chore(deps)(deps): bump the production-dependencies group across 1 directory with 5 updates #71

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/production-dependencies-5fba640c5e

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Warning

Dependabot will stop supporting python v3.9!

Please upgrade to one of the following versions: v3.9, v3.10, v3.11, v3.12, v3.13, or v3.14.

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| graphql-core | 3.2.3 | 3.2.11 |
| openpyxl | 3.1.2 | 3.1.5 |
| xlrd | 2.0.1 | 2.0.2 |
| sqlalchemy | 2.0.39 | 2.0.51 |
| drf-yasg | 1.21.7 | 1.21.15 |

Updates graphql-core from 3.2.3 to 3.2.11

Release notes

Sourced from graphql-core's releases.

v3.2.11

Patch-release GraphQL-core v3.2.11, based on GraphQL.js v16.14.1.

This patch-release supports Python 3.7 to 3.14.

Notable changes:

  • Allow configuration of the ofType introspection depth
  • Add support for directives on directive definitions
  • Restore variable own-property checks in value_from_ast
  • Remove unused variable-definition tracking in ValuesOfCorrectTypeRule

Thanks to all who are sponsoring me (@Cito) for maintaining this project.

v3.2.10

Patch-release GraphQL-core v3.2.10, based on GraphQL.js v16.13.0.

This patch-release supports Python 3.7 to 3.14.

New features:

  • Add support for schema coordinates (parsing and resolving)
  • Support descriptions on executable definitions (e.g. variable definitions)
  • Add a max_coercion_errors option

Bug fixes:

  • Fix incorrect validation errors when variable descriptions are used
  • Don't add sibling errors after null propagation has occurred
  • Remove erroneous oneOf validation from the "values of correct type" rule
  • Validate that nullable variables aren't passed to oneOf input object fields (per spec)
  • Catch unhandled exceptions during abstract type resolution

Thanks to all who are sponsoring me (@Cito) for maintaining this project.

v3.2.9

Patch-release GraphQL-core v3.2.9, based on GraphQL.js v16.10.0.

This patch-release supports Python 3.7 to 3.14.

Notable changes:

  • Fix OverlappingFieldsCanBeMergedRule to catch field-merge conflicts hidden behind nested fragments
  • Fix handling of empty selection sets
  • Correctly type extensions in GraphQLFormattedError
  • Add kind to the introspection query/mutation/subscription root types
  • Expose token_count on DocumentNode
  • Preserve schema and input-field properties (e.g. descriptions) when sorting

Thanks to @kathychurch and @arichberg for reporting the sorting issue.

... (truncated)

Commits
  • d5a5464 Bump version
  • 6d7c4dd docs: fix inline examples, deprecation descriptions, type category
  • 456fa2c Allow configuration of the ofType introspection depth
  • 672281d Add support for directives on directive definitions
  • 1922ab7 Restore variable own-property checks in valueFromAST
  • 0ccc1a5 Use Object.create(null) to avoid prototype issues
  • 12bcb49 Bump version
  • 4070240 Incorrect validation errors when variable descriptions are used
  • 66adfb4 Sibling errors should not be added after propagation
  • 20de4b0 Schema coordinates
  • Additional commits viewable in compare view

Updates openpyxl from 3.1.2 to 3.1.5

Updates xlrd from 2.0.1 to 2.0.2

Changelog

Sourced from xlrd's changelog.

2.0.2 (14 June 2025)

  • Fix bug reading sheets containing invalid formulae.

Thanks to sanshi42 for the fix!

Commits
  • 3a19d22 Prepare for 2.0.2 release
  • f3521c8 Merge pull request #380 from sanshi42/master
  • 99270dd Improve test coverage for invalid formula handling
  • 18e314e bugfix: Fix an occasional compatibility issue when using Excel formulas
  • 0c4e80b Update README.rst
  • f45f630 emboldening breaks RTD rendering, and likely won't help :-(
  • b37d159 embolden for the hard of thinking
  • 58ccbb1 admit defeat
  • See full diff in compare view

Updates sqlalchemy from 2.0.39 to 2.0.51

Release notes

Sourced from sqlalchemy's releases.

2.0.51

Released: June 15, 2026

orm

  • [orm] [bug] Fixed issue where _orm.subqueryload() combined with PropComparator.of_type() and PropComparator.and_() would silently drop the additional filter criteria, causing all related objects to be loaded instead of only those matching the filter. The LoaderCriteriaOption was being constructed against the base entity rather than the effective entity indicated by PropComparator.of_type(). Pull request courtesy Arya Rizky.

    References: #13207

  • [orm] [bug] Fixed bug where a failure during tpc_prepare() within _orm.Session.commit() for a two-phase session would raise IllegalStateChangeError instead of the original database exception. The internal _prepare_impl() method's error handler was unable to invoke _orm.SessionTransaction.rollback() due to a state-change guard, preventing proper cleanup and masking the underlying error.

    References: #13356

engine

  • [engine] [bug] Fixed issue where Result.freeze() would lose track of ambiguous column names present in the original CursorResult, causing key-based access on the thawed result to silently return a value instead of raising InvalidRequestError. The SimpleResultMetaData now accepts and propagates ambiguous key information so that frozen, thawed, and pickled results raise consistently for duplicate column names. Pull request courtesy Saurabh Kohli.

    References: #9427

sql

  • [sql] [bug] Fixed issue where _sql.StatementLambdaElement would proxy attribute access through the cached "expected" expression rather than the resolved expression, causing stale closure-bound parameter values to be used when a lambda statement was extended with non-lambda criteria such as an additional .where() clause. Courtesy cjc0013.

    References: #10827

... (truncated)

Commits

Updates drf-yasg from 1.21.7 to 1.21.15

Release notes

Sourced from drf-yasg's releases.

1.21.15

  • IMPROVED: Use Python's native dict instead of OrderedDict (#954)
  • FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (#921)

1.21.14

FIXED: Fix missing swagger-ui sourcemaps (#950)

1.21.12

  • FIXED: Bring the bundled swagger ui up to date (#944)
  • IMPROVED: Update the logout button to use a POST request. (#945)
  • ADDED: Add a live demo domain (#946)
  • ADDED: Handle annotations that are not available at runtime (#941)

1.21.11

  • FIXED: Fix list views with parameters in last path segment not named "list" views (#917)
  • ADDED: Allow overriding produces/consumes with @swagger_auto_schema decorator (#916)
  • FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (#926)
  • IMPROVED: Update Python, Django, and DRF versions and packaging configuration (#922)
  • IMPROVED: Remove usage of pkg_resources (#928)
  • FIXED: Fix call_view_method warning to include the method name again (#923)
  • ADDED: Add a hide download button option (#848)
  • ADDED: Add ruff linters (#903)

1.21.10

  • FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (#840)
  • IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (#911)
  • FIXED: Fix lint errors when comparing types with == instead of is (#868)
  • IMPROVED: Update swagger-ui-dist to address CVE-2021-46708 (#904)

1.21.9

ADDED: Added support for zoneinfo object fields (#908)

1.21.8

  • ADDED: Python 3.11 and 3.12 support (#891)
  • FIXED: Fix pkg_resources version lookups for Python 3.9+ (#891)

Changelog

Sourced from drf-yasg's changelog.

######### Changelog #########


1.21.15


  • IMPROVED: Use Python's native dict instead of OrderedDict (:pr:954)
  • FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (:pr:921)


1.21.14



1.21.13


FIXED: Fix missing swagger-ui sourcemaps (:pr:950)


1.21.12


  • FIXED: Bring the bundled swagger ui up to date (:pr:944)
  • IMPROVED: Update the logout button to use a POST request. (:pr:945)
  • ADDED: Add a live demo domain (:pr:946)
  • ADDED: Handle annotations that are not available at runtime (:pr:941)


1.21.11


  • FIXED: Fix list views with parameters in last path segment not named "list" views (:pr:917)
  • ADDED: Allow overriding produces/consumes with @swagger_auto_schema decorator (:pr:916)
  • FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (:pr:926)
  • IMPROVED: Update Python, Django, and DRF versions and packaging configuration (:pr:922)
  • IMPROVED: Remove usage of pkg_resources (:pr:928)
  • FIXED: Fix call_view_method warning to include the method name again (:pr:923)
  • ADDED: Add a hide download button option (:pr:848)
  • ADDED: Add ruff linters (:pr:903)


1.21.10


  • FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (:pr:840)
  • IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (:pr:911)
  • FIXED: Fix lint errors when comparing types with == instead of is (:pr:868)

... (truncated)

Commits
  • d40c97f Add version 1.21.15 details to the changelog (#956)
  • 2e37afd Modernise and add .DS_Store to the .gitignore (#955)
  • 76a138a Use Python's native dict instead of OrderedDict (#954)
  • b55ba0f fix Python 3.12 type parameter syntax with ``from future import annotatio...
  • 7dceb27 Add version 1.21.14 details to the changelog (#952)
  • 763cdd6 Add version 1.21.13 details to the changelog (#951)
  • a0559fc Add missing swagger-ui sourcemaps (#950)
  • 2bf74d0 Add version 1.21.12 details to the changelog (#948)
  • b421e89 swagger ui fix (#944)
  • 40fee2b Add live demo domain and environment variables (#946)
  • Additional commits viewable in compare view

@dependabot dependabot Bot force-pushed the dependabot/pip/production-dependencies-5fba640c5e branch from f1e3f76 to a6da72a Compare May 4, 2026 03:42
@dependabot dependabot Bot force-pushed the dependabot/pip/production-dependencies-5fba640c5e branch from a6da72a to 10c15c5 Compare June 1, 2026 06:36
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.

@dependabot dependabot Bot force-pushed the dependabot/pip/production-dependencies-5fba640c5e branch from 10c15c5 to 427e70e Compare June 15, 2026 03:38
…rectory with 5 updates

Bumps the production-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [graphql-core](https://github.com/graphql-python/graphql-core) | `3.2.3` | `3.2.11` |
| [openpyxl](https://openpyxl.readthedocs.io) | `3.1.2` | `3.1.5` |
| [xlrd](https://github.com/python-excel/xlrd) | `2.0.1` | `2.0.2` |
| [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) | `2.0.39` | `2.0.51` |
| [drf-yasg](https://github.com/axnsan12/drf-yasg) | `1.21.7` | `1.21.15` |



Updates `graphql-core` from 3.2.3 to 3.2.11
- [Release notes](https://github.com/graphql-python/graphql-core/releases)
- [Commits](graphql-python/graphql-core@v3.2.3...v3.2.11)

Updates `openpyxl` from 3.1.2 to 3.1.5

Updates `xlrd` from 2.0.1 to 2.0.2
- [Changelog](https://github.com/python-excel/xlrd/blob/master/CHANGELOG.rst)
- [Commits](python-excel/xlrd@2.0.1...2.0.2)

Updates `sqlalchemy` from 2.0.39 to 2.0.51
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

Updates `drf-yasg` from 1.21.7 to 1.21.15
- [Release notes](https://github.com/axnsan12/drf-yasg/releases)
- [Changelog](https://github.com/axnsan12/drf-yasg/blob/master/docs/changelog.rst)
- [Commits](axnsan12/drf-yasg@1.21.7...1.21.15)

---
updated-dependencies:
- dependency-name: drf-yasg
  dependency-version: 1.21.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: graphql-core
  dependency-version: 3.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: openpyxl
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: sqlalchemy
  dependency-version: 2.0.49
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: xlrd
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/production-dependencies-5fba640c5e branch from 427e70e to 2023714 Compare June 22, 2026 03:39