deps(py): Bump the pip-minor-patch group in /backend with 5 updates

[dependabot]

Bumps the pip-minor-patch group in /backend with 5 updates:

Package	From	To
fastapi	0.135.2	0.135.3
uvicorn	0.42.0	0.43.0
python-multipart	0.0.22	0.0.24
sqlalchemy	2.0.48	2.0.49
mypy	1.19.1	1.20.0

Updates fastapi from 0.135.2 to 0.135.3

Release notes

Sourced from fastapi's releases.

0.135.3

Features

• ✨ Add support for @app.vibe(). PR #15280 by @​tiangolo.
  • New docs: Vibe Coding.

Docs

• ✏️ Fix typo for client_secret in OAuth2 form docstrings. PR #14946 by @​bysiber.

Internal

• 👥 Update FastAPI People - Experts. PR #15279 by @​tiangolo.
• ⬆ Bump orjson from 3.11.7 to 3.11.8. PR #15276 by @​dependabot[bot].
• ⬆ Bump ruff from 0.15.0 to 0.15.8. PR #15277 by @​dependabot[bot].
• 👥 Update FastAPI GitHub topic repositories. PR #15274 by @​tiangolo.
• ⬆ Bump fastmcp from 2.14.5 to 3.2.0. PR #15267 by @​dependabot[bot].
• 👥 Update FastAPI People - Contributors and Translators. PR #15270 by @​tiangolo.
• ⬆ Bump requests from 2.32.5 to 2.33.0. PR #15228 by @​dependabot[bot].
• 👷 Add ty check to lint.sh. PR #15136 by @​svlandeg.

Commits

• 1f442c4 🔖 Release version 0.135.3
• 8f5d157 📝 Update release notes
• 428452a 📝 Update release notes
• 70580da ✨ Add support for @app.vibe() (#15280)
• 6ee8747 📝 Update release notes
• 3e72c09 👥 Update FastAPI People - Experts (#15279)
• 96df35f 📝 Update release notes
• 6c81125 ⬆ Bump orjson from 3.11.7 to 3.11.8 (#15276)
• 428f82c 📝 Update release notes
• 5599c59 ⬆ Bump ruff from 0.15.0 to 0.15.8 (#15277)
• Additional commits viewable in compare view

Updates uvicorn from 0.42.0 to 0.43.0

Release notes

Sourced from uvicorn's releases.

Version 0.43.0

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

---

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

Changelog

Sourced from uvicorn's changelog.

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

Commits

• 8d397c7 Version 0.43.0 (#2885)
• 587042d 🐛 Emit http.disconnect ASGI receive() event on server shutting down for s...
• c9a75fb chore(deps): bump the github-actions group with 3 updates (#2878)
• 84fd578 chore(deps): bump pygments from 2.19.2 to 2.20.0 (#2877)
• cd52d34 Use native context parameter for create_task on Python 3.11+ (#2859)
• 5211880 Drop cast in ASGI types (#2875)
• 1cb8e74 Add websocket 500 fallback header test (#2874)
• 28efbb2 chore(deps-dev): bump cryptography from 46.0.5 to 46.0.6 (#2873)
• 042ffeb ci: add zizmor (#2872)
• c61f9d4 chore(deps): bump requests from 2.32.5 to 2.33.0 (#2871)
• See full diff in compare view

Updates python-multipart from 0.0.22 to 0.0.24

Release notes

Sourced from python-multipart's releases.

Version 0.0.24

What's Changed

• Validate chunk_size in parse_form() by @​Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

• Remove unused trust_x_headers parameter and X-File-Name fallback by @​jhnstrk in Kludex/python-multipart#196
• Return processed length from QuerystringParser._internal_write by @​bysiber in Kludex/python-multipart#229
• Cleanup metadata dunders from __init__.py by @​Chesars in Kludex/python-multipart#227

New Contributors

• @​Chesars made their first contribution in Kludex/python-multipart#227
• @​bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

Commits

• b7cc76d Version 0.0.24 (#245)
• 8f1838d Validate chunk_size in parse_form() (#244)
• 2582c83 Restore mkdocstrings handler options to handler level (#243)
• 8f1dbed Harden GitHub Actions workflows and add zizmor audit (#242)
• 3a4be31 Unbreak docs build on newer pygments/mkdocstrings (#241)
• e59b6b7 Add #227 to changelog (#239)
• 4bd03ea Version 0.0.23 (#238)
• aa6f106 Return processed length from QuerystringParser._internal_write (#229)
• c856319 Remove unused trust_x_headers parameter and X-File-Name fallback (#196)
• 7303c74 Bump the python-packages group with 4 updates (#237)
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates mypy from 1.19.1 to 1.20.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.20

We’ve just uploaded mypy 1.20.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Planned Changes to Defaults and Flags in Mypy 2.0

As a reminder, we are planning to enable --local-partial-types by default in mypy 2.0, which will likely be the next feature release. This will often require at least minor code changes. This option is implicitly enabled by mypy daemon, so this makes the behavior of daemon and non-daemon modes consistent.

Note that this release improves the compatibility of --local-partial-types significantly to make the switch easier (see below for more).

This can also be configured in a mypy configuration file (use False to disable):

local_partial_types = True

For more information, refer to the documentation.

We will also enable --strict-bytes by default in mypy 2.0. This usually requires at most minor code changes to adopt. For more information, refer to the documentation.

Finally, --allow-redefinition-new will be renamed to --allow-redefinition. If you want to continue using the older --allow-redefinition semantics which are less flexible (e.g. limited support for conditional redefinitions), you can switch to --allow-redefinition-old, which is currently supported as an alias to the legacy --allow-redefinition behavior. To use --allow-redefinition in the upcoming mypy 2.0, you can't use --no-local-partial-types. For more information, refer to the documentation.

Better Type Narrowing

Mypy's implementation of narrowing has been substantially reworked. Mypy will now narrow more aggressively, more consistently, and more correctly. In particular, you are likely to notice new narrowing behavior in equality expressions (==), containment expressions (in),

... (truncated)

Commits

• 770d3ca Remove +dev from version
• 4738ffa Changelog updates for 1.20 (#21109)
• b4f07a7 Use 'native-parser' instead of 'native-parse' for optional dependency (#21115)
• 7bec7b7 [mypyc] Document librt and librt.base64 (#21114)
• c482596 --allow-redefinition-new is no longer experimental (#21110)
• c916ca3 sdist: include misc/{diff-cache,apply-cache-diff}.py for `mypy/test/test_di...
• b137e4e [mypyc] Speed up native-to-native imports within the same group (#21101)
• 978b711 [mypyc] Fix range loop variable off-by-one after loop exit (#21098)
• 67ada30 [stubtest] Check runtime availability of private types not marked `@type_chec...
• bdef6ef librt cache tests: build respecting MYPY_TEST_PREFIX (#21097)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Review Council Results

4 tests   2 ✅  0s ⏱️
1 suites  0 💤
1 files    2 ❌

For more details on these failures, see this check.

Results for commit bc3826d.