chore(deps): bump the all-dependencies group with 6 updates

[dependabot]

Updates the requirements on fastapi[standard], pydantic-settings, pyjwt, ruff, sentry-sdk[fastapi] and valkey-glide to permit the latest version.
Updates fastapi[standard] to 0.136.3

Release notes

Sourced from fastapi[standard]'s releases.

0.136.3

Refactors

• ♻️ Do not accept underscore headers when using convert_underscores=True (the default). PR #15589 by @​tiangolo.

Commits

• 8206485 🔖 Release version 0.136.3
• c910e01 📝 Update release notes
• 063b5bf ♻️ Do not accept underscore headers when using convert_underscores=True (th...
• 22b02e2 🔖 Release version 0.136.2
• 3b252a2 📝 Update release notes
• c7fb785 ♻️ Validate Server Sent Event fields to avoid applications from sending broke...
• cb83b83 📝 Update release notes
• 00f805c ✅ Update tests, don't double dispose the engine (#15587)
• 3675137 📝 Update release notes
• 7b57e42 📝 Document --entrypoint CLI option (#15464)
• Additional commits viewable in compare view

Updates pydantic-settings from 2.14.0 to 2.14.1

Release notes

Sourced from pydantic-settings's releases.

v2.14.1

What's Changed

• Bump the python-packages group with 4 updates by @​dependabot[bot] in pydantic/pydantic-settings#850
• Bump the python-packages group with 5 updates by @​dependabot[bot] in pydantic/pydantic-settings#854
• Bump the github-actions group with 3 updates by @​dependabot[bot] in pydantic/pydantic-settings#853
• Bump the python-packages group with 2 updates by @​dependabot[bot] in pydantic/pydantic-settings#856
• Fix field named cls conflicting with classmethod parameter by @​hramezani in pydantic/pydantic-settings#858
• Prepare release 2.14.1 by @​hramezani in pydantic/pydantic-settings#859

Full Changelog: pydantic/pydantic-settings@v2.14.0...v2.14.1

Commits

• e95c30b Prepare release 2.14.1 (#859)
• 0c87345 Fix field named cls conflicting with classmethod parameter (#858)
• 7bd0072 Bump the python-packages group with 2 updates (#856)
• b03e573 Bump the github-actions group with 3 updates (#853)
• eaa3b43 Bump the python-packages group with 5 updates (#854)
• 9f95615 Bump the python-packages group with 4 updates (#850)
• See full diff in compare view

Updates pyjwt from 2.12.1 to 2.13.0

Release notes

Sourced from pyjwt's releases.

2.13.0

PyJWT 2.13.0 — Security Release

This release bundles five security fixes plus three additional hardening / spec-compliance changes. We recommend all users upgrade.

Security

• GHSA-xgmm-8j9v-c9wx — JWK JSON accepted as HMAC secret (algorithm confusion). HMACAlgorithm.prepare_key previously rejected PEM- and SSH-formatted asymmetric keys but did not catch a JWK passed as a raw JSON string. In a verifier configured with both symmetric and asymmetric algorithms in algorithms=[…] and a raw-JSON JWK as the key, an attacker could forge HS256 tokens using the JWK text as the HMAC secret. The guard has been extended to reject any JWK-shaped JSON. Reported by @​aradona91.

• GHSA-jq35-7prp-9v3f — Algorithm allow-list bypass with PyJWK / PyJWKClient. When verifying with a PyJWK, the caller's algorithms=[…] allow-list was checked against the token header alg as a string only; actual verification used the algorithm bound to the PyJWK. An attacker who controlled a registered JWKS key could sign with one algorithm and advertise another on the header. PyJWT now requires the token header alg to match the PyJWK's algorithm before verification. Reported by @​sushi-gif.

• GHSA-w7vc-732c-9m39 — DoS via base64 decode of unused payload segment when b64=false. For detached-payload JWS (b64=false), the compact-form payload segment was base64-decoded before being discarded in favor of the caller-supplied detached_payload. An attacker could inflate the unused segment to force CPU + memory cost without holding a valid signature. The segment is now required to be empty per RFC 7515 Appendix F, and is no longer decoded. Reported by @​thesmartshadow.

• GHSA-993g-76c3-p5m4 — PyJWKClient accepts non-HTTP(S) URIs. PyJWKClient.fetch_data passed its URI to urllib.request.urlopen, which by default also handles file://, ftp://, and data: schemes. An application that fed an attacker-influenced URI into PyJWKClient could be coerced into reading local files or reaching other unintended schemes. PyJWKClient now rejects any URI whose scheme isn't http or https. Reported by @​KEIJOT.

• GHSA-fhv5-28vv-h8m8 — PyJWKClient cache wiped on fetch error. A finally-block put(jwk_set=None) cleared the JWK Set cache whenever a fetch raised, turning a transient JWKS-endpoint outage into application-wide auth failure. The cache write was moved into the success path; transient errors no longer evict valid cached keys. Reported by @​eddieran.

Fixed

• Reject empty HMAC keys outright in HMACAlgorithm.prepare_key with InvalidKeyError instead of accepting them with only a warning. Defends against the os.getenv("JWT_SECRET", "") footgun. Thanks to @​SnailSploit and @​spartan8806 for the reports.
• Forward per-call options (including enforce_minimum_key_length) from PyJWT.decode through to PyJWS._verify_signature. The option was previously silently dropped between the two layers, so it only took effect when set on the PyJWT instance. Thanks to @​WLUB for the report.
• RFC 7797 §3 compliance for b64=false: the encoder now auto-adds "b64" to crit, and the decoder rejects tokens that set b64=false without listing it in crit. Thanks to @​MachineLearning-Nerd for the report.

Changed

• Migrate the dev, docs, and tests package extras to dependency groups, by @​kurtmckee in #1152.

Upgrade notes

Most fixes are invisible to correctly-configured callers. A few behavioral changes you may encounter:

• Empty HMAC keys now raise. If your app passed "" or b"" as a secret (often via a missing env var, e.g. os.getenv("JWT_SECRET", "")), encode/decode will now raise InvalidKeyError. This is the intended behavior — fix the configuration.
• PyJWK decoding now requires the token's alg to match the JWK's algorithm. Previously a mismatch was silently honored if the header alg appeared in the allow-list. Tokens that relied on this mismatch will now fail with InvalidAlgorithmError.
• PyJWKClient now rejects non-HTTP(S) URIs at construction time. Tests or dev environments that fetched JWKS from file:// URIs need to switch to a local HTTP server or load the JWKS by other means (e.g. construct PyJWKSet.from_dict(...) directly).
• b64=false tokens are now strictly RFC 7515 / 7797 compliant. Tokens with a non-empty compact-form payload segment, or that omit "b64" from crit, will be rejected. PyJWT-produced tokens always satisfy both invariants, so round-trips through PyJWT are unaffected.
• enforce_minimum_key_length set per-call now takes effect. Callers who passed options={"enforce_minimum_key_length": True} to jwt.decode() previously got no enforcement; they will now get InvalidKeyError on undersized keys, as documented.

Full changelog: jpadilla/pyjwt@2.12.1...2.13.0

Changelog

Sourced from pyjwt's changelog.

v2.13.0 <https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0>__

Security

- Reject JWK JSON documents passed as raw HMAC secrets in
  ``HMACAlgorithm.prepare_key`` to close an algorithm-confusion gap that
  the existing PEM/SSH guard did not cover. Reported by @aradona91 in
  `GHSA-xgmm-8j9v-c9wx <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx>`__.
- Bind the JWT header ``alg`` to ``PyJWK.algorithm_name`` during
  verification so the caller's ``algorithms=[...]`` allow-list cannot be
  bypassed when decoding with a ``PyJWK`` / ``PyJWKClient`` key. Reported
  by @sushi-gif in `GHSA-jq35-7prp-9v3f <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-jq35-7prp-9v3f>`__.
- Reject non-``http(s)`` URI schemes in ``PyJWKClient`` so attacker-
  influenced URIs cannot read local files or reach unintended schemes via
  urllib's default ``file://`` / ``ftp://`` / ``data:`` handlers. Reported
  by @KEIJOT in `GHSA-993g-76c3-p5m4 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4>`__.
- Preserve the cached JWK Set on fetch errors in ``PyJWKClient.fetch_data``.
  The previous ``finally``-block ``put(None)`` pattern cleared the cache
  on any transient outage, turning one bad JWKS request into application-
  wide auth failure. Reported by @eddieran in `GHSA-fhv5-28vv-h8m8 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8>`__.
- Skip the unconditional base64 decode of the compact-form payload segment
  when ``b64=false`` is set in the protected header, and require that
  segment to be empty (RFC 7515 Appendix F detached form). Closes an
  unauthenticated DoS amplifier. Reported by @thesmartshadow in
  `GHSA-w7vc-732c-9m39 <https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39>`__.
Fixed

- Reject empty HMAC keys outright in ``HMACAlgorithm.prepare_key`` with
  ``InvalidKeyError`` instead of accepting them with only a warning.
  Thanks to @SnailSploit and @spartan8806 for independently flagging the
  footgun.
- Forward per-call ``options`` (including ``enforce_minimum_key_length``)
  from ``PyJWT.decode`` through to ``PyJWS._verify_signature`` so the
  option actually takes effect when set at the call site rather than only
  on the ``PyJWT`` instance. Thanks to @WLUB for the report.
- RFC 7797 §3 compliance for ``b64=false``: the encoder now auto-adds
  ``&quot;b64&quot;`` to the ``crit`` header parameter, and the decoder rejects
  tokens that set ``b64=false`` without listing it in ``crit``. Thanks to
  @MachineLearning-Nerd for the report.
Changed



Migrate the dev, docs, and tests package extras to dependency groups by @​kurtmckee in [#1152](https://github.com/jpadilla/pyjwt/issues/1152) &lt;https://github.com/jpadilla/pyjwt/pull/1152&gt;__

Commits

• 7144e45 Apply ruff format
• d2f4bec Restore cast() calls with cross-version type: ignore for prepare_key
• 22f478c Remove redundant casts in RSAAlgorithm.prepare_key and `ECAlgorithm.prepare...
• 95791b1 Bundle security fixes and hardening into 2.13.0
• dcc27a9 [pre-commit.ci] pre-commit autoupdate (#1155)
• 9d08a9a [pre-commit.ci] pre-commit autoupdate (#1146)
• b87c100 Bump codecov/codecov-action from 5 to 6 (#1154)
• 40e3147 Migrate development extras to dependency groups (#1152)
• See full diff in compare view

Updates ruff from 0.15.12 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.15

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser
• @​Ruchir28

... (truncated)

Commits

• db5aa0a Bump 0.15.15 (#25431)
• 366fe21 [ty] Improve diagnostics for syntax errors in forward annotations (#25158)
• e2e1e64 [ty] Remove excess capacity from more Salsa cached collections (#25411)
• 1bd77e1 [ty] Use diagnostic message as tie breaker when sorting (#25424)
• 7e1bc1e Add agent skills for working on ty (#25422)
• 574e107 Expand semantic syntax errors for invalid walruses (#25415)
• 4a7ca06 [ty] Display docs for matching parameter when hovering over the name of an ar...
• 5432709 Refine a few agents instructions (#25423)
• 3cb09eb [ty] Support typing.TypeForm (#25334)
• c8cd59f [ty] Infer class attributes assigned by metaclass initialization (#25342)
• Additional commits viewable in compare view

Updates sentry-sdk[fastapi] to 2.61.1

Release notes

Sourced from sentry-sdk[fastapi]'s releases.

2.61.1

Internal Changes 🔧

Rq

• Pin fakeredis<2.36.0 in tests by @​alexander-alderman-webb in #6454
• Unpin redis and fakeredis for tests by @​alexander-alderman-webb in #6443

Other

• (aiohttp) Unfurl spans explicitly instead of using pop() by @​sentrivana in #6435
• (tox) Migrate from pip to uv via tox-uv by @​sentry-junior in #6390
• Pin redis<8 for rq by @​sl0thentr0py in #6438

Changelog

Sourced from sentry-sdk[fastapi]'s changelog.

2.61.1

Internal Changes 🔧

Rq

• Pin fakeredis<2.36.0 in tests by @​alexander-alderman-webb in #6454
• Unpin redis and fakeredis for tests by @​alexander-alderman-webb in #6443

Other

• (aiohttp) Unfurl spans explicitly instead of using pop() by @​sentrivana in #6435
• (tox) Migrate from pip to uv via tox-uv by @​sentry-junior in #6390
• Pin redis<8 for rq by @​sl0thentr0py in #6438

2.61.0

New Features ✨

• Add server.address to transformed spans when stream_gen_ai_spans=True by @​alexander-alderman-webb in #6307

• Allow integrations to define control flow exceptions by @​sentrivana in #6425

• Disable string truncation for events by default by @​alexander-alderman-webb in #6290

  Following a previous significant increase of the string truncation limit, we've now completely removed the limit by default. In case you have large strings in your events, you should now be able to see them.

  In rare cases, if you have really long strings (or a lot of them), you might see envelopes being dropped because of their size. If that happens, you can set the max_value_length init option to the previous value of 100_000:

  sentry_sdk.init(
      ...,
      max_value_length=100_000,
  )

Bug Fixes 🐛

Langchain

• Stop setting transaction status when child span fails by @​alexander-alderman-webb in #6301
• Catch TypeError on langchain.agents import by @​alexander-alderman-webb in #6268

Openai Agents

• Handle starting_agent keyword argument in runner patches by @​ericapisani in #6428
• Remove hosted MCP tool spans by @​alexander-alderman-webb in #6391
• Use name, not description in start_span by @​sentrivana in #6323
• Stop setting transaction status when child span fails by @​alexander-alderman-webb in #6303

... (truncated)

Commits

• 5c95559 Update CHANGELOG.md
• b98bcb1 release: 2.61.1
• 504cbe9 ci(rq): Pin fakeredis<2.36.0 in tests (#6454)
• 1f3f3eb fix(sampling): Attribute backpressure as unsampling reason more accurately ...
• 2ce26d1 ci(tox): migrate from pip to uv via tox-uv (#6390)
• 8a4062b ci(rq): Unpin redis and fakeredis for tests (#6443)
• 8d442df fix(span-first): Set user.ip_address on all streamed spans (#6434)
• e8d67d8 feat(rust-tracing): Support span streaming (#6433)
• 0749d3e feat(litellm): Support span streaming (#6317)
• b4e0367 test(aiohttp): Unfurl spans explicitly instead of using pop() (#6435)
• Additional commits viewable in compare view

Updates valkey-glide from 2.3.1 to 2.4.1

Release notes

Sourced from valkey-glide's releases.

v2.4.1

What's Changed

• Backport #5916 to release 2.4: Core: Propagate per-command response timeout to multiplexed connection by @​jeremyprime in valkey-io/valkey-glide#5991
• Backport of #5917 to release 2.4: Core: Add dedicated timeout watchdog thread independent of Tokio runtime by @​jeremyprime in valkey-io/valkey-glide#5993
• Cherry-pick of #5952 to release 2.4: Java: Add a synchronous check on inflight request limits before submitting tasks by @​jeremyprime in valkey-io/valkey-glide#5992
• Cherry pick #6015 to release-2.4: Python: Include _fast_response extension in glide-sync wheel by @​xShinnRyuu in valkey-io/valkey-glide#6020
• Implement connection refresh on circular moved (#5893) by @​jamesx-improving in valkey-io/valkey-glide#6023

Full Changelog: valkey-io/valkey-glide@v2.4.0...v2.4.1

v2.4.0

Key Features

Client-Side Caching Support: Full client-side caching support enabling local caching of frequently accessed data to reduce round-trips to the server

Transparent Compression: Client-side transparent compression feature enabled. This feature is experimental

Valkey Search 1.2 Support: Comprehensive FT.* command support for the Valkey Search module

NodeDiscoveryMode for Standalone Clients: New configuration option to allow for better integration with proxies

JSON module support: Full support for Valkey JSON module

URI-Based Client Creation API: New FFI create_client_from_uri function accepting Redis/Valkey URI strings with optional JSON configuration

Performance Enhancements: Multiple performance enhancements in the Valkey Glide Core

What's Changed

• feat(java): add cluster info & topology commands by @​prashanna-frsh in valkey-io/valkey-glide#5433
• feat(jedis-compatibility):add support for connection and tx commands by @​prashanna-frsh in valkey-io/valkey-glide#5422
• Bump redis.clients:jedis from 5.1.2 to 7.0.0 in /java by @​dependabot[bot] in valkey-io/valkey-glide#4916
• Fixed PermissionDenied error to fail fast by @​Aryex in valkey-io/valkey-glide#5515
• feat(python-sync): enable zero-copy SET by accepting bytearray and memoryview in command args by @​omerrubi-amzn in valkey-io/valkey-glide#5492
• feat(python-sync): add response buffer support to get() to improve performance by reducing copies by @​omerrubi-amzn in valkey-io/valkey-glide#5493
• feat(core): Add OTel DB semantic convention attributes to command spans by @​naoki-tateyama in valkey-io/valkey-glide#5413
• Updated attribution files for commit 8f8c3f76ffdc8bcefd140ac1b8e70bb165fcd53b by @​github-actions[bot] in valkey-io/valkey-glide#5523
• Python: Recycle callback indices for cancelled futures and use monotonic counter to prevent index collisions that permanently closed the client by @​xShinnRyuu in valkey-io/valkey-glide#5517
• Java: Fix swallowed errors in JNI async bridge that left CompletableFutures dangling by @​avifenesh in valkey-io/valkey-glide#5536
• Go bug fix: remove pubsub config check for message handler register by @​liorsve in valkey-io/valkey-glide#5534
• Node: add dynamic PubSub support by @​affonsov in valkey-io/valkey-glide#5295
• Fix/go/python cicd test-container tests by @​xShinnRyuu in valkey-io/valkey-glide#5560
• CI: add note to avoid using GitHub runners for macOS ARM workflows by @​liorsve in valkey-io/valkey-glide#5570
• Fix Potential Security Issues for Release 2.3 by @​alexr-bq in valkey-io/valkey-glide#5583
• refactor(java): rename unsubscribe methods to lazy variants by @​yeoncheol-jang in valkey-io/valkey-glide#5532
• Add IAM authentication tests across all clients by @​affonsov in valkey-io/valkey-glide#5402
• Refactor go pubsub tests to support cluster by @​alexr-bq in valkey-io/valkey-glide#5577
• Pypi-CD: fix test-the-release step for linux-arm ephemeral runner by @​liorsve in valkey-io/valkey-glide#5566
• Fix sleep usage to be compatible with trio backend by @​alexr-bq in valkey-io/valkey-glide#5612

... (truncated)

Changelog

Sourced from valkey-glide's changelog.

Pending 2.5

Changes

• Go: Add RESET command support (#5946)
• Java: Add RESET command support (#5947)
• CORE/FFI: Add MonitorClient for the MONITOR command (#5977)
• Node: Add RESET command support (#5945)
• Python: Add RESET command support (#5944)
• Python: Add MIGRATE command support (#5933)
• CORE: Phase 2 client-side caching (#5962)
• CORE: Add RESET command support (#5959)
• Node: Support custom socket address resolution when connecting to valkey (#5873)
• Node: Add MIGRATE command support (#5934)
• Go: Support custom socket address resolution when connecting to valkey (#5873)
• Go: Add MIGRATE command support (#5935)
• CORE: Avoid panic on cluster SCAN when a read-from-replica AZ affinity strategy is configured. The slot map carries no AZ metadata, so these strategies now fall back to their documented round-robin behavior (replicas for AZAffinity, replicas plus primary for AZAffinityReplicasAndPrimary) instead of hitting todo!() (#5909)

2.4

Fixes

• CORE: Add dedicated timeout watchdog thread independent of the Tokio runtime. Under memory pressure or Tokio starvation, tokio::time::sleep may not fire on time. The watchdog uses a separate OS thread to guarantee timeout delivery, preventing commands from hanging indefinitely when the async runtime is overloaded. (#5752)
• CORE: Propagate per-command response timeout to the multiplexed connection layer. The configured request_timeout (including blocking command timeouts) is now enforced at the connection level, ensuring commands time out reliably instead of waiting indefinitely with Duration::MAX. (#5581)
• CORE: Fall back to existing cluster connections when initial nodes are unavailable during topology refresh. When refreshTopologyFromInitialNodes=true and the initial/seed node is unreachable (e.g., dead primary during failover), the topology refresh now queries healthy existing connections instead of failing silently. This complements #5812 to enable failover recovery when the seed node itself is the failed node. (#5814)
• Node: Fix SIGSEGV in pubsub under pnpm strict hoisting — replace value_from_split_pointer(high_u32, low_u32) with value_from_pointer(i64) in the Node.js Rust client to accept response pointers as a single integer, eliminating the high/low split that caused upper 32-bit truncation when protobufjs.util.Long was null (#5851)

Changes

• Go: Expose client interfaces (BaseClientCommands, GlideClientCommands, GlideClusterClientCommands, etc.) as a public package for testing and abstraction (#4900)
• CORE, Python, Java, Node, Go: Add NodeDiscoveryMode configuration for standalone clients — STATIC mode skips role detection for proxy compatibility (e.g., Envoy), DISCOVER_ALL mode discovers full topology (primary + all replicas) from any starting node (#5724)
• Go: Add Valkey Search (FT) command support — FT.CREATE, FT.SEARCH, FT.AGGREGATE, FT.DROPINDEX, FT.LIST, FT.INFO, FT.EXPLAIN, FT.EXPLAINCLI, FT.ALIASADD, FT.ALIASDEL, FT.ALIASUPDATE, FT.ALIASLIST with full Valkey Search 1.2 options for both standalone and cluster clients (#5590)
• FFI: Add URI-based client creation API with full ConnectionRequest support (#5620)
  • New create_client_from_uri FFI function accepts Redis/Valkey URI strings and optional JSON configuration
  • Supports all ConnectionRequest options including compression, periodic checks, IAM credentials, and pub/sub subscriptions
  • Simplifies language binding implementation by moving protobuf construction to Rust
• Python, Java, Node, CORE: Add valkey-search 1.2 support — FT.CREATE index options (SCORE, LANGUAGE, SKIPINITIALSCAN, MINSTEMSIZE, WITHOFFSETS/NOOFFSETS, NOSTOPWORDS/STOPWORDS, PUNCTUATION) and field options (NOSTEM, WEIGHT, WITHSUFFIXTRIE/NOSUFFIXTRIE, SORTABLE); FT.SEARCH options (VERBATIM, INORDER, SLOP, SORTBY, WITHSORTKEYS, NOCONTENT, DIALECT, shard scope, consistency mode); FT.AGGREGATE options (VERBATIM, INORDER, SLOP, DIALECT); FT.INFO scope options (LOCAL, PRIMARY, CLUSTER, shard scope, consistency mode); WITHSORTKEYS and NOCONTENT response conversion in glide-core. Python options parameter for ft.search() and ft.aggregate() is now optional. (#5571)
• Node: Fix HNSW vector field serialization to use correct property names (numberOfEdges, vectorsExaminedOnConstruction, vectorsExaminedOnRuntime) matching the TypeScript type definitions (#5571)
• Node: Fix missing break for NUMERIC field case in FT.CREATE serialization, preventing fall-through to VECTOR case (#5571)
• CORE, Python, Java, Node: Add missing NOCONTENT and DIALECT options for FT.SEARCH (#5550)
• Go: Add JSON.SET and JSON.GET commands (#5589)
• Go: Add JSON module commands - DEL, FORGET, CLEAR, MGET, TYPE, and array operations (#5589)
• Go: Add JSON TOGGLE, RESP, DEBUG, numeric, string and object commands (#5589)
• CORE: Fix Tokio runtime blocking in cluster async code by replacing std::sync locks with async-safe alternatives (#5450)
• Core: Maintain throughput during cluster failover by making reconnection non-blocking (#4990)
• FFI: Add OpenTelemetry DB semantic convention attributes to FFI path (#5596)
• JAVA: Add cluster management commands (CLUSTER MEET, CLUSTER FORGET, CLUSTER REPLICATE, CLUSTER REPLICAS, CLUSTER COUNT-FAILURE-REPORTS, CLUSTER FAILOVER, CLUSTER SETSLOT, CLUSTER BUMPEPOCH, CLUSTER SET-CONFIG-EPOCH, CLUSTER FLUSHSLOTS, CLUSTER RESET, READONLY, READWRITE, ASKING, CLUSTER SAVECONFIG, CLUSTER GETKEYSINSLOT) (#5503)
• Go: Client-Side Caching Support (#5721)
• Go: Add PeriodicChecks configuration to AdvancedClusterClientConfiguration — supports PeriodicChecksEnabled, PeriodicChecksDisabled, and PeriodicChecksManualInterval modes for controlling cluster topology check intervals (#5842)
• JAVA: Client-Side Caching Support (#5172)
• Node: Client-Side Caching Support (#5720)
• JAVA: Support custom socket address resolution when connecting to valkey (#4396)
• Python: Support custom socket address resolution when connecting to valkey (#5873)

... (truncated)

Commits

• f47fd4f Update supported compression commands (#5420)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions