Deps: Bump the dependencies group with 5 updates

[dependabot]

Bumps the dependencies group with 5 updates:

Package	From	To
coverage	7.14.1	7.14.2
anyio	4.13.0	4.14.0
certifi	2026.5.20	2026.6.17
idna	3.17	3.18
ruff	0.15.15	0.15.18

Updates coverage from 7.14.1 to 7.14.2

Changelog

Sourced from coverage's changelog.

Version 7.14.2 — 2026-06-20

• Fix: some messages were being written to stdout, making coverage json -o - useless for capturing JSON output. Now messages are written to stderr, fixing issue 2197_.

• Fix: CoverageData kept one SQLite connection per thread that recorded coverage, but never closed them when those threads terminated. On long runs with many short-lived threads this leaked one file descriptor per dead thread, eventually failing with OSError: [Errno 24] Too many open files. Connections belonging to terminated threads are now closed and dropped. Fixes issue 2192. Thanks, Matthew Lloyd <pull 2193_>.

• Fix: when using sys.monitoring, we were assuming we could use the COVERAGE_ID tool id. But other tools might also assume they could use that id. Pre-allocated ids don't really make sense, so now we search for a usable one instead. Fixes issue 2187_.

• Following the advice of cibuildwheel <no-13t_>_, we no longer distribute wheels for Python 3.13 free-threaded.

.. _issue 2187: coveragepy/coveragepy#2187 .. _issue 2192: coveragepy/coveragepy#2192 .. _pull 2193: coveragepy/coveragepy#2193 .. _issue 2197: coveragepy/coveragepy#2197 .. _no-13t: https://py-free-threading.github.io/ci/#building-free-threaded-wheels-with-cibuildwheel

.. _changes_7-14-1:

Commits

• 153f932 docs: sample HTML for 7.14.2
• 311bc67 docs: prep for 7.14.2
• 7f314be docs: thanks, Matthew Lloyd #2193
• f960696 Fix: close SQLite connections from terminated threads (#2192) (#2193)
• 2429615 docs: fix a changelog entry
• ced7f8a build: cibuildwheel 4.0.0 no longer has this enable option
• 30a567c chore: make upgrade
• 27c11f1 fix: write messages to stderr. #2197
• bdbe01f chore: bump the action-dependencies group with 3 updates (#2191)
• dc2fd3b chore: bump the action-dependencies group with 2 updates (#2188)
• Additional commits viewable in compare view

Updates anyio from 4.13.0 to 4.14.0

Release notes

Sourced from anyio's releases.

4.14.0

• Added support for Python 3.15

• Added an asynchronous implementation of the itertools module (#998; PR by @​11kkw)

• Added the local_port parameter to connect_tcp() to allow binding to a specific local port before connecting (#1067; PR by @​nullwiz)

• Added support for custom capacity limiters in async path and file I/O functions and classes

• Added the create_task() task group method for easier asyncio migration (returns a TaskHandle) (#1098)

• Changed TaskGroup.start_soon() to return a TaskHandle

• Added an option for TaskGroup.start() to return a TaskHandle (which then contains the start value in the start_value property)

• Added the cancel() convenience method to TaskGroup as a shortcut for cancelling the task group's cancel scope

• Improved the error message when a known backend is not installed to suggest the install command (#1115; PR by @​EmmanuelNiyonshuti)

• Improved anyio.Path to preserve subclass types by returning Self in methods that return path objects (#1130; PR by @​EmmanuelNiyonshuti)

• Changed the parameter type annotation in anyio.Path.write_bytes() to accept any ReadableBuffer, thus allowing it to accept bytearray and memoryview to match pathlib.Path.write_bytes() (#1135; PR by @​SAY-5)

• Changed several type annotations to only accept callables returning coroutine-like objects instead of arbitrary awaitables:

  • TaskGroup.start_soon()
  • TaskGroup.start()
  • anyio.from_thread.run()

  This reverts an earlier change from v3.7.0 which was made in error. (#1153)

• Changed anyio.run to support callables returning arbitrary awaitables at runtime on all backends. Previously, this only worked on asyncio (#1171; PR by @​gschaffner)

• Changed several classes (and their subclasses) to have __slots__ (with __weakref__):

  • anyio.CancelScope
  • anyio.CapacityLimiter
  • anyio.Condition
  • anyio.Event
  • anyio.Lock
  • anyio.ResourceGuard
  • anyio.Semaphore

• Fixed cancellation exception escaping a cancel scope when triggered via check_cancelled() in a worker thread (#1113)

• Fixed TaskGroup raising AttributeError instead of a clear error when entered more than once (#1109; PR by @​bahtya)

• Fixed lost type information when passing arguments to lru_cache (#1104; PR by @​Graeme22)

• Fixed test resumption after KeyboardInterrupt in async generator fixtures on the asyncio backend (#1060; PR by @​EmmanuelNiyonshuti)

... (truncated)

Commits

• ffe9133 Bumped up the version
• f8b9f01 Fixed asyncio lock waiter deadlocks after cancellation (#1145)
• d517ee1 [pre-commit.ci] pre-commit autoupdate (#1176)
• 550b68e Make anyio.run support Awaitable at runtime on all backends (#1171)
• 29a5e04 Fixed FastAPI test run
• 4d752ac Updated downstream test setups for FastAPI and Anthropic MCP
• ebdc950 Added task handle support to start() and start_soon() (#1153)
• f32bfb8 Fixed test suite compatibility issues with Pytest 9.1.0
• 85f7e8e Added __slots__ to several classes
• b7ea84c [pre-commit.ci] pre-commit autoupdate (#1165)
• Additional commits viewable in compare view

Updates certifi from 2026.5.20 to 2026.6.17

Commits

• d0ac52f 2026.06.17 (#418)
• d46de62 Bump actions/checkout from 6.0.2 to 6.0.3 (#417)
• 6c183ec fix: update Requests docs link to canonical URL (#415)
• 36e3568 Bump dessant/lock-threads from 6.0.0 to 6.0.2
• See full diff in compare view

Updates idna from 3.17 to 3.18

Changelog

Sourced from idna's changelog.

3.18 (2026-06-02)

• When decoding a domain, add a display argument that will pass through invalid labels rather than raising an exception.

Commits

• f39ea90 Release 3.18
• 40f4e40 Pre-release 3.18rc0
• 1a5bf80 Merge pull request #253 from kjd/lenient-decode
• 5bbb26f Merge branch 'master' into lenient-decode
• c532bae Rename decode() lenient= option to display= (issue #248)
• 0b1758b Merge pull request #252 from kjd/release-3.17
• 47b5cde Add lenient option to decode() for best-effort label recovery (issue #248)
• See full diff in compare view

Updates ruff from 0.15.15 to 0.15.18

Release notes

Sourced from ruff's releases.

0.15.18

Release Notes

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.18

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Commits

• 6686f63 Bump 0.15.18 (#26135)
• efbb732 [ty] Suggest keyword-only arguments between variadic parameters (#26134)
• c256d5f [ty] Support Annotated[Any, ...] as a class base (#26133)
• 19a4bea [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)
• 1d9866c Bump ecosystem-analyzer commit (#26130)
• 8656c73 [ty] Compact indexed AST node storage (#25998)
• c17c8d9 [ty] Garbage-collect cached constraint sets (#26116)
• ef0fb8f [ty] Fix bound TypeVar default cycle recovery (#26124)
• b83c024 [flake8-pyi] Extend PYI033 to Python files in preview (#26129)
• e8a5e38 Update Rust crate zip to v8 (#26078)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.