chore(deps)(deps): bump the python-dependencies group with 6 updates

[dependabot]

Bumps the python-dependencies group with 6 updates:

Package	From	To
narwhals	2.18.1	2.19.0
fastapi	0.135.2	0.135.3
uvicorn	0.42.0	0.44.0
python-multipart	0.0.22	0.0.24
pandas	3.0.1	3.0.2
marimo	0.21.1	0.22.4

Updates narwhals from 2.18.1 to 2.19.0

Release notes

Sourced from narwhals's releases.

Narwhals v2.19.0

Changes

✨ Enhancements

• feat: Support other Expr/Series in str.contains for polars and SQL-like backends (#3473)
• feat: Add nw.corr (#3460)

🐞 Bug fixes

• fix: Update version when passing narwhals objects in from_native (#3515)

🛠️ Other improvements

• fix: make typing to re-use uv machinery (#3531)
• chore: Replace weekday with day_of_week for pandas-like and dask (#3527)
• chore: unxfail pandas-nightly test (#3524)
• chore: pre-commit auto-update (#3534)
• Revert "skip changelog(deps): bump release-drafter/release-drafter from 6 to 7" (#3535)

Thank you to all our contributors for making this release possible! @​EdAbati, @​FBruzzesi, @​MarcoGorelli, @​benrutter, @​camriddell, @​dependabot[bot] and dependabot[bot]

Commits

• 61517f8 release: Bump version to 2.19.0
• 27510ab fix: make typing to re-use uv machinery (#3531)
• 25bdb8f fix: Update version when passing narwhals objects in from_native (#3515)
• b95a52d chore: pre-commit auto-update (#3534)
• ba50d5d Revert "skip changelog(deps): bump release-drafter/release-drafter from 6 to ...
• 7e3fcca skip changelog(deps): bump release-drafter/release-drafter from 6 to 7 (#3529)
• b7c644b skip changelog(deps): bump sigstore/gh-action-sigstore-python from 3.2.0 to 3...
• 254655a chore: Replace weekday with day_of_week for pandas-like and dask (#3527)
• 86cd0ab feat: Support other Expr/Series in str.contains for polars and SQL-like bac...
• 228fee8 feat: Add nw.corr (#3460)
• Additional commits viewable in compare view

Updates fastapi from 0.135.2 to 0.135.3

Release notes

Sourced from fastapi's releases.

0.135.3

Features

• ✨ Add support for @app.vibe(). PR #15280 by @​tiangolo.
  • New docs: Vibe Coding.

Docs

• ✏️ Fix typo for client_secret in OAuth2 form docstrings. PR #14946 by @​bysiber.

Internal

• 👥 Update FastAPI People - Experts. PR #15279 by @​tiangolo.
• ⬆ Bump orjson from 3.11.7 to 3.11.8. PR #15276 by @​dependabot[bot].
• ⬆ Bump ruff from 0.15.0 to 0.15.8. PR #15277 by @​dependabot[bot].
• 👥 Update FastAPI GitHub topic repositories. PR #15274 by @​tiangolo.
• ⬆ Bump fastmcp from 2.14.5 to 3.2.0. PR #15267 by @​dependabot[bot].
• 👥 Update FastAPI People - Contributors and Translators. PR #15270 by @​tiangolo.
• ⬆ Bump requests from 2.32.5 to 2.33.0. PR #15228 by @​dependabot[bot].
• 👷 Add ty check to lint.sh. PR #15136 by @​svlandeg.

Commits

• 1f442c4 🔖 Release version 0.135.3
• 8f5d157 📝 Update release notes
• 428452a 📝 Update release notes
• 70580da ✨ Add support for @app.vibe() (#15280)
• 6ee8747 📝 Update release notes
• 3e72c09 👥 Update FastAPI People - Experts (#15279)
• 96df35f 📝 Update release notes
• 6c81125 ⬆ Bump orjson from 3.11.7 to 3.11.8 (#15276)
• 428f82c 📝 Update release notes
• 5599c59 ⬆ Bump ruff from 0.15.0 to 0.15.8 (#15277)
• Additional commits viewable in compare view

Updates uvicorn from 0.42.0 to 0.44.0

Release notes

Sourced from uvicorn's releases.

Version 0.44.0

What's Changed

• Implement websocket keepalive pings for websockets-sansio by @​Kludex in Kludex/uvicorn#2888

Full Changelog: Kludex/uvicorn@0.43.0...0.44.0

Version 0.43.0

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

---

Full Changelog: Kludex/uvicorn@0.42.0...0.43.0

Changelog

Sourced from uvicorn's changelog.

0.44.0 (April 6, 2026)

Added

• Implement websocket keepalive pings for websockets-sansio (#2888)

0.43.0 (April 3, 2026)

You can quit Uvicorn now. We heard you, @​pamelafox - all 47 of your Ctrl+C's (thanks for flagging it, and thanks to @​tiangolo for the fix 🙏). See the tweet.

Changed

• Emit http.disconnect ASGI receive() event on server shutting down for streaming responses (#2829)
• Use native context parameter for create_task on Python 3.11+ (#2859)
• Drop cast in ASGI types (#2875)

Commits

• edb54c4 Version 0.44.0 (#2890)
• 029be08 Implement websocket keepalive pings for websockets-sansio (#2888)
• 8d397c7 Version 0.43.0 (#2885)
• 587042d 🐛 Emit http.disconnect ASGI receive() event on server shutting down for s...
• c9a75fb chore(deps): bump the github-actions group with 3 updates (#2878)
• 84fd578 chore(deps): bump pygments from 2.19.2 to 2.20.0 (#2877)
• cd52d34 Use native context parameter for create_task on Python 3.11+ (#2859)
• 5211880 Drop cast in ASGI types (#2875)
• 1cb8e74 Add websocket 500 fallback header test (#2874)
• 28efbb2 chore(deps-dev): bump cryptography from 46.0.5 to 46.0.6 (#2873)
• Additional commits viewable in compare view

Updates python-multipart from 0.0.22 to 0.0.24

Release notes

Sourced from python-multipart's releases.

Version 0.0.24

What's Changed

• Validate chunk_size in parse_form() by @​Kludex in Kludex/python-multipart#244

Full Changelog: Kludex/python-multipart@0.0.23...0.0.24

Version 0.0.23

What's Changed

• Remove unused trust_x_headers parameter and X-File-Name fallback by @​jhnstrk in Kludex/python-multipart#196
• Return processed length from QuerystringParser._internal_write by @​bysiber in Kludex/python-multipart#229
• Cleanup metadata dunders from __init__.py by @​Chesars in Kludex/python-multipart#227

New Contributors

• @​Chesars made their first contribution in Kludex/python-multipart#227
• @​bysiber made their first contribution in Kludex/python-multipart#229

Full Changelog: Kludex/python-multipart@0.0.22...0.0.23

Changelog

Sourced from python-multipart's changelog.

0.0.24 (2026-04-05)

• Validate chunk_size in parse_form() #244.

0.0.23 (2026-04-05)

• Remove unused trust_x_headers parameter and X-File-Name fallback #196.
• Return processed length from QuerystringParser._internal_write #229.
• Cleanup metadata dunders from __init__.py #227.

Commits

• b7cc76d Version 0.0.24 (#245)
• 8f1838d Validate chunk_size in parse_form() (#244)
• 2582c83 Restore mkdocstrings handler options to handler level (#243)
• 8f1dbed Harden GitHub Actions workflows and add zizmor audit (#242)
• 3a4be31 Unbreak docs build on newer pygments/mkdocstrings (#241)
• e59b6b7 Add #227 to changelog (#239)
• 4bd03ea Version 0.0.23 (#238)
• aa6f106 Return processed length from QuerystringParser._internal_write (#229)
• c856319 Remove unused trust_x_headers parameter and X-File-Name fallback (#196)
• 7303c74 Bump the python-packages group with 4 updates (#237)
• Additional commits viewable in compare view

Updates pandas from 3.0.1 to 3.0.2

Release notes

Sourced from pandas's releases.

pandas 3.0.2

We are pleased to announce the release of pandas 3.0.2. This is a patch release in the 3.0.x series and includes some regression fixes and bug fixes. We recommend that all users of the 3.0.x series upgrade to this version.

See the full whatsnew for a list of all the changes.

Pandas 3.0 supports Python 3.11 and higher. The release can be installed from PyPI:

python -m pip install --upgrade pandas==3.0.*

Or from conda-forge

conda install -c conda-forge pandas=3.0

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

Commits

• ab90747 RLS: 3.0.2 (#64934)
• 6f27013 Backport PR #64931 on branch 3.0.x (DOC/BLD: temporary disable upload of docs...
• 48ddc60 Backport PR #64664 on branch 3.0.x (BUG: DataFrame.sum() crashes on empty Dat...
• 8774488 [backport 3.0.x] PERF: fix slow python loop in validation for ArrowStringArra...
• 33af6cc Backport PR #64133 on branch 3.0.x (BUG: str.find returns byte offset instead...
• 4ef49d8 [backport 3.0.x] BUG: fix convert_dtypes dropping values from sliced mixed-dt...
• 0668f34 [backport 3.0.x] BUG: Fix HDFStore.put with StringDtype columns and compressi...
• 23f2f44 [backport 3.0.x] BUG: Suppress unnecessary RuntimeWarning in to_datetime with...
• 83ba804 Backport PR #64886: BUG: Compute Variance of Complex Numbers Correctly (#64892)
• bb5ca1a Backport PR #64386 on branch 3.0.x (BUG: fix sort_index AssertionError with R...
• Additional commits viewable in compare view

Updates marimo from 0.21.1 to 0.22.4

Release notes

Sourced from marimo's releases.

0.22.0

What's Changed

This release brings a unified data table explorer, reliability improvements to the programmatic notebook API that power the new marimo-pair agent skill, smarter numeric formatting in tables, faster mo.persistent_cache, and a contextual tips system in the CLI.

⭐ Highlights

Combined row viewer and column explorer

The row viewer and column explorer panels are now unified into a single tabbed "Table Explorer" pane. A single toolbar button opens and closes the panel; Rows and Columns tabs live inside it, and your selected tab persists across open/close.

Pair programming with marimo-pair

The experimental _code API receives reliability fixes in this release, enabling the new marimo-pair agent skill for pair programming in marimo notebooks.

npx skills add marimo-team/marimo-pair

🚨 Breaking changes

mo.image no longer normalizes uint8 values (#8889)

Previously, mo.image() normalized all numeric arrays (including uint8) to the [0, 1] float range. Now, uint8 arrays are always rendered with values in [0, 255] without normalization. Two new parameters — vmin and vmax — let you set explicit value bounds for under- or over-saturated displays. If you relied on the old uint8 normalization, pass vmin=0, vmax=1 explicitly.

__marimo__ location now follows sys.pycache_prefix (#8797)

The __marimo__ directory now respects sys.pycache_prefix, consistent with Python's own __pycache__ placement. This also fixes cache placement for notebooks in nested directories. Existing caches will not be migrated — they can be safely deleted.

Cache version bump (#8793)

The cache format version has been bumped, invalidating existing caches.

✨ Enhancements

• Remove auto-instantiate from /api/execute endpoint (#8943)
• Use document as source of truth in code_mode _apply_ops (#8944)
• Enhance SQLAlchemy engine with safe_execute and inspector methods for SnowFlake (#8920)
• Support custom cloudpathlib providers in path normalization (#8929)
• Use variable name as download filename in dataframe viewer (#8811)
• Unify row viewer and column explorer (#8905)
• Fix hide_code not taking effect on kernel-created cells (#8926)
• Virtualize data table rows when pagination is disabled (#8899)
• Emit document transactions from --watch file reload (#8846)
• Remove document mutation from session.notify() (#8886)
• Style fix for li & ol: reduce margin and restore original disc (#8768)
• Avoid selecting cells in table when interactive elements (#8862)
• Lazy-load KaTeX via dynamic import of @​streamdown/math (#8874)
• Display startup tips in CLI (#8836)
• Add ListSQLSchemas to support lazy schema fetching in datasource panel (#8824)

... (truncated)

Commits

• b59cb0e release: 0.22.4 (#9040)
• e787d17 fix: make _CellsView iterate over NotebookCell objects instead of cell IDs (#...
• c945acd fix: anywidget test (#9038)
• 280a1f6 fix: show which cell defines a variable in multiply-defined error (#9037)
• 34f87a5 Add option to display error tracebacks inline and in modal (#8376)
• e62767d feat: add concise repr to NotebookCell for better REPL discoverability (#...
• eba1740 Surface cell errors from _code_mode through scratchpad (#9030)
• 611afac fix: gracefully handle delete of unknown cell and read document on reconnect ...
• 4f345a2 feat: add repr, find(), and grep() to _CellsView and improve KeyError mes...
• cf3d07a Pass model_id as data attribute to prevent loss on value update (#9032)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, python. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.