Skip to content

chore(deps): update pydantic-ai-slim[logfire] requirement from >=1.90.0 to >=1.103.0#162

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pydantic-ai-slim-logfire--gte-1.103.0
Open

chore(deps): update pydantic-ai-slim[logfire] requirement from >=1.90.0 to >=1.103.0#162
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pydantic-ai-slim-logfire--gte-1.103.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 27, 2026
edited
Loading

Updates the requirements on pydantic-ai-slim[logfire] to permit the latest version.

Release notes

Sourced from pydantic-ai-slim[logfire]'s releases.

v1.103.0 (2026-05-26)

What's Changed

🚀 Features

🐛 Bug Fixes

New Contributors

Full Changelog: pydantic/pydantic-ai@v1.102.0...v1.103.0

Changelog

Sourced from pydantic-ai-slim[logfire]'s changelog.

Upgrade Guide

In September 2025, Pydantic AI reached V1, which means we're committed to API stability: we will not introduce changes that break your code until V2. For more information, review our Version Policy.

Breaking Changes

Here's a filtered list of the breaking changes for each version to help you upgrade Pydantic AI.

v1.0.1 (2025-09-05)

The following breaking change was accidentally left out of v1.0.0:

  • See #2808 - Remove Python evaluator from pydantic_evals for security reasons

v1.0.0 (2025-09-04)

  • See #2725 - Drop support for Python 3.9
  • See #2738 - Make many dataclasses require keyword arguments
  • See #2715 - Remove cases and averages attributes from pydantic_evals spans
  • See #2798 - Change ModelRequest.parts and ModelResponse.parts types from list to Sequence
  • See #2726 - Default InstrumentationSettings version to 2
  • See #2717 - Remove errors when passing AsyncRetrying or Retrying object to AsyncTenacityTransport or TenacityTransport instead of RetryConfig

v0.x.x

Before V1, minor versions were used to introduce breaking changes:

v0.8.0 (2025-08-26)

See #2689 - AgentStreamEvent was expanded to be a union of ModelResponseStreamEvent and HandleResponseEvent, simplifying the event_stream_handler function signature. Existing code accepting AgentStreamEvent | HandleResponseEvent will continue to work.

v0.7.6 (2025-08-26)

The following breaking change was inadvertently released in a patch version rather than a minor version:

See #2670 - TenacityTransport and AsyncTenacityTransport now require the use of pydantic_ai.retries.RetryConfig (which is just a TypedDict containing the kwargs to tenacity.retry) instead of tenacity.Retrying or tenacity.AsyncRetrying.

v0.7.0 (2025-08-12)

See #2458 - pydantic_ai.models.StreamedResponse now yields a FinalResultEvent along with the existing PartStartEvent and PartDeltaEvent. If you're using pydantic_ai.direct.model_request_stream or pydantic_ai.direct.model_request_stream_sync, you may need to update your code to account for this.

See #2458 - pydantic_ai.models.Model.request_stream now receives a run_context argument. If you've implemented a custom Model subclass, you will need to account for this.

See #2458 - pydantic_ai.models.StreamedResponse now requires a model_request_parameters field and constructor argument. If you've implemented a custom Model subclass and implemented request_stream, you will need to account for this.

v0.6.0 (2025-08-06)

This release was meant to clean some old deprecated code, so we can get a step closer to V1.

See #2440 - The next method was removed from the Graph class. Use async with graph.iter(...) as run: run.next() instead.

... (truncated)

Commits
  • 7a5bec6 gh-aw: tighten pydantic-ai-stale-issues-finder and share prompt fragments (...
  • d625fa9 ci: constrain hf-xet below deprecated API (#5673)
  • 543b4f8 ci: Fix lowest-version CI dependency resolution (#5564)
  • 4a119b8 fix(toolsets): warn when prepare callbacks return None (#5188)
  • b4de8ae Fix typo in SystemPromptFunc docstring (#5667)
  • aa43e93 Support anthropic_eager_input_streaming in OpenRouterModel (#5656)
  • efd468f fix(vercel-ai): preserve message metadata roundtrips (#5279)
  • d55a211 Add list_prompts and get_prompt functionality to McpServer (#3889)
  • 5c6aea5 fix(ui): Strip force_download flag from client-submitted FileUrl parts in...
  • 0123cf0 gh-aw: add pydantic-ai-stale-issues-finder and share shim workflow fragment...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 27, 2026
@dependabot dependabot Bot mentioned this pull request May 27, 2026
Closed
@amrit110
Copy link
Copy Markdown
Member

amrit110 commented May 28, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package Version Vulnerability Fix Versions Status
fastapi 0.136.3 MAL-2026-4750 (none) No fix available on PyPI

Vulnerability Details

MAL-2026-4750: fastapi 0.136.3 was flagged for adding an undocumented dependency fastar>=0.9.0 to its [standard] optional dependencies group. This dependency is not documented in the README alongside other standard dependencies (httpx, jinja2, python-multipart, uvicorn, etc.), raising concerns about a potential dependency-confusion / namespace-abuse vector. The pip install "fastapi[standard]" install command silently pulls fastar onto user machines.

Why this cannot be auto-fixed

fastapi 0.136.3 is the latest version on PyPI — there is no newer release that resolves this advisory. The fix must come from the fastapi upstream maintainers releasing a new version.

Recommended next steps

  1. Monitor the MAL-2026-4750 advisory for upstream resolution
  2. Once fastapi releases a patched version (>0.136.3), aieng-bot can re-run and merge automatically
  3. If human review determines this is a false positive, consider adding MAL-2026-4750 to the ignore-vulns list in the CI workflow with appropriate justification

This PR will not be auto-merged until the vulnerability is resolved.

@dependabot
chore(deps): update pydantic-ai-slim[logfire] requirement
3702936 
Updates the requirements on [pydantic-ai-slim[logfire]](https://github.com/pydantic/pydantic-ai) to permit the latest version.
- [Release notes](https://github.com/pydantic/pydantic-ai/releases)
- [Changelog](https://github.com/pydantic/pydantic-ai/blob/main/docs/changelog.md)
- [Commits](pydantic/pydantic-ai@v1.90.0...v1.103.0)

---
updated-dependencies:
- dependency-name: pydantic-ai-slim[logfire]
  dependency-version: 1.103.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/pydantic-ai-slim-logfire--gte-1.103.0 branch from 420b306 to 3702936 Compare May 28, 2026 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amrit110