Bump the uv group across 3 directories with 4 updates

[dependabot]

Bumps the uv group with 2 updates in the /python/helpers/pydev/test-requirements directory: pytest and django.
Bumps the uv group with 1 update in the /python/helpers/typeshed directory: uv.
Bumps the uv group with 2 updates in the /python/testData/requirement/generation/baseFileUnchanged directory: django and cookiecutter.

Updates pytest from 4.6.11 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates django from 1.11.29 to 4.2.30

Commits

• 3396992 [4.2.x] Bumped version for 4.2.30 release.
• ed4dfda [4.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• f13c20f [4.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• abfe1a1 [4.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 051f390 [4.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 4412731 [4.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 8d2a05c [4.2.x] Added stub release notes and release date for 4.2.30.
• b1d9ea4 [4.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• 385678e [4.2.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive.
• 69de846 [4.2.x] Post-release version bump.
• Additional commits viewable in compare view

Updates uv from 0.9.22 to 0.11.6

Release notes

Sourced from uv's releases.

0.11.6

Release Notes

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

• Do not remove files outside the venv on uninstall (#18942)
• Validate and heal wheel RECORD during installation (#18943)
• Avoid uv cache clean errors due to Win32 path normalization (#18856)

Install uv 0.11.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.6/uv-installer.ps1 | iex"

Download uv 0.11.6

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
uv-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
uv-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
uv-i686-pc-windows-msvc.zip	x86 Windows	checksum
uv-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
uv-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
uv-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz	PPC64LE Linux	checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz	RISCV Linux	checksum
uv-s390x-unknown-linux-gnu.tar.gz	S390x Linux	checksum
uv-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum
uv-armv7-unknown-linux-gnueabihf.tar.gz	ARMv7 Linux	checksum
uv-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
uv-i686-unknown-linux-musl.tar.gz	x86 MUSL Linux	checksum
uv-riscv64gc-unknown-linux-musl.tar.gz	RISCV MUSL Linux	checksum
uv-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum
uv-arm-unknown-linux-musleabihf.tar.gz	ARMv6 MUSL Linux (Hardfloat)	checksum
uv-armv7-unknown-linux-musleabihf.tar.gz	ARMv7 MUSL Linux	checksum

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.6

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

• Do not remove files outside the venv on uninstall (#18942)
• Validate and heal wheel RECORD during installation (#18943)
• Avoid uv cache clean errors due to Win32 path normalization (#18856)

0.11.5

Released on 2026-04-08.

Python

• Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#18908)

Enhancements

• Fix build_system.requires error message (#18911)
• Remove trailing path separators in path normalization (#18915)
• Improve error messages for unsupported or invalid TLS certificates (#18924)

Preview features

• Add exclude-newer to [[tool.uv.index]] (#18839)
• uv audit: add context/warnings for ignored vulnerabilities (#18905)

Bug fixes

• Normalize persisted fork markers before lock equality checks (#18612)
• Clear junction properly when uninstalling Python versions on Windows (#18815)
• Report error cleanly instead of panicking on TLS certificate error (#18904)

Documentation

• Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
• Fix uv init example-bare --bare examples (#18822, #18925)

0.11.4

Released on 2026-04-07.

Enhancements

• Add support for --upgrade-group (#18266)
• Merge repeated archive URL hashes by version ID (#18841)

... (truncated)

Commits

• 6595080 Bump version to 0.11.6 (#18948)
• 7983c7a Validate and heal RECORD during installation (#18943)
• b38439b Avoid uv cache clean errors due to Win32 path normalization (#18856)
• a0e461a Do not remove files outside the venv on uninstall (#18942)
• 95eaa68 Bump version to 0.11.5 (#18930)
• f6d67d5 Improve certificate loading error messages (#18924)
• 39b83c3 Add exclude-newer to [[tool.uv.index]] (#18839)
• 7924ba5 uv audit: add context/warnings for ignored vulnerabilities (#18905)
• a352ce0 Remove the legacy PIP_COMPATIBILITY.md redirect file (#18928)
• 33b6338 Normalize persisted fork markers before lock equality checks (#18612)
• Additional commits viewable in compare view

Updates django from 1.1.1 to 4.2.30

Commits

• 3396992 [4.2.x] Bumped version for 4.2.30 release.
• ed4dfda [4.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• f13c20f [4.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• abfe1a1 [4.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 051f390 [4.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 4412731 [4.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 8d2a05c [4.2.x] Added stub release notes and release date for 4.2.30.
• b1d9ea4 [4.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• 385678e [4.2.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive.
• 69de846 [4.2.x] Post-release version bump.
• Additional commits viewable in compare view

Updates cookiecutter from 1.7.0 to 2.1.1

Release notes

Sourced from cookiecutter's releases.

2.1.1

Documentation updates

• Fix local extensions documentation (#1686) @​alkatar21

Bugfixes

• Sanitize Mercurial branch information before checkout. (#1689) @​ericof

This release is made by wonderful contributors:

@​alkatar21, @​ericof and @​jensens

2.1.0

Preamble

This release log lists all changes from 1.7.3 to this release. It includes the log of the 2.0.x releases, which were never published on PyPI. Because of that it might look a bit blurry.

We release the current stable state of the project, knowing there are a bunch of open pull requests. Those will be reviewed by the core-committers and merged or dropped.

Future releases will happen more frequently. Stay tuned.

Fetch fresh from PyPI https://pypi.org/project/cookiecutter/2.1.0/

Changes

• Move contributors and backers to credits section (#1599) @​doobrie
• test_generate_file_verbose_template_syntax_error fixed (#1671) @​MaciejPatro
• Removed changes related to setuptools_scm (#1629) @​ozer550
• Release 2.0.1 (#1620) @​audreyfeldroy

Breaking Changes

• Release preparation for 2.0.1rc1 (#1608) @​audreyfeldroy
• Replace poyo with pyyaml. (#1489) @​dHannasch
• Added: Path templates will be rendered when copy_without_render used (#839) @​noirbizarre
• Added: End of line detection and configuration. (#1407) @​insspb
• Remove support for python2.7 (#1386) @​ssbarnea

Minor Changes

• Documentation overhaul (#1677) @​jensens
• Feature/local extensions (#1240) @​mwesterhof
• Adopt setuptools-scm packaging (#1577) @​ssbarnea
• Log the error message when git clone fails, not just the return code (#1505) @​logworthy
• allow jinja 3.0.0 (#1548) @​wouterdb
• Added uuid extension to be able to generate uuids (#1493) @​jonaswre

... (truncated)

Changelog

Sourced from cookiecutter's changelog.

2.1.1 (2022-06-01)

Documentation updates

• Fix local extensions documentation (#1686) @​alkatar21

Bugfixes

• Sanitize Mercurial branch information before checkout. (#1689) @​ericof

This release is made by wonderfull contributors:

@​alkatar21, @​ericof and @​jensens

2.1.0 (2022-05-30)

Changes

• Move contributors and backers to credits section (#1599) @​doobrie
• test_generate_file_verbose_template_syntax_error fixed (#1671) @​MaciejPatro
• Removed changes related to setuptools_scm (#1629) @​ozer550
• Feature/local extensions (#1240) @​mwesterhof

CI/CD and QA changes

• Check manifest: pre-commit, fixes, cleaning (#1683) @​jensens
• Follow PyPA guide to release package using GitHub Actions. (#1682) @​ericof

Documentation updates

• Fix typo in dict_variables.rst (#1680) @​ericof
• Documentation overhaul (#1677) @​jensens
• Fixed incorrect link on docs. (#1649) @​luzfcb

Bugfixes

• Restore accidentally deleted support for click 8.x (#1643) @​jaklan

This release was made possible by our wonderful contributors:

@​doobrie, @​jensens, @​ericof, @​luzfcb

2.0.2 (2021-12-27)

Remark: This release never made it to official PyPI

• Fix Python version number in cookiecutter --version and test on Python 3.10 (#1621) @​ozer550
• Removed changes related to setuptools_scm (#1629) @​audreyfeldroy @​ozer550

... (truncated)

Commits

• f9376a9 Prepare release 2.1.1
• fdffddb Merge pull request #1689 from cookiecutter/sanitize-mercurial-checkout
• 85a7884 Lint fixes
• e26c465 Sanitize Mercurial branch information before checkout.
• 94036d0 Merge pull request #1687 from cookiecutter/bump-version-back-to-dev
• 70b2ee2 Merge pull request #1686 from alkatar21/patch-1
• 8b33e96 Bump version to 2.1.1.dev0
• 58d716f [Docs] Fix local extensions documentation
• f601b71 Merge pull request #1684 from cookiecutter/bump-release-2.1.0
• 96c6826 bump version and edit historie
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.