chore(deps): bump the elt-common-dependencies group across 1 directory with 8 updates

[dependabot]

Updates the requirements on dlt[parquet,s3], pyiceberg[pyiceberg-core], s3fs, click, sqlalchemy, requests, ruff and setuptools to permit the latest version.
Updates dlt[parquet,s3] to 1.24.0

Release notes

Sourced from dlt[parquet,s3]'s releases.

1.24.0

dlt 1.24.0 Release Notes

Breaking Changes

1. Custom resource metrics now stored as tables (#3718 @​rudolfix) — Incremental metrics in the trace are now represented in table format. This changes the location and structure of incremental metrics in the trace object.

Highlights

• Insert-only merge strategy (#3741 @​rudolfix, based on #3372 by @​OnAzart) — New insert-only merge strategy that performs idempotent, key-based appending: inserts records whose primary key doesn't exist in the destination while silently skipping duplicates. No updates or deletes. Supported across all SQL destinations, Delta Lake, and Iceberg.
• Parallelize all sources in Airflow (#3652 @​JustinSobayo) — In parallel and parallel-isolated decompose modes, all source components now fan out concurrently from a shared start node. Previously the first source had to complete before others could begin, adding unnecessary wall-clock time. This release also adds basic Airflow 3 support with smoke tests.
• ClickHouse ReplacingMergeTree support (#3366 @​prevostc) — New replacing_merge_tree table engine type for ClickHouse that enables native deduplication and soft deletes via dedup_sort and hard_delete column hints.
• Custom resource metrics as tables (#3718 @​rudolfix) — Resources can now emit custom metrics that are stored as tables in the trace, enabling richer observability for pipelines.

Core Library

• Insert-only merge strategy (#3741 @​rudolfix, based on #3372 by @​OnAzart) — See Highlights.
• ClickHouse ReplacingMergeTree support (#3366 @​prevostc) — See Highlights.
• Parallelize all sources in Airflow (#3652 @​JustinSobayo) — See Highlights.
• Custom resource metrics as tables (#3718 @​rudolfix) — See Highlights.
• Configurable Arrow table concatenation promote_options (#3701 @​AyushPatel101) — arrow_concat_promote_options can now be set to "default" or "permissive" instead of the hardcoded "none", enabling automatic type promotion when yielding multiple Arrow tables with slightly different inferred types.
• Fix: CLI info/show fails on custom destinations (#3676 @​anuunchin) — dlt pipeline info/show no longer crashes with UnknownDestinationModule on pipelines using @dlt.destination.
• Fix: Primary key assignment for incremental resources (#3679 @​shnhdan) — Passing primary_key=() to Incremental to disable deduplication is no longer silently overwritten by the resource's own primary key.
• Fix: MotherDuck missing catalog validation (#3723 @​YuF-9468) — Connection strings that omit the catalog/database name (e.g. bare md:) now raise a clear configuration error instead of a confusing connection failure.
• Fix: BigQuery infinite loop on internal error (#3732 @​aditypan) — BigQuery jobs that encounter an internal error no longer cause an infinite retry loop.
• Fix: SCD2 column order mismatch in SQLAlchemy destinations (#3733 @​anuunchin) — SCD2 validity column insert jobs now match the column order of existing tables in SQLAlchemy destinations.
• Fix: Timezone mapping in SQL timestamp datatype (#3735 @​aditypan) — Timezone is now correctly set for timestamp/datetime column datatypes.

Docs

• Realistic closure-based data masking example (#3617 @​veeceey) — Replaced the hardcoded example with a reusable mask_columns() function supporting all sql_database backends.
• Redirects for removed pages (#3688 @​djudjuu)
• AI workbench license info (#3729 @​lis365b)
• Minor doc fixes (#3734 @​anuunchin)

Chores

• Bumps npm docs deps (#3728 @​rudolfix)
• Switch lancedb example from Spotify to PodcastIndex (#3736 @​Travior)
• Adds CLI docs check to docs CI workflow (#3739 @​rudolfix)
• Moves render CLI docs command to a separate tool (#3740 @​rudolfix)

New Contributors

• @​prevostc made their first contribution in #3366
• @​veeceey made their first contribution in #3617
• @​JustinSobayo made their first contribution in #3652
• @​shnhdan made their first contribution in #3679
• @​YuF-9468 made their first contribution in #3723

Commits

• fa36355 Merge pull request #3757 from dlt-hub/devel
• 385a44f bumps to version 1.24.0 (#3751)
• f348b12 docs: add realistic closure-based data masking example (#3617)
• a1be2f4 Fix/3637 cli info, show fail on custom destinations (#3676)
• 8a116b6 feat: parallelize all sources in Airflow, including the first one (#3652)
• b58fcb0 (Feat) insert only merge strategy (#3741)
• b99d78d Add clickhouse ReplacingMergeTree (#3366)
• 8e4c448 (chore) moves render cli docs command to a separate tool (#3740)
• 2e1cf96 fix: validate missing MotherDuck catalog (#3723)
• 4b1cc41 docs: redirects for removed pages (#3688)
• Additional commits viewable in compare view

Updates pyiceberg[pyiceberg-core] to 0.11.1

Release notes

Sourced from pyiceberg[pyiceberg-core]'s releases.

pyiceberg-0.11.1

What's Changed

• fix: Accept all valid http method for IRC's ConfigResponse by @​sumanth-manchala in apache/iceberg-python#3010
• fix: add Field alias for SetPartitionStatisticsUpdate.partition_stati… by @​shiwk in apache/iceberg-python#3035
• fix: Extract ADLS account_name from URI hostname in FsspecFileIO by @​antonlin1 in apache/iceberg-python#3005
• fix ssl deactivation from catalog properties #2985 by @​MenelikV in apache/iceberg-python#3012

Full Changelog: apache/iceberg-python@pyiceberg-0.11.0...pyiceberg-0.11.1

Commits

• 8dee48a Fix SSL deactivation using catalog properties (#3012)
• f718209 fix: Extract ADLS account_name from URI hostname in FsspecFileIO (#3005)
• 97f2d46 bump to 0.11.1
• c1ac231 fix: add Field alias for SetPartitionStatisticsUpdate (#3035)
• 62c909b fix: Accept all valid http method for IRC's ConfigResponse (#3010)
• See full diff in compare view

Updates s3fs from 2026.2.0 to 2026.3.0

Commits

• 731e125 changelog (#1018)
• 0889cca made changes to _find to support combinations of prefix; withdirs and maxdept...
• 14a8f7d Use bisect for listing deduplication (#1010)
• 250107a Add concurrent downloads to get_file and cat_file (#1007)
• 1b4a544 Add option to check file expiry locally (#1008)
• See full diff in compare view

Updates click from 8.3.1 to 8.3.2

Release notes

Sourced from click's releases.

8.3.2

This is the Click 8.3.2 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.2/ Changes: https://click.palletsprojects.com/page/changes/#version-8-3-2 Milestone: https://github.com/pallets/click/milestone/29

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. #3084 #3152
• Hide Sentinel.UNSET values as None when using lookup_default(). #3136 #3199 #3202 #3209 #3212 #3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. #824 #2991 #2993 #3110 #3139 #3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. #3139
• Fix callable flag_value being instantiated when used as a default via default=True. #3121 #3201 #3213 #3225

Changelog

Sourced from click's changelog.

Version 8.3.2

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default(). :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer. :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
• Add comprehensive tests for CliRunner stream lifecycle, covering logging interaction, multi-threaded safety, and sequential invocation isolation. Add high-iteration stress tests behind a stress marker with a dedicated CI job. :pr:3139
• Fix callable flag_value being instantiated when used as a default via default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

Commits

• 052c006 Change update release date.
• 502b7ce Merge branch 'stable' of https://github.com/pallets/click into release-8.3.2
• a0a37e4 Change publish to werkzeug latest. (#3301)
• 57be6fc Change publish to werkzeug latest.
• 781d6a8 Update publish workflows (#3266)
• ff795b6 Update precommit pins with tox
• dd87ef4 Update github action pins with tox
• 93d3f9d Release version 8.3.2
• 3299ba1 Add missing PR to changelog. (#3264)
• b7f62c4 Add missing PR to changelog.
• Additional commits viewable in compare view

Updates sqlalchemy from 2.0.48 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates requests from 2.33.0 to 2.33.1

Release notes

Sourced from requests's releases.

v2.33.1

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

New Contributors

• @​ferdnyc made their first contribution in psf/requests#7277

Full Changelog: https://github.com/psf/requests/blob/main/HISTORY.md#2331-2026-03-30

Changelog

Sourced from requests's changelog.

2.33.1 (2026-03-30)

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary files in the tmp directory. (#7305)
• Fixed Content-Type header parsing for malformed values. (#7309)
• Improved error consistency for malformed header values. (#7308)

Commits

• 111d2b7 v2.33.1
• f0198e6 Fix malformed value parsing for Content-Type (#7309)
• bc7dd0f Fix cosmetic header validity parsing regex (#7308)
• 4443b1a Fix unintended test extra (#7306)
• 389eea5 Cleanup extracted file after extract_zipped_path test (#7305)
• 7407309 Packaging: DRY out extras definition (#7277)
• See full diff in compare view

Updates ruff from 0.15.7 to 0.15.9

Release notes

Sourced from ruff's releases.

0.15.9

Release Notes

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

Bug fixes

• [flake8-errmsg] Avoid shadowing existing msg in fix for EM101 (#24363)
• [flake8-simplify] Ignore pre-initialization references in SIM113 (#24235)
• [pycodestyle] Fix W391 fixes for consecutive empty notebook cells (#24236)
• [pyupgrade] Fix UP008 nested class matching (#24273)
• [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• [ruff] RUF072: skip formfeeds on dedent (#24308)
• [ruff] Avoid re-using symbol in RUF024 fix (#24316)
• [ruff] Parenthesize expression in RUF050 fix (#24234)
• Disallow starred expressions as values of starred expressions (#24280)

Rule changes

• [flake8-simplify] Suppress SIM105 for except* before Python 3.12 (#23869)
• [pyflakes] Extend F507 to flag %-format strings with zero placeholders (#24215)
• [pyupgrade] UP018 should detect more unnecessarily wrapped literals (UP018) (#24093)
• [pyupgrade] Fix UP008 callable scope handling to support lambdas (#24274)
• [ruff] RUF010: Mark fix as unsafe when it deletes a comment (#24270)

Formatter

• Add nested-string-quote-style formatting option (#24312)

Documentation

• [flake8-bugbear] Clarify RUF071 fix safety for non-path string comparisons (#24149)
• [flake8-type-checking] Clarify import cycle wording for TC001/TC002/TC003 (#24322)

Other changes

• Avoid rendering fix lines with trailing whitespace after | (#24343)

Contributors

• @​charliermarsh
• @​MichaReiser
• @​tranhoangtu-it
• @​dylwil3
• @​zsol

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.9

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#24089)

Bug fixes

• [flake8-errmsg] Avoid shadowing existing msg in fix for EM101 (#24363)
• [flake8-simplify] Ignore pre-initialization references in SIM113 (#24235)
• [pycodestyle] Fix W391 fixes for consecutive empty notebook cells (#24236)
• [pyupgrade] Fix UP008 nested class matching (#24273)
• [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• [ruff] RUF072: skip formfeeds on dedent (#24308)
• [ruff] Avoid re-using symbol in RUF024 fix (#24316)
• [ruff] Parenthesize expression in RUF050 fix (#24234)
• Disallow starred expressions as values of starred expressions (#24280)

Rule changes

• [flake8-simplify] Suppress SIM105 for except* before Python 3.12 (#23869)
• [pyflakes] Extend F507 to flag %-format strings with zero placeholders (#24215)
• [pyupgrade] UP018 should detect more unnecessarily wrapped literals (UP018) (#24093)
• [pyupgrade] Fix UP008 callable scope handling to support lambdas (#24274)
• [ruff] RUF010: Mark fix as unsafe when it deletes a comment (#24270)

Formatter

• Add nested-string-quote-style formatting option (#24312)

Documentation

• [flake8-bugbear] Clarify RUF071 fix safety for non-path string comparisons (#24149)
• [flake8-type-checking] Clarify import cycle wording for TC001/TC002/TC003 (#24322)

Other changes

• Avoid rendering fix lines with trailing whitespace after | (#24343)

Contributors

• @​charliermarsh
• @​MichaReiser
• @​tranhoangtu-it
• @​dylwil3
• @​zsol
• @​renovate

... (truncated)

Commits

• 724ccc1 Bump 0.15.9 (#24369)
• 96d9e09 [ty] Move the deferred submodule inside infer/builder (#24368)
• 130da28 [ty] Infer the extra_items keyword argument to class-based TypedDicts as an...
• a617c54 [ty] Validate type qualifiers in functional TypedDict fields and the `extra_i...
• d851708 [ty] Improve robustness of various type-qualifier-related checks (#24251)
• aecb587 Only run the release-gate on workflow dispatch (#24366)
• b889571 [ty] Use infer_type_expression for parsing parameter annotations and return...
• 3286a62 Add a "release-gate" step to the release workflow (#24365)
• 5f88756 Disallow starred expressions as values of starred expressions (#24280)
• 5c59f8a [pyupgrade] Ignore strings with string-only escapes (UP012) (#16058)
• Additional commits viewable in compare view

Updates setuptools from 80.9.0 to 82.0.1

Changelog

Sourced from setuptools's changelog.

v82.0.1

Bugfixes

• Fix the loading of launcher manifest.xml file. (#5047)
• Replaced deprecated json.__version__ with fixture in tests. (#5186)

Improved Documentation

• Add advice about how to improve predictability when installing sdists. (#5168)

Misc

• #4941, #5157, #5169, #5175

v82.0.0

Deprecations and Removals

• pkg_resources has been removed from Setuptools. Most common uses of pkg_resources have been superseded by the importlib.resources <https://docs.python.org/3/library/importlib.resources.html>_ and importlib.metadata <https://docs.python.org/3/library/importlib.metadata.html>_ projects. Projects and environments relying on pkg_resources for namespace packages or other behavior should depend on older versions of setuptools. (#3085)

v81.0.0

Deprecations and Removals

• Removed support for the --dry-run parameter to setup.py. This one feature by its nature threads through lots of core and ancillary functionality, adding complexity and friction. Removal of this parameter will help decouple the compiler functionality from distutils and thus the eventual full integration of distutils. These changes do affect some class and function signatures, so any derivative functionality may require some compatibility shims to support their expected interface. Please report any issues to the Setuptools project for investigation. (#4872)

v80.10.2

Bugfixes

• Update vendored dependencies. (#5159)

Misc

... (truncated)

Commits

• 5a13876 Bump version: 82.0.0 → 82.0.1
• 51ab8f1 Avoid using (deprecated) 'json.version' in tests (#5194)
• f9c37b2 Docs/CI: Fix intersphinx references (#5195)
• 8173db2 Docs: Fix intersphinx references
• 09bafbc Fix past tense on newsfragment
• 461ea56 Add news fragment
• c4ffe53 Avoid using (deprecated) 'json.version' in tests
• 749258b Cleanup pkg_resources dependencies and configuration (#5175)
• 2019c16 Parse ext-module.define-macros from pyproject.toml as list of tuples (#5169)
• b809c86 Sync setuptools schema with validate-pyproject (#5157)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions