build(deps): bump the version-all group across 1 directory with 19 updates

[dependabot]

Bumps the version-all group with 19 updates in the / directory:

Package	From	To
pillow	11.3.0	12.2.0
huggingface-hub	0.34.4	1.9.2
modal	1.1.4	1.4.1
pandas	2.3.2	3.0.2
tqdm	4.67.1	4.67.3
gitpython	3.1.45	3.1.46
fastmcp	2.12.4	3.2.1
lmnr	0.7.25	0.7.47
python-dotenv	1.1.1	1.2.2
python-json-logger	4.0.0	4.1.0
requests	2.32.5	2.33.1
tenacity	9.1.2	9.1.4
websockets	15.0.1	16.0
pre-commit	4.3.0	4.5.1
psutil	7.0.0	7.2.2
pyright	1.1.405	1.1.408
pytest-cov	7.0.0	7.1.0
pytest	8.4.2	9.0.3
ruff	0.13.0	0.15.9

Updates pillow from 11.3.0 to 12.2.0

Release notes

Sourced from pillow's releases.

12.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/12.2.0.html

Documentation

• Update 12.2.0 release notes #9522 [@​hugovk]
• Add loader plugins: AMOS abk, Atari Degas, 40+ more obscure formats via Netpbm #9482 [@​bitplane]
• Update Python versions #9515 [@​radarhere]
• Jeffrey A. Clark -> Jeffrey 'Alex' Clark #9513 [@​aclark4life]
• Add release notes for #9394, #9419 and #9456 #9467 [@​radarhere]
• Add Amiga Workbench .info loader to 3rd party plugins list #9459 [@​bitplane]
• Merge PFM documentation into PPM #9434 [@​radarhere]
• Update macOS tested Pillow versions #9431 [@​radarhere]
• Fix CVE number #9430 [@​hugovk]

Dependencies

• Update xz to 5.8.3 #9523 [@​radarhere]
• Update libjpeg-turbo to 3.1.4.1 #9507 [@​radarhere]
• Update libpng to 1.6.56 #9499 [@​radarhere]
• Update freetype to 2.14.3 #9485 [@​radarhere]
• Updated libavif to 1.4.1 #9479 [@​radarhere]
• Updated harfbuzz to 13.2.1 #9461 [@​radarhere]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Update harfbuzz to 13.0.1 #9453 [@​radarhere]
• Update libavif to 1.4.0 #9460 [@​radarhere]
• Update freetype to 2.14.2 #9449 [@​radarhere]
• Update actions/download-artifact action to v8 #9451 [@renovate[bot]]
• Updated libpng to 1.6.55 #9425 [@​radarhere]

Testing

• Cleanup .spider extension in the same test where it is added #9517 [@​radarhere]
• Run tests in parallel via tox for 3.5x speedup #9516 [@​hugovk]
• Enable colour in CI logs #9486 [@​hugovk]
• Update Ghostscript to 10.7.0 #9469 [@​radarhere]
• Simplify TGA test code #9477 [@​radarhere]
• Update tests to check for ValueError when encoding an empty image #9464 [@​radarhere]
• Upgrade CI from macos-15-intel to macos-26-intel #9454 [@​hugovk]
• Add check-case-conflict hook #9446 [@​radarhere]
• Specify platform when pulling docker image #9440 [@​radarhere]
• GHA: Cache libavif and webp builds for Ubuntu #9437 [@​hugovk]
• Update macOS tested Pillow versions #9431 [@​radarhere]

Other changes

• Check calloc return value #9527 [@​radarhere]
• Check all allocs in the Arrow tree #9488 [@​wiredfool]
• Reject non-numeric elements inside list coords #9526 [@​hugovk]
• Move variable declaration inside define #9525 [@​radarhere]

... (truncated)

Commits

• 3c41c09 12.2.0 version bump
• cdaa29e Check calloc return value (#9527)
• 585b2f5 Check calloc return value
• ecf011e Check all allocs in the Arrow tree (#9488)
• cf6de8c Reject non-numeric elements inside list coords (#9526)
• ffdcede Update 12.2.0 release notes (#9522)
• 7929d77 Added security release notes (#149)
• c4f7aa5 Added security release notes
• 22cdb5f Move variable declaration inside define (#9525)
• fc15b3b Resize tall images vertically first (#9524)
• Additional commits viewable in compare view

Updates huggingface-hub from 0.34.4 to 1.9.2

Release notes

Sourced from huggingface-hub's releases.

[v1.9.2] Fix set_space_volume / delete_space_volume return types

• Fix set_space_volume / delete_space_volume return types #4061 by @​abidlabs @​Wauplin

Full Changelog: huggingface/huggingface_hub@v1.9.1...v1.9.2

[v1.9.1] Fix: set_space_volumes sending bare array instead of object

• Fix set_space_volumes sending bare array instead of object #4054 by @​davanstrien

Full Changelog: huggingface/huggingface_hub@v1.9.0...v1.9.1

[v1.9.0] Agent-Aware CLI, Spaces Volumes, and more

🚀 Spaces Volumes: Mount Models, Datasets, and Buckets Directly

Hugging Face Spaces now support mounting volumes, giving your Space direct filesystem access to models, datasets, and storage buckets. This replaces the deprecated persistent storage feature.

from huggingface_hub import HfApi, Volume
api = HfApi()
api.set_space_volumes(
repo_id="username/my-space",
volumes=[
Volume(type="model", source="username/my-model", mount_path="/models", read_only=True),
Volume(type="bucket", source="username/my-bucket", mount_path="/data"),
],
)

Volumes can also be set at creation time via create_repo(space_volumes=...) and duplicate_repo(space_volumes=...), and from the CLI with the --volume / -v flag:

# Create a Space with volumes mounted
hf repos create my-space --type space --space-sdk gradio \
    -v hf://gpt2:/models -v hf://buckets/org/b:/data
Duplicate a Space with volumes
hf repos duplicate org/my-space my-space --type space 
-v hf://gpt2:/models -v hf://buckets/org/b:/data

• Add support for mounted volumes by @​Wauplin in #4018
• Support volumes at repo creation and duplication by @​Wauplin in #4035

🤖 The hf CLI Now Auto-Detects AI Agents and Adapts Its Output

AI coding agents (Claude Code, Cursor, Codex, Copilot, Gemini, ...) increasingly use the hf CLI to interact with the Hub. Until now, the output was designed for humans - ANSI colors, padded tables, emoji booleans, truncated cells - making it hard for agents to parse reliably.

Starting with v1.9, the CLI automatically detects when it's running inside an agent and adapts its output: no ANSI, no truncation, tab-separated tables, compact JSON, full timestamps. No configuration needed - it just works. This is only a first step toward making the hf CLI the primary entry point to the Hugging Face Hub for AI agents!

... (truncated)

Commits

• 29920ab Release: v1.9.2
• c0c6af4 Fix set_space_volume / delete_space_volume return types (#4061)
• 6d1a377 Release: v1.9.1
• 4a41761 Fix set_space_volumes sending wrong JSON structure (#4054)
• b768bb2 Release: v1.9.0
• 9d30ff2 Release: v1.9.0.rc0
• 657b8b9 chore: remove claude.yml workflow file (#4031)
• 38d48d9 [CLI] Migrate models, datasets, spaces, papers to out singleton (#4...
• 4e2337d [CLI] enrich CLI errors with available options and commands (#4034)
• ea1f4b7 Support volumes at repo creation and duplication (#4035)
• Additional commits viewable in compare view

Updates modal from 1.1.4 to 1.4.1

Commits

• 9c35a2d Release 1.4.1 of the Python SDK (#37152)
• 3b1d52e sandboxes: [sandbox inifnity] Add SandboxGetCommandRouterAccessRequest prot...
• ad1ba59 Include flash functions in modal shell (#35280)
• 22ff071 Send agent harness metadata to datadog on client connection (#37113)
• f97e41b Remove stale flaky flags from tests that haven't flaked in 7 days (#37118)
• 1a31e8f Restrict quarantine tag to only recently flaky tests (#37112)
• d593a1b Return user-friendly ConnectionError on DNS failure in task command router cl...
• 2b27b49 Classproperty updates w/ synchronicity bump (#37092)
• 9dcd16e Add direct exec env support to task command router (#36966)
• e798605 pin synchronicity in root workflow client-tests (#37032)
• Additional commits viewable in compare view

Updates pandas from 2.3.2 to 3.0.2

Release notes

Sourced from pandas's releases.

pandas 3.0.2

We are pleased to announce the release of pandas 3.0.2. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

pandas 3.0.1

We are pleased to announce the release of pandas 3.0.1. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

pandas 3.0.0

We are pleased to announce the release of pandas 3.0.0, a major release from the pandas 2.x series. This release includes various new features, bug fixes, and performance improvements, as well as possible breaking changes.

The pandas 3.0 release removed a functionality that was deprecated in previous releases. It is recommended to first upgrade to pandas 2.3 and to ensure your code is working without warnings, before upgrading to pandas 3.0.

Highlights include:

• Dedicated string data type by default
• Consistent copy/view behaviour with Copy-on-Write (CoW) (a.k.a. getting rid of the SettingWithCopyWarning)
• New default resolution for datetime-like data
• Initial support for the new pd.col syntax

... (truncated)

Commits

• ab90747 RLS: 3.0.2 (#64934)
• 6f27013 Backport PR #64931 on branch 3.0.x (DOC/BLD: temporary disable upload of docs...
• 48ddc60 Backport PR #64664 on branch 3.0.x (BUG: DataFrame.sum() crashes on empty Dat...
• 8774488 [backport 3.0.x] PERF: fix slow python loop in validation for ArrowStringArra...
• 33af6cc Backport PR #64133 on branch 3.0.x (BUG: str.find returns byte offset instead...
• 4ef49d8 [backport 3.0.x] BUG: fix convert_dtypes dropping values from sliced mixed-dt...
• 0668f34 [backport 3.0.x] BUG: Fix HDFStore.put with StringDtype columns and compressi...
• 23f2f44 [backport 3.0.x] BUG: Suppress unnecessary RuntimeWarning in to_datetime with...
• 83ba804 Backport PR #64886: BUG: Compute Variance of Complex Numbers Correctly (#64892)
• bb5ca1a Backport PR #64386 on branch 3.0.x (BUG: fix sort_index AssertionError with R...
• Additional commits viewable in compare view

Updates tqdm from 4.67.1 to 4.67.3

Release notes

Sourced from tqdm's releases.

tqdm v4.67.3 stable

• fix py3.7 dependencies (#1706 <- #1705)

tqdm v4.67.2 stable

• support pandas>=3 (#1703 <- #1701, #1650, #1700)
• fix format_interval for negative numbers (#1703)
• misc linting
• framework updates (#1704)
  • bump CI workflow & pre-commit dependencies
  • add pyupgrade
  • add py3.13 support
  • fix py3.7 tests
  • update setuptools-scm usage
  • support auto-dedented docstrings when building docs in py3.13
• tests: relax flaky benchmarks

Commits

• 75bdb6c fix py3.7 compat
• 09a863b bump version, merge pull request #1704 from tqdm/devel
• 33d24cd update pyproject syntax
• 70b9124 add py3.13 support
• a74d8f8 drop _dist_ver
• 14d72e2 Merge pull request #1703 from wingding12/fix-pandas-3.0-and-negative-interval
• a69dac8 fix dedented docstrings
• a986d22 tests: fix pandas deprecation warnings
• bb7aa4d tests: fix pandas deprecated applymap
• 0647db1 misc tidy
• Additional commits viewable in compare view

Updates gitpython from 3.1.45 to 3.1.46

Release notes

Sourced from gitpython's releases.

3.1.46

What's Changed

• Prepare a new release by @​Byron in gitpython-developers/GitPython#2063
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in gitpython-developers/GitPython#2067
• Bump git/ext/gitdb from 335c0f6 to 39d7dbf by @​dependabot[bot] in gitpython-developers/GitPython#2068
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in gitpython-developers/GitPython#2070
• Bump git/ext/gitdb from 39d7dbf to f8fdfec by @​dependabot[bot] in gitpython-developers/GitPython#2071
• Fix type hint for SymbolicReference.reference property by @​emmanuel-ferdman in gitpython-developers/GitPython#2074
• feat: Add support for hasconfig git rule. by @​bvanelli in gitpython-developers/GitPython#2075
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in gitpython-developers/GitPython#2076
• Use actual return type in annotation for method submodule_update by @​extrwi in gitpython-developers/GitPython#2078
• Bump git/ext/gitdb from f8fdfec to 65321a2 by @​dependabot[bot] in gitpython-developers/GitPython#2082
• Preliminary support for index format v3 by @​blahgeek in gitpython-developers/GitPython#2081
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in gitpython-developers/GitPython#2084
• Pin mypy==1.18.2 by @​George-Ogden in gitpython-developers/GitPython#2087
• Respect os.Pathlike by @​George-Ogden in gitpython-developers/GitPython#2086
• Bump git/ext/gitdb from 65321a2 to 4c63ee6 by @​dependabot[bot] in gitpython-developers/GitPython#2093
• Join Pathlike Object to Tree by @​George-Ogden in gitpython-developers/GitPython#2094

New Contributors

• @​emmanuel-ferdman made their first contribution in gitpython-developers/GitPython#2074
• @​bvanelli made their first contribution in gitpython-developers/GitPython#2075
• @​extrwi made their first contribution in gitpython-developers/GitPython#2078
• @​blahgeek made their first contribution in gitpython-developers/GitPython#2081
• @​George-Ogden made their first contribution in gitpython-developers/GitPython#2087

Full Changelog: gitpython-developers/GitPython@3.1.45...3.1.46

Commits

• 9e24eb6 Prepare next release
• b8bb60e Merge pull request #2094 from George-Ogden/join-pathlike
• c8b58c0 Update test/test_tree.py
• 88e2614 Allow joining path to tree
• 9fa28ae Add failing tests for joining paths
• 6d66a02 Merge pull request #2093 from gitpython-developers/dependabot/submodules/git/...
• f738029 Bump git/ext/gitdb from 65321a2 to 4c63ee6
• eecc28d Merge pull request #2086 from George-Ogden/true-pathlike
• 0cb55fb Revert "Add tests with non-ascii characters"
• 1710626 Add tests with non-ascii characters
• Additional commits viewable in compare view

Updates fastmcp from 2.12.4 to 3.2.1

Release notes

Sourced from fastmcp's releases.

v3.2.1: Audience Participation

Most of the fixes in this patch are about auth providers getting audience validation wrong. Cognito token verification was checking the aud JWT claim, but Cognito access tokens don't include one; they use client_id instead. Azure was hardcoding the raw client ID as the expected audience, ignoring the identifier_uri parameter even though Entra v2.0 tokens use the Application ID URI as aud. Both now validate correctly without changing the provider API. Consent cookies also had an unbounded growth problem in high-DCR-client environments, eventually blowing past reverse proxy header limits; they're now capped as an LRU.

On the OpenAPI side, nullable: true fields from 3.0 specs were leaking into tool input schemas as-is instead of being converted to JSON Schema's type: ["string", "null"]. Server variable templates in base URLs (like https://{region}.api.example.com) were also being passed through raw instead of substituted with their defaults.

Smaller fixes: form submissions from Prefab UI now correctly handle unchecked boolean checkboxes, the client no longer crashes on error responses with empty or non-text content from third-party servers, and asyncio.iscoroutinefunction no longer emits deprecation warnings on Python 3.14.

What's Changed

Breaking Changes ⚠️

• fix(google): use sub (user ID) for client_id instead of aud (app ID) by @​shigechika in PrefectHQ/fastmcp#3722
• fix: remove CSP from tool metadata, keep on resource only by @​jlowin in PrefectHQ/fastmcp#3754

Enhancements ✨

• [codex] Add FastMCP docs telemetry by @​aaazzam in PrefectHQ/fastmcp#3727
• chore: split SDK navigation into standalone $ref file by @​jlowin in PrefectHQ/fastmcp#3773
• fix: bump ty to >=0.0.29 and suppress new false positives by @​jlowin in PrefectHQ/fastmcp#3790

Fixes 🐞

• fix: use explicit None checks for JWT exp validation by @​jlowin in PrefectHQ/fastmcp#3724
• Unify background task context forwarding, fix concurrent dependency bugs by @​chrisguidry in PrefectHQ/fastmcp#3710
• fix: add proxy timeouts and modernize networking in apps dev by @​mateeaaa in PrefectHQ/fastmcp#3741
• fix: ResponseLimitingMiddleware no longer breaks outputSchema tools by @​jlowin in PrefectHQ/fastmcp#3756
• fix: substitute server variable defaults when building base URL from OpenAPI spec by @​mrishav in PrefectHQ/fastmcp#3770
• fix: FastAPI TestClient compatibility and lifespan re-initialization by @​kvdhanush06 in PrefectHQ/fastmcp#3736
• fix: propagate upstream_claims in load_access_token by @​kvdhanush06 in PrefectHQ/fastmcp#3750
• Remove deprecated asyncio.iscoroutinefunction fallback by @​kaiisfree in PrefectHQ/fastmcp#3767
• fix: changeable allowed_client_redirect_uris on OAuthProxy by @​fengarix in PrefectHQ/fastmcp#3772
• fix: broken link in changelog by @​jlowin in PrefectHQ/fastmcp#3775
• fix(docs): correct FastMCP tool name in welcome docs by @​buyua9 in PrefectHQ/fastmcp#3781
• fix: cap consent cookie size to prevent header overflow by @​jlowin in PrefectHQ/fastmcp#3784
• Fix boolean property schemas in JSON Schema parsing by @​jlowin in PrefectHQ/fastmcp#3785
• Fix OpenAPI 3.0 nullable fields in tool input schemas by @​kvdhanush06 in PrefectHQ/fastmcp#3768
• fix: Cognito token verification checks client_id instead of aud by @​jlowin in PrefectHQ/fastmcp#3786
• fix: use identifier_uri as audience for Azure token validation by @​jlowin in PrefectHQ/fastmcp#3787
• Harden client tool result error handling by @​aimable100 in PrefectHQ/fastmcp#3778

Docs 📚

• Github integraiton documentation fix: use result.data otherwise CallToolResult not scriptable by @​c4jquick in PrefectHQ/fastmcp#3753
• chore: split v2 docs navigation into separate file by @​jlowin in PrefectHQ/fastmcp#3762
• docs: document forward_resource parameter on OAuthProxy by @​jlowin in PrefectHQ/fastmcp#3788

Examples & Contrib 💡

• fix: boolean false values dropped in form submissions by @​jlowin in PrefectHQ/fastmcp#3776

Dependencies 📦

• chore(deps): bump fastmcp from 3.1.1 to 3.2.0 in /examples/testing_demo in the uv group across 1 directory by @​dependabot[bot] in PrefectHQ/fastmcp#3728
• chore(deps): bump anthropic from 0.86.0 to 0.87.0 in the uv group across 1 directory by @​dependabot[bot] in PrefectHQ/fastmcp#3742

New Contributors

• @​c4jquick made their first contribution in PrefectHQ/fastmcp#3753
• @​mateeaaa made their first contribution in PrefectHQ/fastmcp#3741
• @​mrishav made their first contribution in PrefectHQ/fastmcp#3770

... (truncated)

Changelog

Sourced from fastmcp's changelog.

---

title: "Changelog" icon: "list-check" rss: true tag: NEW

v3.1.1: 'Tis But a Patch

Pins pydantic-monty below 0.0.8 to fix a breaking change in Monty that affects code mode. Monty 0.0.8 removed the external_functions constructor parameter, causing MontySandboxProvider to fail. This patch caps the version so existing installs work correctly.

Fixes 🐞

• Pin pydantic-monty below 0.0.8 to fix code mode by @​jlowin in #3497

Full Changelog: v3.1.0...v3.1.1

v3.1.0: Code to Joy

FastMCP 3.1 is the Code Mode release. The 3.0 architecture introduced providers and transforms as the extensibility layer — 3.1 puts that architecture to work, shipping the most requested capability since launch: servers that can find and execute code on behalf of agents, without requiring clients to know what tools exist.

New Features 🎉

• feat: Search transforms for tool discovery by @​jlowin in #3154
• Add experimental CodeMode transform by @​aaazzam in #3297
• Add Prefab Apps integration for MCP tool UIs by @​jlowin in #3316

Enhancements 🔧

• Lazy-load heavy imports to reduce import time by @​jlowin in #3295
• Add http_client parameter to all token verifiers for connection pooling by @​jlowin in #3300
• Add in-memory caching for token introspection results by @​jlowin in #3298
• Add SessionStart hook to install gh CLI in cloud sessions by @​jlowin in #3308
• Fix ty 0.0.19 type errors by @​jlowin in #3310
• Code Mode: Add resource limits to MontySandboxProvider by @​jlowin in #3326
• Accept transforms as FastMCP init kwarg by @​jlowin in #3324
• Split large test files to comply with loq line limit by @​jlowin in #3328
• Add -m/--module flag to fastmcp run and dev inspector by @​dgenio in #3331
• Add search_result_serializer hook and serialize_tools_for_output_markdown by @​MagnusS0 in #3337
• Add MultiAuth for composing multiple token verification sources by @​jlowin in #3335
• Adds PropelAuth as an AuthProvider by @​andrew-propelauth in #3358
• Replace vendored DI with uncalled-for by @​chrisguidry in #3301
• Decompose CodeMode into composable discovery tools by @​jlowin in #3354
• feat(contrib): auto-sync MCPMixin decorators with from_function signatures by @​AnkeshThakur in #3323
• Add Google GenAI Sampling Handler by @​strawgate in #2977
• Add ListTools, search limit, and catalog size annotation to CodeMode by @​jlowin in #3359
• Allow configuring FastMCP transport setting in the same way as other configuration by @​jvdmr in #1796
• Add include_unversioned option to VersionFilter by @​yangbaechu in #3349

... (truncated)

Commits

• 556fd8f Harden client tool result error handling (#3778)
• e064ba6 chore: Update SDK documentation (#3791)
• a3c5cc1 chore: Update SDK documentation (#3757)
• f5be772 fix: bump ty to >=0.0.29 and suppress new false positives (#3790)
• f14456d docs: document forward_resource parameter on OAuthProxy (#3788)
• 2b9d3ee fix: use identifier_uri as audience for Azure token validation (#3787)
• e1ea133 fix: Cognito token verification checks client_id instead of aud (#3786)
• 042db1d Fix OpenAPI 3.0 nullable fields in tool input schemas (#3768)
• e5b9634 Fix boolean property schemas in JSON Schema parsing (#3785)
• 3ef9130 fix: cap consent cookie size to prevent header overflow (#3784)
• Additional commits viewable in compare view

Updates lmnr from 0.7.25 to 0.7.47

Commits

• See full diff in compare view

Updates python-dotenv from 1.1.1 to 1.2.2

Release notes

Sourced from python-dotenv's releases.

v1.2.2

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#)

Changed

• The dotenv run command now forwards flags directly to the specified command by @​bbc2 in theskumar/python-dotenv#607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by @​bbc2 in #790c5
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by @​JYOuyang in theskumar/python-dotenv#590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

Misc

• skip 000 permission tests for root user by @​burnout-projects in theskumar/python-dotenv#561
• Bump actions/checkout from 5 to 6 in the github-actions group by @​dependabot[bot] in theskumar/python-dotenv#593
• Add Windows testing to CI by @​bbc2 in theskumar/python-dotenv#604
• Improve workflow efficiency with best practices by @​theskumar in theskumar/python-dotenv#609
• Remove the use of sh in tests by @​bbc2 in theskumar/python-dotenv#612

New Contributors

• @​JYOuyang made their first contribution in theskumar/python-dotenv#590
• @​burnout-projects made their first contribution in theskumar/python-dotenv#561
• @​cpackham-atlnz made their first contribution in theskumar/python-dotenv#597

Full Changelog: theskumar/python-dotenv@v1.2.1...v1.2.2

v1.2.1

What's Changed

... (truncated)

Changelog

Sourced from python-dotenv's changelog.

[1.2.2] - 2026-03-01

Added

• Support for Python 3.14, including the free-threaded (3.14t) build. (#588)

Changed

• The dotenv run command now forwards flags directly to the specified command by [@​bbc2] in #607
• Improved documentation clarity regarding override behavior and the reference page.
• Updated PyPy support to version 3.11.
• Documentation for FIFO file support.
• Dropped Support for Python 3.9.

Fixed

• Improved set_key and unset_key behavior when interacting with symlinks by [@​bbc2] in [790c5c0]
• Corrected the license specifier and added missing Python 3.14 classifiers in package metadata by [@​JYOuyang] in #590

Breaking Changes

• dotenv.set_key and dotenv.unset_key used to follow symlinks in some situations. This is no longer the case. For that behavior to be restored in all cases, follow_symlinks=True should be used.

• In the CLI, set and unset used to follow symlinks in some situations. This is no longer the case.

• dotenv.set_key, dotenv.unset_key and the CLI commands set and unset used to reset the file mode of the modified .env file to 0o600 in some situations. This is no longer the case: The original mode of the file is now preserved. Is the file needed to be created or wasn't a regular file, mode 0o600 is used.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

Commits

• 36004e0 Bump version: 1.2.1 → 1.2.2
• eb20252 docs: update changelog for v1.2.2
• 790c5c0 Merge commit from fork
• 43340da Remove the use of sh in tests (Description has been truncated

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.