Parenthesize expression in RUF050 fix (#24234)
• Disallow starred expressions as values of starred expressions (#24280)

Rule changes

• [flake8-simplify] Suppress SIM105 for except* before Python 3.12 (#23869)
• [pyflakes] Extend F507 to flag %-format strings with zero placeholders (#24215)
• [pyupgrade] UP018 should detect more unnecessarily wrapped literals (UP018) (#24093)
• [pyupgrade] Fix UP008 callable scope handling to support lambdas (#24274)
• [ruff] RUF010: Mark fix as unsafe when it deletes a comment (#24270)

Formatter

• Add nested-string-quote-style formatting option (#24312)

Documentation

• [flake8-bugbear] Clarify RUF071 fix safety for non-path string comparisons (#24149)
• [flake8-type-checking] Clarify import cycle wording for TC001/TC002/TC003 (#24322)

Other changes

• Avoid rendering fix lines with trailing whitespace after | (#24343)

Contributors

• @​charliermarsh
• @​MichaReiser
• @​tranhoangtu-it
• @​dylwil3
• @​zsol
• @​renovate

... (truncated)

Commits

• 724ccc1 Bump 0.15.9 (#24369)
• 96d9e09 [ty] Move the deferred submodule inside infer/builder (#24368)
• 130da28 [ty] Infer the extra_items keyword argument to class-based TypedDicts as an...
• a617c54 [ty] Validate type qualifiers in functional TypedDict fields and the `extra_i...
• d851708 [ty] Improve robustness of various type-qualifier-related checks (#24251)
• aecb587 Only run the release-gate on workflow dispatch (#24366)
• b889571 [ty] Use infer_type_expression for parsing parameter annotations and return...
• 3286a62 Add a "release-gate" step to the release workflow (#24365)
• 5f88756 Disallow starred expressions as values of starred expressions (#24280)
• 5c59f8a [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• Additional commits viewable in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates botocore from 1.42.70 to 1.42.85

Commits

• 0db1752 Merge branch 'release-1.42.85'
• 59c7ec6 Bumping version to 1.42.85
• f01ceed Update endpoints model
• 008c515 Update to latest models
• d4e1b92 Merge customizations for AccessAnalyzer
• 5c7d9a3 Apply sigv4a_signing_region_set when SigV4A is resolved via auth scheme prefe...
• 0bb499c Merge branch 'release-1.42.84'
• ef31290 Merge branch 'release-1.42.84' into develop
• 58019d1 Bumping version to 1.42.84
• ed57861 Update endpoints model
• Additional commits viewable in compare view

Updates apiflask from 3.0.2 to 3.1.0

Release notes

Sourced from apiflask's releases.

3.1.0

What's Changed

• Support pagination with Pydantic by @​uncle-lv in apiflask/apiflask#713
• Fix @app.output(Schema(many=True)) is not array type in OpenAPI doc by @​uncle-lv in apiflask/apiflask#725
• Support upload file model by @​uncle-lv in apiflask/apiflask#715
• Fix type checking for view function return types by @​uncle-lv in apiflask/apiflask#736

Full Changelog: apiflask/apiflask@3.0.2...3.1.0

Commits

• 11e98c7 Release 3.1.0
• ab27dfc Fix type checking for view function return types (#736)
• ff79da1 Support upload file model (#715)
• 39af96d docs(usage.md): conversion of ORM models to Pydantic models tip (#735)
• b13130d docs(usage.md): update prerequisites (#724)
• db0e02a Fix @app.output(Schema(many=True)) is not array type in OpenAPI doc (#725)
• bfd2c8d Support pagination with Pydantic (#713)
• 3c36b4f Add a cookies tip (#706)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions