deps(pip): bump the pip-major group across 1 directory with 4 updates

[dependabot]

Bumps the pip-major group with 4 updates in the / directory: rich, starlette, textual and zipp.

Updates rich from 14.2.0 to 15.0.0

Release notes

Sourced from rich's releases.

The So Long 3.8 Release

A few fixes. The major version bump is to honor the passing of 3.8 support which reached its EOL in October 7, 2024

[15.0.0] - 2026-04-12

Changed

• Breaking change: Dropped support for Python3.8

Fixed

• Fixed empty print ignoring the end parameter Textualize/rich#4075
• Fixed Text.from_ansi removing newlines Textualize/rich#4076
• Fixed FileProxy.isatty not proxying Textualize/rich#4077
• Fixed inline code in Markdown tables cells Textualize/rich#4079

The Faster Startup Release

No new features in this release, but there should be improved startup time for Rich apps, and potentially improved runtime if you have a lot of links.

[14.3.4] - 2026-04-11

Changed

• Improved import time with lazy loading Textualize/rich#4070
• Changed link id generation to avoid random number generation at runtime Textualize/rich#3845

The infinite Release

Fixed a infinite loop in split_graphemes

[14.3.3] - 2026-02-19

Fixed

• Fixed infinite loop with cells.split_graphemes Textualize/rich#4006

The ZWJy release

A fix for cell_len edge cases

[14.3.2] - 2026-02-01

Fixed

• Fixed solo ZWJ crash Textualize/rich#3953
• Fixed control codes reporting width of 1 Textualize/rich#3953

The Nerdy Fix release

Fixed issue with characters outside of unicode range reporting 0 cell size

[14.3.1] - 2026-01-24

... (truncated)

Changelog

Sourced from rich's changelog.

[15.0.0] - 2026-04-12

Changed

• Breaking change: Dropped support for Python3.8

Fixed

• Fixed empty print ignoring the end parameter Textualize/rich#4075
• Fixed Text.from_ansi removing newlines Textualize/rich#4076
• Fixed FileProxy.isatty not proxying Textualize/rich#4077
• Fixed inline code in Markdown tables cells Textualize/rich#4079

[14.3.4] - 2026-04-11

Changed

• Improved import time with lazy loading Textualize/rich#4070
• Changed link id generation to avoid random number generation at runtime Textualize/rich#3845

[14.3.3] - 2026-02-19

Fixed

• Fixed infinite loop with cells.split_graphemes Textualize/rich#4006

[14.3.2] - 2026-02-01

Fixed

• Fixed solo ZWJ crash Textualize/rich#3953
• Fixed control codes reporting width of 1 Textualize/rich#3953

[14.3.1] - 2026-01-24

Fixed

• Fixed characters out of unicode range reporting a cell size if 0 Textualize/rich#3944

[14.3.0] - 2026-01-24

Fixed

• IPython now respects when a Console instance is passed to pretty.install Textualize/rich#3915
• Fixed extraneous blank line on non-interactive disabled Progress Textualize/rich#3905
• Fixed extra padding on first cell in columns Textualize/rich#3935
• Fixed trailing whitespace removed when soft_wrap=True Textualize/rich#3937
• Fixed style new-lines when soft_wrap = True and a print style is set Textualize/rich#3938

Added

... (truncated)

Commits

• 6ac483c correction
• 458a910 Merge pull request #4080 from Textualize/bump1500
• 82e06e0 changelog
• d6556bc bump to 15.0.0
• ffe2edc Merge pull request #4079 from Textualize/inline-table-code
• cf3b5a1 changelog
• 77f0edb remove comments
• 7ef2d05 fix inline code in table cells
• 19c67b9 Merge pull request #4077 from Textualize/isattry
• 494b795 changelog
• Additional commits viewable in compare view

Updates starlette from 0.50.0 to 1.2.1

Release notes

Sourced from starlette's releases.

Version 1.2.1

What's Changed

• Use httpx2 for type checking in the testclient module by @​leifwar in Kludex/starlette#3304
• Add assert error for requires() when request param is not Request type by @​KeeganOP in Kludex/starlette#3298

New Contributors

• @​leifwar made their first contribution in Kludex/starlette#3304
• @​diskeu made their first contribution in Kludex/starlette#3243
• @​KeeganOP made their first contribution in Kludex/starlette#3298

Full Changelog: Kludex/starlette@1.2.0...1.2.1

Version 1.2.0

What's Changed

• Support httpx2 in the test client by @​Kludex in Kludex/starlette#3291

Full Changelog: Kludex/starlette@1.1.0...1.2.0

Version 1.1.0

What's Changed

• Use "application/octet-stream" as the FileResponse media type fallback by @​ATOM00blue in Kludex/starlette#3283
• Only dispatch standard HTTP verbs in HTTPEndpoint by @​Kludex in Kludex/starlette#3286
• Reject absolute paths in StaticFiles.lookup_path by @​Kludex in Kludex/starlette#3287

New Contributors

• @​ATOM00blue made their first contribution in Kludex/starlette#3283

Full Changelog: Kludex/starlette@1.0.1...1.1.0

Version 1.0.1

What's Changed

• Ignore malformed Host header when constructing request.url by @​Kludex in Kludex/starlette#3279

Full Changelog: Kludex/starlette@1.0.0...1.0.1

Version 1.0.0

Starlette 1.0 is here! 🎉

After nearly eight years since its creation, Starlette has reached its first stable release.

A special thank you to @​lovelydinosaur, the creator of Starlette, Uvicorn, HTTPX and MkDocs, whose work helped to lay the foundation for the modern async Python ecosystem. 🙏

Thank you to @​adriangb, @​graingert, @​agronholm, @​florimondmanca, @​aminalaee, @​tiangolo, @​alex-oleshkevich, @​abersheeran, and @​uSpike for helping make Starlette what it is today. And to all my sponsors - especially @​tiangolo, @​huggingface, and @​elevenlabs - thank you for your support!

Thank you to all 290+ contributors who have shaped Starlette over the years! ❤️

Read more on the blog post.

Check out the full release notes at https://www.starlette.io/release-notes/#100-march-22-2026

... (truncated)

Changelog

Sourced from starlette's changelog.

1.2.1 (May 31, 2026)

Fixed

• Use httpx2 for type checking in the testclient module #3304.
• Add assert error for requires() when the request parameter is not a Request type #3298.

1.2.0 (May 28, 2026)

Added

• Support httpx2 in the test client #3291.

1.1.0 (May 23, 2026)

Added

• Use "application/octet-stream" as the FileResponse media type fallback #3283.

Fixed

• Only dispatch standard HTTP verbs in HTTPEndpoint #3286.
• Reject absolute paths in StaticFiles.lookup_path #3287.

1.0.1 (May 21, 2026)

Fixed

• Ignore malformed Host header when constructing request.url #3279.

1.0.0 (March 22, 2026)

Starlette 1.0 is here!

After nearly eight years since its creation, Starlette has reached its first stable release. Thank you to everyone who tested the release candidate and reported issues.

You can read more on the blog post.

Added

• Track session access and modification in SessionMiddleware #3166.

Fixed

• Handle websocket denial responses in StreamingResponse and FileResponse #3189.
• Use bytearray for field accumulation in FormParser #3179.
• Move parser.finalize() inside try/except in MultiPartParser.parse() #3153.

1.0.0rc1 (February 23, 2026)

... (truncated)

Commits

• ef773fe Version 1.2.1 (#3306)
• 3fc68a7 Add sponsors section to docs sidebar (#3305)
• b053f7b chore(deps): bump the python-packages group across 1 directory with 6 updates...
• 1478775 Add assert error for requires() when request param is not Request type (#3298)
• 6576547 Describe disconnected-after-response behavior in test docstring (#3243)
• 9cb1553 Use same module (httpx|httpx2) for type checking as for runtime (#3304)
• 4060987 Version 1.2.0 (#3300)
• 1e289ca Migrate docs deploy from Cloudflare Pages to Workers Static Assets (#3282)
• 100f05a Add httpx2 as a dev dependency (#3295)
• 508023b Support httpx2 in the test client (#3291)
• Additional commits viewable in compare view

Updates textual from 7.5.0 to 8.2.7

Release notes

Sourced from textual's releases.

The more Kitty Release

This release adds additional support for the Kitty key protocol. Which enables some additional keys on some terminals. Additionally, Textual will report modifier keys as separate key events.

Additionally there are a few more shortcuts to the Text Area.

This release sponsored by Mistral AI. See release notes for detail.

[8.2.7] - 2026-05-19

Added

• Added support for Kitty key protocol "Report all keys as escape codes" which enabled alt+backspace on Warp Textualize/textual#6544
• Added support for detecting separate modifier keys for terminals that support the Kitty key protocol Textualize/textual#6544
• Added TEXTUAL_DISABLE_KITTY_KEY env var to disable Kitty key protocol support (debug aid). Textualize/textual#6544

Changed

• Undo/redo/copy/cut/paste in TextArea will now work with cmd+ on supported terminals Textualize/textual#6543
• In TextArea, ctrl+u will now delete a newline if the cursor is at the start Textualize/textual#6543
• in TextArea alt+delete is now bound to delete word right Textualize/textual#6543
• Text opacity applied to an ansi theme will now set the dim attribute if the opacity is < 50% Textualize/textual#6546

The more selective release

Improved text select logic. You can select text without first clicking on a content area.

May break snapshots without affecting appearance.

[8.2.6] - 2026-04-13

Fixed

• Fixed selection to the right of code fence blocks (may break some snapshots)
• Fixed Markdown code fences losing content when switching themes Textualize/textual#6537

Added

• Added ability to select outside of text, so the user doesn't need to be quite so precise Textualize/textual#6523

The Antsy Release

This release adds support for dedicated ansi themes, which are also exposed from the command palette.

There were a few tweaks to the theming system which may result in broken snapshots, but there should be no visual changes.

[8.2.5] - 2026-04-30

Added

... (truncated)

Changelog

Sourced from textual's changelog.

[8.2.7] - 2026-05-19

Added

• Added support for Kitty key protocol "Report all keys as escape codes" which enabled alt+backspace on Warp Textualize/textual#6544
• Added support for detecting separate modifier keys for terminals that support the Kitty key protocol Textualize/textual#6544
• Added TEXTUAL_DISABLE_KITTY_KEY env var to disable Kitty key protocol support (debug aid). Textualize/textual#6544

Changed

• Undo/redo/copy/cut/paste in TextArea will now work with cmd+ on supported terminals Textualize/textual#6543
• In TextArea, ctrl+u will now delete a newline if the cursor is at the start Textualize/textual#6543
• in TextArea alt+delete is now bound to delete word right Textualize/textual#6543
• Text opacity applied to an ansi theme will now set the dim attribute if the opacity is < 50% Textualize/textual#6546

Fixed

• Fixed text opacity with ANSI themes creating RGB colors. Textualize/textual#6546

[8.2.6] - 2026-05-13

Fixed

• Fixed selection to the right of code fence blocks (may break some snapshots)
• Fixed Markdown code fences losing content when switching themes Textualize/textual#6537

Added

• Added ability to select outside of text, so the user doesn't need to be quite so precise Textualize/textual#6523

[8.2.5] - 2026-04-30

Added

• Two new themes: "ansi-dark" and "ansi-light" Textualize/textual#6513
• Added an ansi value to themes Textualize/textual#6513

Changed

• App.ansi_color may now be None to use the ansi value from the theme. Textualize/textual#6513

[8.2.4] - 2026-04-19

Added

• Added DOM.update_classes Textualize/textual#6478

Fixed

• Fixed anchor released when scrolling down with the trackpad Textualize/textual#6503

... (truncated)

Commits

• 182277f Merge pull request #6546 from Textualize/ansi-opacity
• 49cbec4 bump
• b24ef07 snapshot
• 24e34e4 changelog
• 0c8bbc7 text opacity change
• 3b04f31 Merge pull request #6543 from Textualize/textarea-actions
• 913f5d2 test fixes
• 1027c41 ctrl+f replaced with ctrl+delete
• 01fb6fd ctrl+backspace binding
• 5431709 words
• Additional commits viewable in compare view

Updates zipp from 3.23.1 to 4.1.0

Changelog

Sourced from zipp's changelog.

v4.1.0

Features

• Path.iterdir now raises NotADirectoryError (formerly ValueError) when call on something that's not a directory. (#154)

v4.0.0

Deprecations and Removals

• Drop workaround for stacklevel bug on older PyPy releases. (#149)

Commits

• 29a7a55 Finalize
• bf9bf8c Merge pull request #154 from ShipItAndPray/fix-129-iterdir-notadirectory
• a43226a Add news fragment.
• 5b41b49 Merge branch 'main' into fix-129-iterdir-notadirectory
• f2f3e79 👹 Feed the hobgoblins (delint).
• d14b720 Merge https://github.com/jaraco/skeleton
• b8f1030 More aggressively direct Agents not to add generated artifacts.
• fb8483b Use Python 3.14 as the latest stable.
• 91aed9ajaraco/skeleton#198
• 225b2af Add agent guidance pointing to skeleton documentation.
• Additional commits viewable in compare view

[greptile-apps]

Greptile Summary

Dependabot bump of four major-version pip dependencies: rich 14.2→15.0, starlette 0.50→1.2.1, textual 7.5→8.2.7, and zipp 3.23.1→4.1.0, with matching hash updates in docker-requirements.txt and a tightened lower-bound for rich in pyproject.toml.

• rich 15.0.0 drops Python 3.8 support, which is compatible with the project's requires-python = \">=3.10\" constraint; the pyproject.toml lower-bound is updated from >=13.0 to >=15.0.0 accordingly.
• starlette 0.50→1.2.1 is a major-version jump; a prior review comment has already flagged the conflict with fastapi==0.128.0 in docker-requirements.txt.
• textual 7.5→8.2.7 and zipp 3.23.1→4.1.0 are transitive dependencies (via cisco-ai-skill-scanner) with no direct imports in the project source.

Confidence Score: 4/5

Mostly safe to merge, but the starlette 0.50→1.2.1 bump in docker-requirements.txt conflicts with the pinned fastapi==0.128.0, which was designed for the starlette 0.x API.

The starlette jump crosses a major-version boundary that introduced breaking changes to SessionMiddleware, HTTPEndpoint, and StaticFiles — APIs that FastAPI 0.128.0 relies on. The hash-locked requirements file will install both packages without a resolver error, so the breakage would only surface at runtime. The remaining three package bumps (rich, textual, zipp) are straightforward and carry no compatibility risk for this project.

docker-requirements.txt — the starlette/fastapi version pairing needs attention before this is deployed.

Important Files Changed

Filename	Overview
docker-requirements.txt	Hash-pinned versions updated for rich (14.2→15.0), starlette (0.50→1.2.1), textual (7.5→8.2.7), and zipp (3.23.1→4.1.0); starlette major-version bump conflicts with the pinned fastapi==0.128.0 (already flagged in a prior comment)
pyproject.toml	Tightens the rich lower-bound from >=13.0 to >=15.0.0, aligning the declared constraint with the newly pinned version; consistent with the project's Python >=3.10 requirement

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pyproject.toml\nhol-guard] -->|direct dep| B[rich 14.2.0 to 15.0.0]
    A -->|direct dep| C[cisco-ai-skill-scanner 2.0.9]
    C -->|transitive| D[textual 7.5.0 to 8.2.7]
    C -->|transitive| E[zipp 3.23.1 to 4.1.0]
    F[docker-requirements.txt] -->|pinned| G[fastapi 0.128.0]
    F -->|pinned| H[starlette 0.50.0 to 1.2.1]
    G -->|expects starlette 0.x| I{Conflict}
    H -->|provides starlette 1.x| I
    style I fill:#f99,stroke:#c00
    style G fill:#fdd,stroke:#c00
    style H fill:#fdd,stroke:#c00

Loading

_{Reviews (3): Last reviewed commit: "deps(pip): bump the pip-major group acro..." | Re-trigger Greptile}

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (2 files)

• docker-requirements.txt — SHA-256 pin updates for rich, starlette, textual, zipp
• pyproject.toml — Lower bound tightened for rich from >=13.0 to >=15.0.0

Other Observations (not in diff)

None. The existing Greptile summary correctly notes the zipp 4.x behavioral change (ValueError → NotADirectoryError from Path.iterdir), but no application code in this repo catches ValueError around importlib.metadata filesystem operations — all existing except ValueError blocks catch application-level validation errors.

---

_{Reviewed by laguna-m.1-20260312:free · 505,166 tokens}

[greptile-apps]

Starlette 1.x incompatible with pinned FastAPI 0.128.0

docker-requirements.txt pins fastapi==0.128.0 (line ~491) alongside starlette==1.2.1, but FastAPI's own release notes show that the 0.128.x patch series explicitly caps its starlette dependency at starlette>=0.40.0,<1.0.0 (documented under the 0.128.3 release). Starlette 1.0 included breaking changes to SessionMiddleware, HTTPEndpoint dispatch, and StaticFiles.lookup_path that FastAPI 0.128 was not designed to handle. Because docker-requirements.txt uses --hash pinning, pip will force-install both packages without raising a resolver conflict, meaning the incompatibility surfaces only at runtime — likely as an ImportError or AttributeError when FastAPI attempts to use starlette internals that changed in 1.0. Consider also bumping fastapi to a version that explicitly supports starlette ≥1.0, or holding starlette back to the 0.x series until fastapi is upgraded.