chore(deps): update python-nonmajor

[anubhav756]

Note

This PR fixes the dependency version conflicts occurring in #478.

ERROR: Cannot install google-adk==1.28.1 and opentelemetry-sdk==1.40.0 because these package versions have conflicting dependencies.

The conflict is caused by:
   The user requested opentelemetry-sdk==1.40.0
   google-adk 1.28.1 depends on opentelemetry-sdk<1.39.0 and >=1.36.0

Additionally, some packages in these conflicts have no matching distributions available for your environment:
   opentelemetry-sdk

This PR contains the following updates:

Package	Change	Age	Confidence
aiohttp	==3.13.4 → ==3.13.5
black (changelog)	==26.1.0 → ==26.3.1
google-adk (changelog)	==1.27.2 → ==1.28.1
google-auth	==2.45.0 → ==2.49.1
google-auth	==2.47.0 → ==2.49.1
google-auth-oauthlib (source)	==1.2.1 → ==1.3.1
google-cloud-secret-manager (source)	==2.26.0 → ==2.27.0
google-cloud-storage	==3.7.0 → ==3.10.1
isort (changelog)	==8.0.0 → ==8.0.1
langchain-core (changelog)	==1.2.22 → ==1.2.26
llama-index-core	==0.14.12 → ==0.14.20
mypy (changelog)	==1.19.1 → ==1.20.0
opentelemetry-exporter-gcp-trace (source)	==1.9.0 → ==1.11.0
opentelemetry-exporter-otlp-proto-http	==1.37.0 → ==1.40.0
opentelemetry-sdk	==1.37.0 → ==1.38.0
pillow (changelog)	==12.1.0 → ==12.2.0
pytest-cov (changelog)	==7.0.0 → ==7.1.0
requests (changelog)	==2.33.0 → ==2.33.1
typing-extensions (changelog)	==4.14.1 → ==4.15.0

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.13.5

Compare Source

===================

Bug fixes

• Skipped the duplicate singleton header check in lax mode (the default for response
  parsing). In strict mode (request parsing, or -X dev), all RFC 9110 singletons
  are still enforced -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:12302.

---

psf/black (black)

v26.3.1

Compare Source

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using
  exact-length placeholders for short magics and aborting if a placeholder can no longer
  be unmasked safely (#​5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom
  magic names cannot affect cache paths (#​5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting
  and request body limits, and bound executor submissions to improve backpressure
  (#​5039)

v26.3.0

Compare Source

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#​4964)
• Fix crash on standalone comment in lambda default arguments (#​4993)
• Preserve parentheses when # type: ignore comments would be merged with other
  comments on the same line, preventing AST equivalence failures (#​4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had
  a trailing comma (#​4884)
• Fix string_processing crashing on unassigned long string literals with trailing
  commas (one-item tuples) (#​4929)
• Simplify implementation of the power operator "hugging" logic (#​4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
  frozen environments (#​4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#​4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
  (#​4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
  installation and creation of either a uvloop/winloop evenloop or default eventloop
  (#​4996)

Output

• Emit a clear warning when the target Python version is newer than the running Python
  version, since AST safety checks cannot parse newer syntax. Also replace the
  misleading "INTERNAL ERROR" message with an actionable error explaining the version
  mismatch (#​4983)

Blackd

• Introduce winloop to be used when windows in use which enables blackd to run faster on
  windows when winloop is installed. (#​4996)

Integrations

• Remove unused gallery script (#​5030)
• Harden parsing of black requirements in the GitHub Action when use_pyproject is
  enabled so that only version specifiers are accepted and direct references such as
  black @​ https://... are rejected. Users should upgrade to the latest version of the
  action as soon as possible. This update is received automatically when using
  psf/black@stable, and is independent of the version of Black installed by the
  action. (#​5031)

Documentation

• Expand preview style documentation with detailed examples for wrap_comprehension_in,
  simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
  (#​4987)
• Add detailed documentation for formatting Jupyter Notebooks (#​5009)

google/adk-python (google-adk)

v1.28.1

Compare Source

Features

• live: support live for gemini-3.1-flash-live-preview model (ee69661)

Bug Fixes

• Disallow args on /builder and Add warning about Web UI usage to CLI help (f037f68)
• live: Buffer tool calls and emit them together upon turn completion (081adbd)

v1.28.0

Compare Source

Features

• a2a: add lifespan parameter to to_a2a() (0f4c807), closes #​4701
• Add a new extension for the new version of ADK-A2A integration (6f0dcb3)
• Add ability to run individual unit tests to unittests.sh (b3fcd8a)
• Add database_role property to SpannerToolSettings and use it in execute_sql to support fine grained access controls (360e0f7)
• Add index to events table and update dependencies (3153e6d), closes #​4827
• Add MultiTurn Task success metric (9a75c06)
• Add MultiTurn Task trajectory and tool trajectory metrics (38bfb44)
• Add slack integration to ADK (6909a16)
• Add Spanner Admin Toolset (28618a8)
• Add SSE streaming support to conformance tests (c910961)
• Add support for Anthropic's thinking_blocks format in LiteLLM integration (fc45fa6), closes #​4801
• Add support for timeout to UnsafeLocalCodeExecutor (71d26ef)
• auth: Integrate GCP IAM Connectors (Noop implementation) (78e5a90)
• bigquery: Migrate 1P BQ Toolset (08be442) (7aa1f52) (d112131) (166ff99)
• enable suppressing A2A experimental warnings (fdc2b43)
• Enhance AgentEngineSandboxCodeExecutor sample to automatically provision an Agent Engine if neither agent_engine_resource_name nor sandbox_resource_name is provided (6c34694)
• Extract and merge EventActions from A2A metadata (4b677e7), closes #​3968
• mcp: add sampling callback support for MCP sessions (8f82697)
• Optional GCP project and credential for GCS access (2f90c1a)
• Support new embedding model in files retrieval (faafac9)

Bug Fixes

• add agent name validation to prevent arbitrary module imports (116f75d)
• add protection for arbitrary module imports (995cd1c), closes #​4947
• Add read-only session support in DatabaseSessionService (f6ea58b), closes #​4771
• Allow snake case for skill name (b157276)
• bigquery: use valid dataplex OAuth scope (4010716)
• Default to ClusterIP so GKE deployment isn't publicly exposed by default (f7359e3)
• deps: bump google-genai minimum to >=1.64.0 for gemini-embedding-2-preview (f8270c8)
• enforce allowed file extensions for GET requests in the builder API (96e845e)
• error when event does not contain long_running_tool_ids (1f9f0fe)
• Exclude compromised LiteLLM versions from dependencies pin to 1.82.6 (77f1c41)
• Fix IDE hangs by moving test venv and cache to /tmp (6f6fd95)
• Fix imports for environment simulation files (dcccfca)
• gate builder endpoints behind web flag (6c24ccc)
• Handle concurrent creation of app/user state rows in DatabaseSessionService (d78422a), closes #​4954
• live: convert response_modalities to Modality enum before assigning to LiveConnectConfig (47aaf66), closes #​4869
• models: handle arbitrary dict responses in part_to_message_block (c26d359)
• models: update 429 docs link for Gemini (a231c72)
• populate required for Pydantic BaseModel parameters in FunctionTool (c5d809e), closes #​4777
• Prevent compaction of events with pending function calls (991c411), closes #​4740
• Prevent uv.lock modifications in unittests.sh (e6476c9)
• Refactor blocking subprocess call to use asyncio in bash_tool (58c4536)
• Refactor LiteLlm check to avoid ImportError (7b94a76)
• Reject appends to stale sessions in DatabaseSessionService (b8e7647), closes #​4751
• Remove redundant client_id from fetch_token call (50d6f35), closes #​4782
• returns '<No stdout/stderr captured>' instead of empty strings for clearer agent feedback and correct typing (3e00e95)
• Store and retrieve usage_metadata in Vertex AI custom_metadata (b318eee)
• Support resolving string annotations for find_context_parameter (22fc332)
• telemetry: Rolling back change to fix issue affecting LlmAgent creation due to missing version field (0e18f81)
• tools: disable default httpx 5s timeout in OpenAPI tool _request (4c9c01f), closes #​4431
• tools: support regional Discovery Engine endpoints (30b904e)
• tools: support structured datastores in DiscoveryEngineSearchTool (f35c3a6), closes #​3406
• Update Agent Registry to use the full agent card if available (031f581)
• Update eval extras to Vertex SDK package version with constrained LiteLLM upperbound (27cc98d)
• Update import and version for k8s-agent-sandbox (1ee0623), closes #​4883
• Update list_agents to only list directories, not validate agent definitions (5020954)

Code Refactoring

• rename agent simulator to environment simulation. Also add tracing into environment simulation (99a31bf)

Documentation

• Feat/Issue Monitoring Agent (780093f)
• Use a dedicated API key for docs agents (51c19cb)

v1.27.5

Compare Source

Bug Fixes

• Update eval extras to Vertex SDK package version with constrained LiteLLM upperbound (77928a8)

v1.27.4

Compare Source

Bug Fixes

• Exclude compromised LiteLLM versions from dependencies pin to 1.82.6 (fa5e707)
• gate builder endpoints behind web flag (44b3f72)

v1.27.3

Compare Source

Bug Fixes

• add protection for arbitrary module imports (276adfb)

googleapis/google-auth-library-python (google-auth)

v2.48.0

Compare Source

Features

• add cryptography as required dependency (#​1929) (52558ae2881b1e6555f6f5c0d76365c15807ead9)
• Support the mTLS IAM domain for Certificate based Access (#​1938) (8dcf91a1b05c85fbbd0bcee78d66e498099102ab)
• add configurable GCE Metadata Server retries (#​1488) (454b441b478ec62bbf1a6ad5bceb6c7cbbfd0c37)
• honor NO_GCE_CHECK environment variable (#​1610) (383c9827536d9376e8248370ce4c2b83e468d027)

Bug Fixes

• resolve circular imports (#​1942) (25c1b064545702cbef087cfcd15fbbb6ef1af74f)
• removes content-header from AWS IMDS get request (#​1934) (97bfea9e02ede953fc8ee154e0deed3a3cfc6dcc)
• detect correct auth when ADC env var is set but empty (#​1374) (bfc07e1050bd0aa86fa3b08cdf70c9b68b5fe6a2)
• replace deprecated utcfromtimestamp (#​1799) (e431f20cf73ccac71926a23ec454468cea92e053)
• Use user_verification=preferred for ReAuth WebAuthn challenge (#​1798) (3f88a24089c4ee6822d510de0db210b54260d873)

v2.47.0

Compare Source

Features

• drop cachetools dependency in favor of simple local implementation (#​1590) (5c07e1c4f52bc77a1b16fa3b7b3c5269c242f6f4)

Bug Fixes

• Python 3.8 support (#​1918) (60dc20014a35ec4ba71e8065b9a33ecbdbeca97a)

v2.46.0

Compare Source

Documentation

• update urllib3 docstrings for v2 compatibility (#​1903) (3f1aeea2d1014ea1d244a4c3470e52d74d55404b)

Features

• Recognize workload certificate config in has_default_client_cert_source for mTLS for Agentic Identities (#​1907) (0b9107d573123e358c347ffa067637f992af61b4)

Bug Fixes

• add types to default and verify_token and Request init based on comments in the source code. (#​1588) (59a5f588f7793b59d923a4185c8c07738da618f7)
• fix the document of secure_authorized_session (#​1536) (5d0014707fc359782df5ccfcaa75fd372fe9dce3)
• remove setup.cfg configuration for creating universal wheels (#​1693) (c767531ce05a89002d109f595187aff1fcaacfb7)
• use .read() instead of .content.read() in aiohttp transport (#​1899) (12f4470f808809e8abf1141f98d88ab720c3899b)
• raise RefreshError for missing token in impersonated credentials (#​1897) (94d04e090fdfc61926dd32bc1d65f8820b9cede5)
• Fix test coverage for mtls_helper (#​1886) (02e71631fe275d93825c2e957e830773e75133f7)

googleapis/google-cloud-python (google-auth-oauthlib)

v1.3.1: google-auth-oauthlib: v1.3.1

Compare Source

v1.3.1 (2026-03-26)

v1.3.0: google-auth-oauthlib: v1.3.0

Compare Source

Features

• Log the flow.run_local_server redirect URL (#​362) (84599aa0)

Bug Fixes

• Raise meaningful exception when oauth callback times out (#​363) (adc3ee60)

googleapis/python-storage (google-cloud-storage)

v3.10.1

Compare Source

Bug Fixes

• raise ValueError if api_endpoint is unset when using AnonymousCredentials in AsyncGrpcClient. (#​1778) (17828ea316872938a98a6360b10a2495c54bbbcb)

v3.10.0

Compare Source

Features

• [Bucket Encryption Enforcement] add support for bucket encryption enforcement config (#​1742) (2a6e8b00e4e6ff57460373f8e628fd363be47811)

Perf Improvments

• [Rapid Buckets Reads] Use raw proto access for read resumption strategy (#​1764) (14cfd61ce35365a409650981239ef742cdf375fb)
• [Rapid Buckets Benchmarks] init mp pool & grpc client once, use os.sched_setaffinity (#​1751) (a9eb82c1b9b3c6ae5717d47b76284ed0deb5f769)
• [Rapid Buckets Writes] don't flush at every append, results in bad perf (#​1746) (ab62d728ac7d7be3c4fe9a99d72e35ead310805a)

Bug Fixes

• [Windows] skip downloading blobs whose name contain ":" eg: C: D: etc when application runs in Windows. (#​1774) (558198823ed51918db9c0137715d1e7f5b593975)
• [Path Traversal] Prevent path traversal in download_many_to_path (#​1768) (700fec3bf7aa37bd5ea4b163cc3f9e8e6892bd5a)
• [Rapid Buckets] pass token correctly, '&' instead of ',' (#​1756) (d8dd1e074d2431de9b45e0103181dce749a447a0)

v3.9.0

Compare Source

Features

• add get_object method for async grpc client (#​1735) (0e5ec29bc6a31b77bcfba4254cef5bffb199095c)
• expose DELETE_OBJECT in AsyncGrpcClient (#​1718) (c8dd7a0b124c395b7b60189ee78f47aba8d51f7d)
• update generation for MRD (#​1730) (08bc7082db7392f13bc8c51511b4afa9c7b157c9)
• Move Zonal Buckets features of _experimental (#​1728) (74c9ecc54173420bfcd48498a8956088a035af50)
• add default user agent for grpc (#​1726) (7b319469d2e495ea0bf7367f3949190e8f5d9fff)
• expose finalized_time in blob.py applicable for GET_OBJECT in ZB (#​1719) (8e21a7fe54d0a043f31937671003630a1985a5d2)
• add context manager to mrd (#​1724) (5ac2808a69195c688ed42c3604d4bfadbb602a66)
• integrate writes strategy and appendable object writer (#​1695) (dbd162b3583e32e6f705a51f5c3fef333a9b89d0)
• Add support for opening via write_handle and fix write_handle type (#​1715) (2bc15fa570683ba584230c51b439d189dbdcd580)
• Add micro-benchmarks for writes comparing standard (regional) vs rapid (zonal) buckets. (#​1707) (dbe9d8b89d975dfbed8c830a5687ccfafea51d5f)
• Add micro-benchmarks for reads comparing standard (regional) vs rapid (zonal) buckets. (#​1697) (1917649fac41481da1adea6c2a9f4ab1298a34c4)
• send user_agent to grpc channel (#​1712) (cdb2486bb051dcbfbffc2510aff6aacede5e54d3)
• add samples for appendable objects writes and reads (#​1705) (2e1a1eb5cbe1c909f1f892a0cc74fe63c8ef36ff)
• add samples for appendable objects writes and reads (2e1a1eb5cbe1c909f1f892a0cc74fe63c8ef36ff)
• add support for generation=0 to avoid overwriting existing objects and add is_stream_open support (#​1709) (ea0f5bf8316f4bfcff2728d9d1baa68dde6ebdae)
• add support for generation=0 to prevent overwriting existing objects (ea0f5bf8316f4bfcff2728d9d1baa68dde6ebdae)
• add is_stream_open property to AsyncAppendableObjectWriter for stream status check (ea0f5bf8316f4bfcff2728d9d1baa68dde6ebdae)

Bug Fixes

• receive eof while closing reads stream (#​1733) (2ef63396dca1c36f9b0f0f3cf87a61b5aa4bd465)
• Change contructors of MRD and AAOW AsyncGrpcClient.grpc_client to AsyncGrpcClient (#​1727) (e730bf50c4584f737ab86b2e409ddb27b40d2cec)
• instance grpc client once per process in benchmarks (#​1725) (721ea2dd6c6db2aa91fd3b90e56a831aaaa64061)
• update write handle on every recv() (#​1716) (5d9fafe1466b5ccb1db4a814967a5cc8465148a2)
• Fix formatting in setup.py dependencies list (#​1713) (cc4831d7e253b265b0b96e08b5479f4c759be442)
• implement requests_done method to signal end of requests in async streams. Gracefully close streams. (#​1700) (6c160794afded5e8f4179399f1fe5248e32bf707)
• implement requests_done method to signal end of requests in async streams. Gracefully close streams. (6c160794afded5e8f4179399f1fe5248e32bf707)

v3.8.0

Compare Source

Features

• flush the last chunk in append method (#​1699) (89bfe7a5fcd0391da35e9ceccc185279782b5420)
• add write resumption strategy (#​1663) (a57ea0ec786a84c7ae9ed82c6ae5d38ecadba4af)
• add bidi stream retry manager. (#​1632) (d90f0ee09902a21b186106bcf0a8cb0b81b34340)
• implement "append_from_file" (#​1686) (1333c956da18b4db753cda98c41c3619c84caf69)
• make flush size configurable (#​1677) (f7095faf0a81239894ff9d277849788b62eb6ac5)
• compute chunk wise checksum for bidi_writes (#​1675) (139390cb01f93a2d61e7ec201e3637dffe0b2a34)
• expose persisted size in mrd (#​1671) (0e2961bef285fc064174a5c18e3db05c7a682521)

Bug Fixes

• add system test for opening with read_handle (#​1672) (6dc711dacd4d38c573aa4ca9ad71fe412c0e49c1)
• no state lookup while opening bidi-write stream (#​1636) (2d5a7b16846a69f3a911844971241899f60cce14)
• close write object stream always (#​1661) (4a609a4b3f4ba1396825911cb02f8a9649135cd5)

PyCQA/isort (isort)

v8.0.1

Compare Source

Changes

• Fix #​2461: Added compression to stdlibs for Python 3.14 in isort/stdlibs/py314.py (#​2463) @​FinlayTheBerry
• Fix unindented comments being corrupted in indented blocks (#​2459) @​worksbyfriday

run-llama/llama_index (llama-index-core)

v0.14.20

Compare Source

llama-index-agent-agentmesh [0.2.0]

• fix vulnerability with nltk (#​21275)

llama-index-callbacks-agentops [0.5.0]

• chore(deps): bump the uv group across 50 directories with 2 updates (#​21164)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-aim [0.4.1]

• fix vulnerability with nltk (#​21275)

llama-index-callbacks-argilla [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-arize-phoenix [0.7.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-honeyhive [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-langfuse [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-literalai [1.4.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-openinference [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-opik [1.3.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-promptlayer [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-uptrain [0.6.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-callbacks-wandb [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk (#​21275)

llama-index-core [0.14.20]

• chore(deps): bump the uv group across 46 directories with 2 updates (#​21153)
• fix(core): use async query generation in QueryFusionRetriever._aretrieve (#​21160)
• chore(deps): bump the uv group across 50 directories with 2 updates (#​21164)
• docs: fix typos, grammar, and formatting inconsistencies (#​21218)
• fix: fix extra bracket in data_sources and typo in data_sinks (#​21251)
• chore(deps): bump the uv group across 47 directories with 1 update (#​21254)
• chore(deps): bump the uv group across 53 directories with 1 update (#​21255)
• fix vulnerability with nltk (#​21275)
• Update llama-index-workflows dependency to >=2.14.0 (#​21277)
• Delete old folders (#​21286)

llama-index-embeddings-adapter [0.5.0]

• chore(deps): bump the uv group across 58 directories with 1 update (#​21166)
• chore(deps): bump the uv group across 24 directories with 1 update (#​21219)
• chore(deps): bump the uv group across 21 directories with 2 updates (#​21221)
• fix vulnerability with nltk ([#​21275](https://redire