Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's
changelog</a>.</em></p>
<blockquote>
<h2><strong>6.14.1</strong></h2>
<ul>
<li>[Fix] ensure arrayLength applies to <code>[]</code> notation as
well</li>
<li>[Fix] <code>parse</code>: when a custom decoder returns
<code>null</code> for a key, ignore that key</li>
<li>[Refactor] <code>parse</code>: extract key segment splitting
helper</li>
<li>[meta] add threat model</li>
<li>[actions] add workflow permissions</li>
<li>[Tests] <code>stringify</code>: increase coverage</li>
<li>[Dev Deps] update <code>eslint</code>,
<code>@ljharb/eslint-config</code>, <code>npmignore</code>,
<code>es-value-fixtures</code>, <code>for-each</code>,
<code>object-inspect</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3fa11a5f64"><code>3fa11a5</code></a>
v6.14.1</li>
<li><a
href="a62670423c"><code>a626704</code></a>
[Dev Deps] update <code>npmignore</code></li>
<li><a
href="3086902ecf"><code>3086902</code></a>
[Fix] ensure arrayLength applies to <code>[]</code> notation as
well</li>
<li><a
href="fc7930e86c"><code>fc7930e</code></a>
[Dev Deps] update <code>eslint</code>,
<code>@ljharb/eslint-config</code></li>
<li><a
href="0b06aac566"><code>0b06aac</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li><a
href="64951f6200"><code>64951f6</code></a>
[Refactor] <code>parse</code>: extract key segment splitting helper</li>
<li><a
href="e1bd2599cd"><code>e1bd259</code></a>
[Dev Deps] update <code>@ljharb/eslint-config</code></li>
<li><a
href="f4b3d39709"><code>f4b3d39</code></a>
[eslint] add eslint 9 optional peer dep</li>
<li><a
href="6e94d9596c"><code>6e94d95</code></a>
[Dev Deps] update <code>eslint</code>,
<code>@ljharb/eslint-config</code>, <code>npmignore</code></li>
<li><a
href="973dc3c51c"><code>973dc3c</code></a>
[actions] add workflow permissions</li>
<li>Additional commits viewable in <a
href="https://github.com/ljharb/qs/compare/v6.14.0...v6.14.1">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/genai-toolbox/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.43.0 to 0.45.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4e0068c009"><code>4e0068c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e79546e28b"><code>e79546e</code></a>
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li>
<li><a
href="f91f7a7c31"><code>f91f7a7</code></a>
ssh/agent: prevent panic on malformed constraint</li>
<li><a
href="2df4153a03"><code>2df4153</code></a>
acme/autocert: let automatic renewal work with short lifetime certs</li>
<li><a
href="bcf6a849ef"><code>bcf6a84</code></a>
acme: pass context to request</li>
<li><a
href="b4f2b62076"><code>b4f2b62</code></a>
ssh: fix error message on unsupported cipher</li>
<li><a
href="79ec3a51fc"><code>79ec3a5</code></a>
ssh: allow to bind to a hostname in remote forwarding</li>
<li><a
href="122a78f140"><code>122a78f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="c0531f9c34"><code>c0531f9</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="0997000b45"><code>0997000</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.43.0...v0.45.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jws](https://github.com/brianloveswords/node-jws) from 4.0.0 to
4.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/brianloveswords/node-jws/releases">jws's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.1</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, addressing a compatibility issue for
Node >= 25.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.1]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, addressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.2.3]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.0.0]</h2>
<h3>Changed</h3>
<ul>
<li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an
<code>algorithm</code> parameter, and
<code>jws.createVerify</code> requires an <code>algorithm</code> option.
The <code>"alg"</code> field
signature headers is ignored. This mitigates a critical security flaw
in the library which would allow an attacker to generate signatures with
arbitrary contents that would be accepted by <code>jwt.verify</code>.
See
<a
href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a>
for details.</li>
</ul>
<h2><a
href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a>
- 2015-01-30</h2>
<h3>Changed</h3>
<ul>
<li>
<p><strong>BREAKING</strong>: Default payload encoding changed from
<code>binary</code> to
<code>utf8</code>. <code>utf8</code> is a more sensible default
than <code>binary</code> because
many payloads, as far as I can tell, will contain user-facing
strings that could be in any language. ([6b6de48])</p>
</li>
<li>
<p>Code reorganization, thanks [<a
href="https://github.com/fearphage"><code>@fearphage</code></a>]! (<a
href="https://github.com/brianloveswords/node-jws/commit/7880050">7880050</a>)</p>
</li>
</ul>
<h3>Added</h3>
<ul>
<li>Option in all relevant methods for <code>encoding</code>. For those
few users
that might be depending on a <code>binary</code> encoding of the
messages, this
is for them. ([6b6de48])</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="34c45b2c04"><code>34c45b2</code></a>
Merge commit from fork</li>
<li><a
href="49bc39b1f5"><code>49bc39b</code></a>
version 4.0.1</li>
<li><a
href="d42350ccab"><code>d42350c</code></a>
Enhance tests for HMAC streaming sign and verify</li>
<li><a
href="5cb007cf82"><code>5cb007c</code></a>
Improve secretOrKey initialization in VerifyStream</li>
<li><a
href="f9a2e1c8c6"><code>f9a2e1c</code></a>
Improve secret handling in SignStream</li>
<li><a
href="b9fb8d30e9"><code>b9fb8d3</code></a>
Merge pull request <a
href="https://redirect.github.com/brianloveswords/node-jws/issues/102">#102</a>
from auth0/SRE-57-Upload-opslevel-yaml</li>
<li><a
href="95b75ee56c"><code>95b75ee</code></a>
Upload OpsLevel YAML</li>
<li><a
href="8857ee7762"><code>8857ee7</code></a>
test: remove unused variable (<a
href="https://redirect.github.com/brianloveswords/node-jws/issues/96">#96</a>)</li>
<li>See full diff in <a
href="https://github.com/brianloveswords/node-jws/compare/v4.0.0...v4.0.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a
new releaser for jws since your current version.</p>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.43.0 to 0.45.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4e0068c009"><code>4e0068c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e79546e28b"><code>e79546e</code></a>
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li>
<li><a
href="f91f7a7c31"><code>f91f7a7</code></a>
ssh/agent: prevent panic on malformed constraint</li>
<li><a
href="2df4153a03"><code>2df4153</code></a>
acme/autocert: let automatic renewal work with short lifetime certs</li>
<li><a
href="bcf6a849ef"><code>bcf6a84</code></a>
acme: pass context to request</li>
<li><a
href="b4f2b62076"><code>b4f2b62</code></a>
ssh: fix error message on unsupported cipher</li>
<li><a
href="79ec3a51fc"><code>79ec3a5</code></a>
ssh: allow to bind to a hostname in remote forwarding</li>
<li><a
href="122a78f140"><code>122a78f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="c0531f9c34"><code>c0531f9</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="0997000b45"><code>0997000</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.43.0...v0.45.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
Bumps [jws](https://github.com/brianloveswords/node-jws) from 4.0.0 to
4.0.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/brianloveswords/node-jws/releases">jws's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.1</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, addressing a compatibility issue for
Node >= 25.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.1]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 2.0.1, addressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.2.3]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for
Node >= 25.</li>
</ul>
<h2>[3.0.0]</h2>
<h3>Changed</h3>
<ul>
<li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an
<code>algorithm</code> parameter, and
<code>jws.createVerify</code> requires an <code>algorithm</code> option.
The <code>"alg"</code> field
signature headers is ignored. This mitigates a critical security flaw
in the library which would allow an attacker to generate signatures with
arbitrary contents that would be accepted by <code>jwt.verify</code>.
See
<a
href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a>
for details.</li>
</ul>
<h2><a
href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a>
- 2015-01-30</h2>
<h3>Changed</h3>
<ul>
<li>
<p><strong>BREAKING</strong>: Default payload encoding changed from
<code>binary</code> to
<code>utf8</code>. <code>utf8</code> is a more sensible default
than <code>binary</code> because
many payloads, as far as I can tell, will contain user-facing
strings that could be in any language. ([6b6de48])</p>
</li>
<li>
<p>Code reorganization, thanks [<a
href="https://github.com/fearphage"><code>@fearphage</code></a>]! (<a
href="https://github.com/brianloveswords/node-jws/commit/7880050">7880050</a>)</p>
</li>
</ul>
<h3>Added</h3>
<ul>
<li>Option in all relevant methods for <code>encoding</code>. For those
few users
that might be depending on a <code>binary</code> encoding of the
messages, this
is for them. ([6b6de48])</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="34c45b2c04"><code>34c45b2</code></a>
Merge commit from fork</li>
<li><a
href="49bc39b1f5"><code>49bc39b</code></a>
version 4.0.1</li>
<li><a
href="d42350ccab"><code>d42350c</code></a>
Enhance tests for HMAC streaming sign and verify</li>
<li><a
href="5cb007cf82"><code>5cb007c</code></a>
Improve secretOrKey initialization in VerifyStream</li>
<li><a
href="f9a2e1c8c6"><code>f9a2e1c</code></a>
Improve secret handling in SignStream</li>
<li><a
href="b9fb8d30e9"><code>b9fb8d3</code></a>
Merge pull request <a
href="https://redirect.github.com/brianloveswords/node-jws/issues/102">#102</a>
from auth0/SRE-57-Upload-opslevel-yaml</li>
<li><a
href="95b75ee56c"><code>95b75ee</code></a>
Upload OpsLevel YAML</li>
<li><a
href="8857ee7762"><code>8857ee7</code></a>
test: remove unused variable (<a
href="https://redirect.github.com/brianloveswords/node-jws/issues/96">#96</a>)</li>
<li>See full diff in <a
href="https://github.com/brianloveswords/node-jws/compare/v4.0.0...v4.0.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a
new releaser for jws since your current version.</p>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.43.0 to 0.45.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4e0068c009"><code>4e0068c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e79546e28b"><code>e79546e</code></a>
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li>
<li><a
href="f91f7a7c31"><code>f91f7a7</code></a>
ssh/agent: prevent panic on malformed constraint</li>
<li><a
href="2df4153a03"><code>2df4153</code></a>
acme/autocert: let automatic renewal work with short lifetime certs</li>
<li><a
href="bcf6a849ef"><code>bcf6a84</code></a>
acme: pass context to request</li>
<li><a
href="b4f2b62076"><code>b4f2b62</code></a>
ssh: fix error message on unsupported cipher</li>
<li><a
href="79ec3a51fc"><code>79ec3a5</code></a>
ssh: allow to bind to a hostname in remote forwarding</li>
<li><a
href="122a78f140"><code>122a78f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="c0531f9c34"><code>c0531f9</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="0997000b45"><code>0997000</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.43.0...v0.45.0">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <akitsch@google.com>
## Description
## PR Checklist
> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:
- [x] Make sure you reviewed
[CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a
[bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change
🛠️ Fixes #<issue_number_goes_here>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.43.0 to 0.45.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4e0068c009"><code>4e0068c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="e79546e28b"><code>e79546e</code></a>
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li>
<li><a
href="f91f7a7c31"><code>f91f7a7</code></a>
ssh/agent: prevent panic on malformed constraint</li>
<li><a
href="2df4153a03"><code>2df4153</code></a>
acme/autocert: let automatic renewal work with short lifetime certs</li>
<li><a
href="bcf6a849ef"><code>bcf6a84</code></a>
acme: pass context to request</li>
<li><a
href="b4f2b62076"><code>b4f2b62</code></a>
ssh: fix error message on unsupported cipher</li>
<li><a
href="79ec3a51fc"><code>79ec3a5</code></a>
ssh: allow to bind to a hostname in remote forwarding</li>
<li><a
href="122a78f140"><code>122a78f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="c0531f9c34"><code>c0531f9</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="0997000b45"><code>0997000</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.43.0...v0.45.0">compare
view</a></li>
</ul>
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
This PR contains the following updates:
| Package | Change |
|---|---|
| [google-adk](https://redirect.github.com/google/adk-python) ([changelog](https://redirect.github.com/google/adk-python/blob/main/CHANGELOG.md)) | `==1.18.0` -> `==1.19.0` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>google/adk-python (google-adk)</summary>
###
[`v1.19.0`](https://redirect.github.com/google/adk-python/blob/HEAD/CHANGELOG.md#1190-2025-11-19)
[Compare
Source](https://redirect.github.com/google/adk-python/compare/v1.18.0...v1.19.0)
##### Features
- **\[Core]**
- Add `id` and `custom_metadata` fields to `MemoryEntry`
([4dd28a3](4dd28a3970))
- Add progressive SSE streaming feature
([a5ac1d5](a5ac1d5e14))
- Add a2a\_request\_meta\_provider to RemoteAgent init
([d12468e](d12468ee5a))
- Add feature decorator for the feature registry system
([871da73](871da731f1))
- Breaking: Raise minimum Python version to 3\_10
([8402832](840283228e))
- Refactor and rename BigQuery agent analytics plugin
([6b14f88](6b14f88726))
- Pass custom\_metadata through forwarding artifact service
([c642f13](c642f13f21))
- Update save\_files\_as\_artifacts\_plugin to never keep inline data
([857de04](857de04deb))
- **\[Evals]**
- Add support for InOrder and AnyOrder match in ToolTrajectoryAvgScore
Metric
([e2d3b2d](e2d3b2d862))
- **\[Integrations]**
- Enhance BQ Plugin Schema, Error Handling, and Logging
([5ac5129](5ac5129fb0))
- Schema Enhancements with Descriptions, Partitioning, and Truncation
Indicator
([7c993b0](7c993b01d1))
- **\[Services]**
- Add file-backed artifact service
([99ca6aa](99ca6aa6e6))
- Add service factory for configurable session and artifact backends
([a12ae81](a12ae812d3))
- Add SqliteSessionService and a migration script to migrate existing DB
using DatabaseSessionService to SqliteSessionService
([e218254](e218254495))
- Add transcription fields to session events
([3ad30a5](3ad30a58f9))
- Full async implementation of DatabaseSessionService
([7495941](74959414d8))
- **\[Models]**
- Add experimental feature to use `parameters_json_schema` and
`response_json_schema` for McpTool
([1dd97f5](1dd97f5b45))
- Add support for parsing inline JSON tool calls in LiteLLM responses
([22eb7e5](22eb7e5b06))
- Expose artifact URLs to the model when available
([e3caf79](e3caf79139))
- **\[Tools]**
- Add BigQuery related label handling
([ffbab4c](ffbab4cf4e))
- Allow setting max\_billed\_bytes in BigQuery tools config
([ffbb0b3](ffbb0b37e1))
- Propagate `application_name` set for the BigQuery Tools as BigQuery
job labels
([f13a11e](f13a11e1dc))
- Set per-tool user agent in BQ calls and tool label in BQ jobs
([c0be1df](c0be1df052))
- **\[Observability]**
- Migrate BigQuery logging to Storage Write API
([a2ce34a](a2ce34a0b9))
##### Bug Fixes
- Add `jsonschema` dependency for Agent Builder config validation
([0fa7e46](0fa7e4619d))
- Add None check for `event` in `remote_a2a_agent.py`
([744f94f](744f94f0c8))
- Add vertexai initialization for code being deployed to AgentEngine
([b8e4aed](b8e4aedfbf))
- Change LiteLLM content and tool parameter handling
([a19be12](a19be12c1f))
- Change name for builder agent
([131d39c](131d39c3db))
- Ensure event compaction completes by awaiting task
([b5f5df9](b5f5df9fa8))
- Fix deploy to cloud run on Windows
([29fea7e](29fea7ec1f))
- Fix error handling when MCP server is unreachable
([ee8106b](ee8106be77))
- Fix error when query job destination is None
([0ccc43c](0ccc43cf49))
- Fix Improve logic for checking if a MCP session is disconnected
([a754c96](a754c96d3c))
- Fix McpToolset crashing with anyio.BrokenResourceError
([8e0648d](8e0648df23))
- Fix Safely handle `FunctionDeclaration` without a `required` attribute
([93aad61](93aad61198))
- Fix status code in error message in RestApiTool
([9b75456](9b754564b3))
- Fix Use `async for` to loop through event iterator to get all events
in vertex\_ai\_session\_service
([9211f4c](9211f4ce8c))
- Fix: Fixes DeprecationWarning when using send method
([2882995](2882995289))
- Improve logic for checking if a MCP session is disconnected
([a48a1a9](a48a1a9e88))
- Improve handling of partial and complete transcriptions in live calls
([1819ecb](1819ecb4b8))
- Keep vertex session event after the session update time
([0ec0195](0ec01956e8))
- Let part converters also return multiple parts so they can support
more usecases
([824ab07](824ab07212))
- Load agent/app before creating session
([236f562](236f562cd2))
- Remove app name from FileArtifactService directory structure
([12db84f](12db84f5cd))
- Remove hardcoded `google-cloud-aiplatform` version in agent engine
requirements
([e15e19d](e15e19da05))
- Stop updating write mode in the global settings during tool execution
([5adbf95](5adbf95a0a))
- Update description for `load_artifacts` tool
([c485889](c4858896ff))
##### Improvements
- Add BigQuery related label handling
([ffbab4c](ffbab4cf4e))
- Add demo for rewind
([8eb1bdb](8eb1bdbc58))
- Add debug logging for live connection
([5d5708b](5d5708b2ab))
- Add debug logging for missing function call events
([f3d6fcf](f3d6fcf444))
- Add default retry options as fall back to llm\_request that are made
during evals
([696852a](696852a280))
- Add plugin for returning GenAI Parts from tools into the model request
([116b26c](116b26c33e))
- Add support for abstract types in AFC
([2efc184](2efc184a46))
- Add support for structured output schemas in LiteLLM models
([7ea4aed](7ea4aed35b))
- Add tests for `max_query_result_rows` in BigQuery tool config
([fd33610](fd33610e96))
- Add type hints in `cleanup_unused_files.py`
([2dea573](2dea5733b7))
- Add util to build our llms.txt and llms-full.txt files
- ADK changes
([f1f4467](f1f44675e4))
- Defer import of `google.cloud.storage` in `GCSArtifactService`
([999af55](999af55880))
- Defer import of `live`, `Client` and `_transformers` in `google.genai`
([22c6dbe](22c6dbe83c))
- Enhance the messaging with possible fixes for RESOURCE\_EXHAUSTED
errors from Gemini
([b2c45f8](b2c45f8d91))
- Improve gepa tau-bench colab for external use
([e02f177](e02f177790))
- Improve gepa voter agent demo colab
([d118479](d118479ccf))
- Lazy import DatabaseSessionService in the adk/sessions/ module
([5f05749](5f057498a2))
- Move adk\_agent\_builder\_assistant to built\_in\_agents
([b2b7f2d](b2b7f2d6aa))
- Plumb memory service from LocalEvalService to EvaluationGenerator
([dc3f60c](dc3f60cc93))
- Removes the unrealistic todo comment of visibility management
([e511eb1](e511eb1f70))
- Returns agent state regardless if ctx.is\_resumable
([d6b928b](d6b928bdf7))
- Stop logging the full content of LLM blobs
([0826755](082675546f))
- Update ADK web to match main branch
([14e3802](14e3802643))
- Update agent instructions and retry limit in
`plugin_reflect_tool_retry` sample
([01bac62](01bac62f0c))
- Update conformance test CLI to handle long-running tool calls
([dd706bd](dd706bdc45))
- Update Gemini Live model names in live bidi streaming sample
([aa77834](aa77834e2e))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox).
Co-authored-by: Harsh Jha <83023263+rapid-killer-9@users.noreply.github.com>
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="56774ef73b"><code>56774ef</code></a>
10.5.0</li>
<li><a
href="1e4e297342"><code>1e4e297</code></a>
bin: Do not expose filenames to shell expansion</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-glob/compare/v10.4.5...v10.5.0">compare
view</a></li>
</ul>
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Anmol Shukla <shuklaanmol@google.com>
Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
This PR contains the following updates:
| Package | Change |
|---|---|
| [pytest](https://redirect.github.com/pytest-dev/pytest) ([changelog](https://docs.pytest.org/en/stable/changelog.html)) | `==8.4.2` -> `==9.0.0` |
---
### Release Notes
<details>
<summary>pytest-dev/pytest (pytest)</summary>
###
[`v9.0.0`](https://redirect.github.com/pytest-dev/pytest/releases/tag/9.0.0)
[Compare
Source](https://redirect.github.com/pytest-dev/pytest/compare/8.4.2...9.0.0)
### pytest 9.0.0 (2025-11-05)
#### New features
-
[#​1367](https://redirect.github.com/pytest-dev/pytest/issues/1367):
**Support for subtests** has been added.
`subtests <subtests>` are an alternative to parametrization, useful in
situations where the parametrization values are not all known at
collection time.
Example:
```python
from pathlib import Path
import pytest

def contains_docstring(p: Path) -> bool:
    """Return True if the given Python file contains a top-level docstring."""
    ...

def test_py_files_contain_docstring(subtests: pytest.Subtests) -> None:
    for path in Path.cwd().glob("*.py"):
        with subtests.test(path=str(path)):
            assert contains_docstring(path)
```
Each assert failure or error is caught by the context manager and
reported individually, giving a clear picture of all files that are
missing a docstring.
In addition, `unittest.TestCase.subTest` is now also supported.
This feature was originally implemented as a separate plugin in
[pytest-subtests](https://redirect.github.com/pytest-dev/pytest-subtests),
but since then has been merged into the core.
> \[!NOTE]
> This feature is experimental and will likely evolve in future
releases. By that we mean that we might change how subtests are reported
on failure, but the functionality and how to use it are stable.
-
[#​13743](https://redirect.github.com/pytest-dev/pytest/issues/13743):
Added support for **native TOML configuration files**.
While pytest, since version 6, supports configuration in
`pyproject.toml` files under `[tool.pytest.ini_options]`,
it does so in an "INI compatibility mode", where all configuration
values are treated as strings or list of strings.
Now, pytest supports the native TOML data model.
In `pyproject.toml`, the native TOML configuration is under the
`[tool.pytest]` table.
```toml
# pyproject.toml
[tool.pytest]
minversion = "9.0"
addopts = ["-ra", "-q"]
testpaths = [
    "tests",
    "integration",
]
```
The `[tool.pytest.ini_options]` table remains supported, but both tables
cannot be used at the same time.
If you prefer to use a separate configuration file, or don't use
`pyproject.toml`, you can use `pytest.toml` or `.pytest.toml`:
```toml
# pytest.toml or .pytest.toml
[pytest]
minversion = "9.0"
addopts = ["-ra", "-q"]
testpaths = [
    "tests",
    "integration",
]
```
The documentation now (sometimes) shows configuration snippets in both
TOML and INI formats, in a tabbed interface.
See `config file formats` for full details.
-
[#​13823](https://redirect.github.com/pytest-dev/pytest/issues/13823):
Added a **"strict mode"** enabled by the `strict` configuration option.
When set to `true`, the `strict` option currently enables
- `strict_config`
- `strict_markers`
- `strict_parametrization_ids`
- `strict_xfail`
The individual strictness options can be explicitly set to override the
global `strict` setting.
The previously-deprecated `--strict` command-line flag now enables
strict mode.
If pytest adds new strictness options in the future, they will also be
enabled in strict mode.
Therefore, you should only enable strict mode if you use a pinned/locked
version of pytest,
or if you want to proactively adopt new strictness options as they are
added.
See `strict mode` for more details.
-
[#​13737](https://redirect.github.com/pytest-dev/pytest/issues/13737):
Added the `strict_parametrization_ids` configuration option.
When set, pytest emits an error if it detects non-unique parameter set
IDs,
rather than automatically making the IDs unique by adding `0`, `1`, ... to
them.
This can be particularly useful for catching unintended duplicates.
-
[#​13072](https://redirect.github.com/pytest-dev/pytest/issues/13072):
Added support for displaying test session **progress in the terminal
tab** using the [OSC
9;4;](https://conemu.github.io/en/AnsiEscapeCodes.html#ConEmu_specific_OSC)
ANSI sequence.
When pytest runs in a supported terminal emulator like ConEmu, Gnome
Terminal, Ptyxis, Windows Terminal, Kitty or Ghostty,
you'll see the progress in the terminal tab or window,
allowing you to monitor pytest's progress at a glance.
This feature is automatically enabled when running in a TTY. It is
implemented as an internal plugin. If needed, it can be disabled as
follows:
- On a user level, using `-p no:terminalprogress` on the command line or
via an environment variable `PYTEST_ADDOPTS='-p no:terminalprogress'`.
- On a project configuration level, using `addopts = "-p
no:terminalprogress"`.
-
[#​478](https://redirect.github.com/pytest-dev/pytest/issues/478):
Support PEP420 (implicit namespace packages) as `--pyargs` target when
`consider_namespace_packages` is `true` in the config.
Previously, this option only impacted package imports, now it also
impacts tests discovery.
-
[#​13678](https://redirect.github.com/pytest-dev/pytest/issues/13678):
Added a new `faulthandler_exit_on_timeout` configuration option set to
"false" by default to let `faulthandler` interrupt the `pytest` process after a
timeout in case of deadlock.
Previously, a `faulthandler` timeout would only dump the traceback of all
threads to stderr, but would not interrupt the `pytest` process.
\-- by `ogrisel`.
-
[#​13829](https://redirect.github.com/pytest-dev/pytest/issues/13829):
Added support for configuration option aliases via the `aliases`
parameter in `Parser.addini() <pytest.Parser.addini>`.
Plugins can now register alternative names for configuration options,
allowing for more flexibility in configuration naming and supporting
backward compatibility when renaming options.
The canonical name always takes precedence if both the canonical name
and an alias are specified in the configuration file.
#### Improvements in existing functionality
-
[#​13330](https://redirect.github.com/pytest-dev/pytest/issues/13330):
Having pytest configuration spread over more than one file (for example
having both a `pytest.ini` file and `pyproject.toml` with a
`[tool.pytest.ini_options]` table) will now print a warning to make it
clearer to the user that only one of them is actually used.
\-- by `sgaist`
-
[#​13574](https://redirect.github.com/pytest-dev/pytest/issues/13574):
The single argument `--version` no longer loads the entire plugin
infrastructure, making it faster and more reliable when displaying only
the pytest version.
Passing `--version` twice (e.g., `pytest --version --version`) retains
the original behavior, showing both the pytest version and plugin
information.
> \[!NOTE]
> Since `--version` is now processed early, it only takes effect when
passed directly via the command line. It will not work if set through
other mechanisms, such as `PYTEST_ADDOPTS` or `addopts`.
-
[#​13823](https://redirect.github.com/pytest-dev/pytest/issues/13823):
Added `strict_xfail` as an alias to the `xfail_strict` option,
`strict_config` as an alias to the `--strict-config` flag,
and `strict_markers` as an alias to the `--strict-markers` flag.
This makes all strictness options consistently have configuration
options with the prefix `strict_`.
-
[#​13700](https://redirect.github.com/pytest-dev/pytest/issues/13700):
`--junitxml` no longer prints the `generated xml file` summary at the end of the
pytest session when `--quiet` is given.
-
[#​13732](https://redirect.github.com/pytest-dev/pytest/issues/13732):
Previously, when filtering warnings, pytest would fail if the filter
referenced a class that could not be imported. Now, this only outputs a
message indicating the problem.
-
[#​13859](https://redirect.github.com/pytest-dev/pytest/issues/13859):
Clarify the error message for `pytest.raises()` when a regex `match` fails.
-
[#​13861](https://redirect.github.com/pytest-dev/pytest/issues/13861):
Better sentence structure in a test's expected error message.
Previously, the error message would be "expected exception must be
\<expected>, but got \<actual>". Now, it is "Expected \<expected>, but
got \<actual>".
#### Removals and backward incompatible breaking changes
-
[#​12083](https://redirect.github.com/pytest-dev/pytest/issues/12083):
Fixed a bug where an invocation such as `pytest a/ a/b` would cause only
tests from `a/b` to run, and not other tests under `a/`.
The fix entails a few breaking changes to how such overlapping arguments
and duplicates are handled:
1. `pytest a/b a/` or `pytest a/ a/b` are equivalent to `pytest a`; if an
argument overlaps another argument, only the prefix remains.
2. `pytest x.py x.py` is equivalent to `pytest x.py`; previously such an
invocation was taken as an explicit request to run the tests from the
file twice.
If you rely on these behaviors, consider using `--keep-duplicates
<duplicate-paths>`, which retains its existing behavior (including the
bug).
-
[#​13719](https://redirect.github.com/pytest-dev/pytest/issues/13719):
Support for Python 3.9 is dropped following its end of life.
-
[#​13766](https://redirect.github.com/pytest-dev/pytest/issues/13766):
Previously, pytest would assume it was running in a CI/CD environment if
either of the environment variables `$CI`
or `$BUILD_NUMBER` was defined;
now, CI mode is only activated if at least one of those variables is
defined and set to a *non-empty* value.
-
[#​13779](https://redirect.github.com/pytest-dev/pytest/issues/13779):
**PytestRemovedIn9Warning deprecation warnings are now errors by
default.**
Following our plan to remove deprecated features with as little
disruption as
possible, all warnings of type `PytestRemovedIn9Warning` now generate
errors
instead of warning messages by default.
**The affected features will be effectively removed in pytest 9.1**, so
please consult the
`deprecations` section in the docs for directions on how to update
existing code.
In the pytest `9.0.X` series, it is possible to change the errors back
into warnings as a
stopgap measure by adding this to your `pytest.ini` file:
```ini
[pytest]
filterwarnings =
    ignore::pytest.PytestRemovedIn9Warning
```
But this will stop working when pytest `9.1` is released.
**If you have concerns** about the removal of a specific feature, please
add a
comment to `13779`.
#### Deprecations (removal in next major release)
-
[#​13807](https://redirect.github.com/pytest-dev/pytest/issues/13807):
`monkeypatch.syspath_prepend() <pytest.MonkeyPatch.syspath_prepend>` now
issues a deprecation warning when the prepended path contains legacy
namespace packages (those using `pkg_resources.declare_namespace()`).
Users should migrate to native namespace packages (`420`).
See `monkeypatch-fixup-namespace-packages` for details.
#### Bug fixes
-
[#​13445](https://redirect.github.com/pytest-dev/pytest/issues/13445):
Made the type annotations of `pytest.skip` and friends more
spec-compliant to have them work across more type checkers.
-
[#​13537](https://redirect.github.com/pytest-dev/pytest/issues/13537):
Fixed a bug in which `ExceptionGroup` with only `Skipped` exceptions in
teardown was not handled correctly and showed as error.
-
[#​13598](https://redirect.github.com/pytest-dev/pytest/issues/13598):
Fixed possible collection confusion on Windows when short paths and
symlinks are involved.
-
[#​13716](https://redirect.github.com/pytest-dev/pytest/issues/13716):
Fixed a bug where a nonsensical invocation like `pytest x.py[a]` (a file
cannot be parametrized) was silently treated as `pytest x.py`. This is
now a usage error.
-
[#​13722](https://redirect.github.com/pytest-dev/pytest/issues/13722):
Fixed a misleading assertion failure message when using `pytest.approx`
on mappings with differing lengths.
-
[#​13773](https://redirect.github.com/pytest-dev/pytest/issues/13773):
Fixed the static fixture closure calculation to properly consider
transitive dependencies requested by overridden fixtures.
-
[#​13816](https://redirect.github.com/pytest-dev/pytest/issues/13816):
Fixed `pytest.approx` which now returns a clearer error message when
comparing mappings with different keys.
-
[#​13849](https://redirect.github.com/pytest-dev/pytest/issues/13849):
Hidden `.pytest.ini` files are now picked up as the config file even if
empty.
This was an inconsistency with non-hidden `pytest.ini`.
-
[#​13865](https://redirect.github.com/pytest-dev/pytest/issues/13865):
Fixed `--show-capture` with `--tb=line`.
-
[#​13522](https://redirect.github.com/pytest-dev/pytest/issues/13522):
Fixed `pytester` in subprocess mode ignored all `pytester.plugins
<pytest.Pytester.plugins>` except the first.
Fixed `pytester` in subprocess mode silently ignored non-str
`pytester.plugins <pytest.Pytester.plugins>`.
Now it errors instead.
If you are affected by this, specify the plugin by name, or switch the
affected tests to use `pytester.runpytest_inprocess
<pytest.Pytester.runpytest_inprocess>` explicitly instead.
#### Packaging updates and notes for downstreams
-
[#​13791](https://redirect.github.com/pytest-dev/pytest/issues/13791):
Minimum requirements on `iniconfig` and `packaging` were bumped to
`1.0.1` and `22.0.0`, respectively.
#### Contributor-facing changes
-
[#​12244](https://redirect.github.com/pytest-dev/pytest/issues/12244):
Fixed self-test failures when `TERM=dumb`.
-
[#​12474](https://redirect.github.com/pytest-dev/pytest/issues/12474):
Added scheduled GitHub Action Workflow to run Sphinx linkchecks in repo
documentation.
-
[#​13621](https://redirect.github.com/pytest-dev/pytest/issues/13621):
pytest's own testsuite now handles the `lsof` command hanging (e.g. due
to unreachable network filesystems), with the affected selftests being
skipped after 10 seconds.
-
[#​13638](https://redirect.github.com/pytest-dev/pytest/issues/13638):
Fixed deprecated `gh pr new` command in `scripts/prepare-release-pr.py`.
The script now uses `gh pr create` which is compatible with GitHub CLI
v2.0+.
-
[#​13695](https://redirect.github.com/pytest-dev/pytest/issues/13695):
Flush `stdout` and `stderr` in `Pytester.run` to avoid truncated outputs in
`test_faulthandler.py::test_timeout` on CI -- by `ogrisel`.
-
[#​13771](https://redirect.github.com/pytest-dev/pytest/issues/13771):
Skip `test_do_not_collect_symlink_siblings` on
Windows environments without symlink support to avoid false negatives.
-
[#​13841](https://redirect.github.com/pytest-dev/pytest/issues/13841):
`tox>=4` is now required when contributing to pytest.
-
[#​13625](https://redirect.github.com/pytest-dev/pytest/issues/13625):
Added missing docstrings to `pytest_addoption()`, `pytest_configure()`,
and `cacheshow()` functions in `cacheprovider.py`.
#### Miscellaneous internal changes
-
[#​13830](https://redirect.github.com/pytest-dev/pytest/issues/13830):
Configuration overrides (`-o`/`--override-ini`) are now processed during
startup rather than during `config.getini() <pytest.Config.getini>`.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox).
This PR contains the following updates:
| Package | Change |
|---|---|
| [google-adk](https://redirect.github.com/google/adk-python) ([changelog](https://redirect.github.com/google/adk-python/blob/main/CHANGELOG.md)) | `==1.15.1` -> `==1.18.0` |
---
### Release Notes
<details>
<summary>google/adk-python (google-adk)</summary>
###
[`v1.18.0`](https://redirect.github.com/google/adk-python/blob/HEAD/CHANGELOG.md#1180-2025-11-05)
[Compare
Source](https://redirect.github.com/google/adk-python/compare/v1.17.0...v1.18.0)
##### Features
- **\[ADK Visual Agent Builder]**
- Core Features
- Visual workflow designer for agent creation
- Support for multiple agent types (LLM, Sequential, Parallel, Loop,
Workflow)
- Agent tool support with nested agent tools
- Built-in and custom tool integration
- Callback management for all ADK callback types (before/after agent,
model, tool)
- Assistant to help you build your agents with natural language
- Assistant proposes and writes agent configuration yaml files for you
- Save to test with chat interfaces as normal
- Build and debug at the same time in adk web!
- **\[Core]**
- Add support for extracting cache-related token counts from LiteLLM
usage
([4f85e86](4f85e86fc3))
- Expose the Python code run by the code interpreter in the logs
([a2c6a8a](a2c6a8a85c))
- Add run\_debug() helper method for quick agent experimentation
([0487eea](0487eea2ab))
- Allow injecting a custom Runner into `agent_to_a2a`
([156d235](156d235479))
- Support MCP prompts via the McpInstructionProvider class
([88032cf](88032cf5c5))
- **\[Models]**
- Add model tracking to LiteLlm and introduce a LiteLLM with fallbacks
demo
([d4c63fc](d4c63fc562))
- Add ApigeeLlm as a model that lets ADK Agent developers connect
with an Apigee proxy
([87dcb3f](87dcb3f7ba))
- **\[Integrations]**
- Add example and fix for loading and upgrading old ADK session
databases
([338c3c8](338c3c89c6))
- Add support for specifying logging level for adk eval cli command
([b1ff85f](b1ff85fb23))
- Propagate LiteLLM finish\_reason to LlmResponse for use in callbacks
([71aa564](71aa5645f6))
- Allow LLM request to override the model used in the generate content
async method in LiteLLM
([ce8f674](ce8f674a28))
- Add api key argument to Vertex Session and Memory services for Express
Mode support
([9014a84](9014a849ea))
- Added support for enums as arguments for function tools
([240ef5b](240ef5beea))
- Implement artifact\_version related methods in GcsArtifactService
([e194ebb](e194ebb33c))
- **\[Services]**
- Add support for Vertex AI Express Mode when deploying to Agent Engine
([d4b2a8b](d4b2a8b49f))
- Remove custom polling logic for Vertex AI Session Service since LRO
polling is supported in express mode
([546c2a6](546c2a6816))
- Make VertexAiSessionService fully asynchronous
([f7e2a7a](f7e2a7a40e))
- **\[Tools]**
- Add Bigquery detect\_anomalies tool
([9851340](9851340ad1))
- Extend Bigquery detect\_anomalies tool to support future data anomaly
detection
([38ea749](38ea749c9c))
- Add get\_job\_info tool to BigQuery toolset
([6429457](64294572c1))
- **\[Evals]**
- Add "final\_session\_state" to the EvalCase data model
([2274c4f](2274c4f304))
- Marked expected\_invocation as optional field on evaluator interface
([b17c8f1](b17c8f19e5))
- Adds LLM-backed user simulator
([54c4ecc](54c4ecc733))
- **\[Observability]**
- Add BigQueryLoggingPlugin for event logging to BigQuery
([b7dbfed](b7dbfed4a3))
- **\[Live]**
- Add token usage to live events for bidi streaming
([6e5c0eb](6e5c0eb6e0))
##### Bug Fixes
- Reduce logging spam for MCP tools without authentication
([11571c3](11571c37ab))
- Fix typo in several files
([d2888a3](d2888a3766))
- Disable SetModelResponseTool workaround for Vertex AI Gemini 2+ models
([6a94af2](6a94af24bf))
- Bug when callback\_context\_invocation\_context is missing in
GlobalInstructionPlugin
([f81ebdb](f81ebdb622))
- Support models slash prefix in model name extraction
([8dff850](8dff85099d))
- Do not consider events with state delta and no content as final
response
([1ee93c8](1ee93c8bcb))
- Parameter filtering for CrewAI functions with \*\*kwargs
([74a3500](74a3500fc5))
- Do not treat FinishReason.STOP as error case for LLM responses
containing candidates with empty contents
([2f72ceb](2f72ceb49b))
- Fixes null check for reflect\_retry plugin sample
([86f0155](86f01550bd))
- Creates evalset directory on evalset create
([6c3882f](6c3882f2d6))
- Add ADK\_DISABLE\_LOAD\_DOTENV environment variable that disables
automatic loading of .env when running ADK cli, if set to true or 1
([15afbcd](15afbcd158))
- Allow tenacity 9.0.0
([ee8acc5](ee8acc58be))
- Output file uploading to artifact service should handle both base64
encoded and raw bytes
([496f8cd](496f8cd6bb))
- Correct message part ordering in A2A history
([5eca72f](5eca72f9bf))
- Change instruction insertion to respect tool call/response pairs
([1e6a9da](1e6a9daa63))
- DynamicPickleType to support MySQL dialect
([fc15c9a](fc15c9a0c3))
- Enable usage metadata in LiteLLM streaming
([f9569bb](f9569bbb1a))
- Fix issue with MCP tools throwing an error
([1a4261a](1a4261ad4b))
- Remove redundant `format` field from LiteLLM content objects
([489c39d](489c39db01))
- Update the contribution analysis tool to use original write mode
([54db3d4](54db3d4434))
- Fix agent evaluations detailed output rows wrapping issue
([4284c61](4284c61901))
- Update dependency version constraints to be based on PyPI versions
([0b1784e](0b1784e0e4))
##### Improvements
- Add Community Repo section to README
([432d30a](432d30af48))
- Undo adding MCP tools output schema to FunctionDeclaration
([92a7d19](92a7d19573))
- Refactor ADK README for clarity and consistency
([b0017ae](b0017aed44))
- Add support for reversed proxy in adk web
([a0df75b](a0df75b6fa))
- Avoid rendering empty columns as part of detailed results rendering of
eval results
([5cb35db](5cb35db921))
- Clear the behavior of disallow\_transfer\_to\_parent
([48ddd07](48ddd07894))
- Disable the scheduled execution for issue triage workflow
([a02f321](a02f321f1b))
- Include delimiter when matching events from parent nodes in content
processor
([b8a2b6c](b8a2b6c570))
- Improve Tau-bench ADK colab stability
([04dbc42](04dbc42e50))
- Implement ADK-based agent factory for Tau-bench
([c0c67c8](c0c67c8698))
- Add util to run ADK LLM Agent with simulation environment
([87f415a](87f415a7c3))
- Demonstrate CodeExecutor customization for environment setup
([8eeff35](8eeff35b35))
- Add sample agent for VertexAiCodeExecutor
([edfe553](edfe553942))
- Adds a new sample agent that demonstrates how to integrate PostgreSQL
databases using the Model Context Protocol (MCP)
([45a2168](45a2168e0e))
- Add example for using ADK with Fast MCP sampling
([d3796f9](d3796f9b33))
- Refactor gepa sample code and clean-up user demo colab
([63353b2](63353b2b74))
### [`v1.17.0`](https://redirect.github.com/google/adk-python/blob/HEAD/CHANGELOG.md#1170-2025-10-22)
[Compare Source](https://redirect.github.com/google/adk-python/compare/v1.16.0...v1.17.0)
##### Features
- **\[Core]**
- Add a service registry to provide a generic way to register custom
service implementations to be used in FastAPI server. See short
instruction
[here](https://redirect.github.com/google/adk-python/discussions/3175#discussioncomment-14745120).
([391628f](391628fcdc))
- Add the ability to rewind a session to before a previous invocation
([9dce06f](9dce06f9b0))
- Support resuming a parallel agent with multiple branches paused on
tool confirmation requests
([9939e0b](9939e0b087))
- Support content union as static instruction
([cc24d61](cc24d616f8))
- **\[Evals]**
- ADK cli allows developers to create an eval set and add an eval case
([ae139bb](ae139bb461))
- **\[Integrations]**
- Allow custom request and event converters in A2aAgentExecutor
([a17f3b2](a17f3b2e6d))
- **\[Observability]**
- Env variable for disabling llm\_request and llm\_response in spans
([e50f05a](e50f05a9fc))
- **\[Services]**
- Allow passing extra kwargs to create\_session of
VertexAiSessionService
([6a5eac0](6a5eac0bdc))
- Implement new methods in in-memory artifact service to support custom
metadata, artifact versions, etc.
([5a543c0](5a543c00df))
- Add create\_time and mime\_type to ArtifactVersion
([2c7a342](2c7a342593))
- Support returning all sessions when user id is none
([141318f](141318f775))
- **\[Tools]**
- Support additional headers for Google API toolset
([ed37e34](ed37e343f0))
- Introduces a new AgentEngineSandboxCodeExecutor class that supports
executing agent-generated code using the Vertex AI Code Execution
Sandbox API
([ee39a89](ee39a89110))
- Support dynamic per-request headers in MCPToolset
([6dcbb5a](6dcbb5aca6))
- Add `bypass_multi_tools_limit` option to GoogleSearchTool and
VertexAiSearchTool
([9a6b850](9a6b8507f0),
[6da7274](6da7274858))
- Extend `ReflectAndRetryToolPlugin` to support hallucinating function
calls
([f51380f](f51380f9ea))
- Add require\_confirmation param for MCP tool/toolset
([78e74b5](78e74b5bf2))
- **\[UI]**
- Granular per agent speech configuration
([409df13](409df1378f))
##### Bug Fixes
- Returns dict as result from McpTool to comply with BaseTool
expectations
([4df9263](4df926388b))
- Fixes the identity prompt to be one line
([7d5c6b9](7d5c6b9acf))
- Fix the broken langchain importing caused by their 1.0.0 release
([c850da3](c850da3a07))
- Fix BuiltInCodeExecutor to support visualizations
([ce3418a](ce3418a69d))
- Relax runner app-name enforcement and improve agent origin inference
([dc4975d](dc4975dea9))
- Improve error message when adk web is run in wrong directory
([4a842c5](4a842c5a13))
- Handle App objects in eval and graph endpoints
([0b73a69](0b73a6937b))
- Exclude `additionalProperties` from Gemini schemas
([307896a](307896aece))
- Overall eval status should be NOT\_EVALUATED if no invocations were
evaluated
([9fbed0b](9fbed0b15a))
- Create context cache only when prefix matches with previous request
([9e0b1fb](9e0b1fb62b))
- Handle `App` instances returned by `agent_loader.load_agent`
([847df16](847df1638c))
- Add support for file URIs in LiteLLM content conversion
([85ed500](85ed500871))
- Only exclude scores that are None
([998264a](998264a5b1))
- Better handling the A2A streaming tasks
([bddc70b](bddc70b5d0))
- Correctly populate context\_id in remote\_a2a\_agent library
([2158b3c](2158b3c915))
- Remove unnecessary Aclosing
([2f4f561](2f4f5611bd))
- Fix pickle data was truncated error in database session using MySql
([36c96ec](36c96ec5b3))
##### Improvements
- Improve hint message in agent loader
([fe1fc75](fe1fc75c15))
- Fixes MCPToolset --> McpToolset in various places
([d4dc645](d4dc645478))
- Add span for context caching handling and new cache creation
([a2d9f13](a2d9f13fa1))
- Checks gemini version for `2 and above` for gemini-builtin tools
([0df6759](0df67599c0))
- Refactor and fix state management in the session service
([8b3ed05](8b3ed059c2))
- Update agent builder instructions and remove run command details
([89344da](89344da813))
- Clarify how to use adk built-in tool in instruction
([d22b8bf](d22b8bf890))
- Delegate the agent state reset logic to LoopAgent
([bb1ea74](bb1ea74924))
- Adjust the instruction about default model
([214986e](214986ebeb))
- Migrate invocation\_context to callback\_context
([e2072af](e2072af69f))
- Correct the callback signatures
([fa84bcb](fa84bcb575))
- Set default for `bypass_multi_tools_limit` to False for
GoogleSearchTool and VertexAiSearchTool
([6da7274](6da7274858))
- Add more clear instruction to the doc updater agent about one PR for
each recommended change
([b21d0a5](b21d0a50d6))
- Add a guideline to avoid content deletion
([16b030b](16b030b2b2))
- Add a sample agent for the `ReflectAndRetryToolPlugin`
([9b8a4aa](9b8a4aad6f))
- Improve error message when adk web is run in wrong directory
([4a842c5](4a842c5a13))
- Disable the scheduled execution for issue triage workflow
([bae2102](bae21027d9))
##### Documentation
- Format README.md for samples
([0bdba30](0bdba30263))
- Bump models in llms and llms-full to Gemini 2.5
([ce46386](ce4638651f))
- Update gemini\_llm\_connection.py - typo spelling correction
([e6e2767](e6e2767c39))
- Announce the first ADK Community Call in the README
([731bb90](731bb9078d))
### [`v1.16.0`](https://redirect.github.com/google/adk-python/blob/HEAD/CHANGELOG.md#1160-2025-10-08)
[Compare Source](https://redirect.github.com/google/adk-python/compare/v1.15.1...v1.16.0)
##### Features
- **\[Core]**
- Implementation of LLM context compaction
([e0dd06f](e0dd06ff04))
- Support pause and resume an invocation in ADK
([ce9c39f](ce9c39f5a8),
[2f1040f](2f1040f296),
[1ee01cc](1ee01cc05a),
[f005414](f005414895),
[fbf7576](fbf75761bb))
- **\[Models]**
- Add `citation_metadata` to `LlmResponse`
([3f28e30](3f28e30c6d))
- Add support for gemma model via gemini api
([2b5acb9](2b5acb98f5))
- **\[Tools]**
- Add `dry_run` functionality to BigQuery `execute_sql` tool
([960eda3](960eda3d1f))
- Add BigQuery analyze\_contribution tool
([4bb089d](4bb089d386))
- Spanner ADK toolset supports customizable template SQL and
parameterized SQL
([da62700](da62700d73))
- Support OAuth2 client credentials grant type
([5c6cdcd](5c6cdcd197))
- Add `ReflectRetryToolPlugin` to reflect from errors and retry with
different arguments when tool errors
([e55b894](e55b8946d6))
- Support using `VertexAiSearchTool` built-in tool with other tools in
the same agent
([4485379](4485379a04))
- Support using google search built-in tool with other tools in the same
agent
([d3148da](d3148dacc9))
- **\[Evals]**
- Add HallucinationsV1 evaluation metric
([8c73d29](8c73d29c75))
- Add Rubric based tool use metric
([c984b9e](c984b9e552))
- **\[UI]**
- Adds `adk web` options for custom logo
([822efe0](822efe0065))
- **\[Observability]**
- **otel:** Switch CloudTraceSpanExporter to telemetry.googleapis.com
([bd76b46](bd76b46ce2))
##### Bug Fixes
- Adapt to new computer use tool name in genai sdk 1.41.0
([c6dd444](c6dd444fc9))
- Add AuthConfig json serialization in vertex ai session service
([636def3](636def3687))
- Added more agent instructions for doc content changes
([7459962](745996212d))
- Convert argument to pydantic model when tool declares it accepts
pydantic model as argument
([571c802](571c802fba))
- Do not re-create `App` object when loader returns an `App`
([d5c46e4](d5c46e4960))
- Fix compaction logic
([3f2b457](3f2b457efd))
- Fix the instruction in workflow\_triage example agent
([8f3ca03](8f3ca0359e))
- Fixes a bug that causes intermittent `pydantic` validation errors when
uploading files
([e680063](e68006386f))
- Handle A2A Task Status Update Event when streaming in
remote\_a2a\_agent
([a5cf80b](a5cf80b952))
- Make compactor optional in Events Compaction Config and add a default
([3f4bd67](3f4bd67b49))
- Rename SlidingWindowCompactor to LlmEventSummarizer and refine its
docstring
([f1abdb1](f1abdb1938))
- Rollback compaction handling from \_get\_contents
([84f2f41](84f2f417f7))
- Set `max_output_tokens` for the agent builder
([2e2d61b](2e2d61b6fe))
- Set default response modality to AUDIO in run\_session
([68402bd](68402bda49))
- Update remote\_a2a\_agent to better handle streaming events and avoid
duplicate responses
([8e5f361](8e5f361264))
- Update the load\_artifacts tool so that the model can reliably call it
for follow up questions about the same artifact
([238472d](238472d083))
- Fix VertexAiSessionService base\_url override to preserve initialized
http\_options
([8110e41](8110e41b36),
[c51ea0b](c51ea0b52e))
- Handle `App` instances returned by `agent_loader.load_agent`
([847df16](847df1638c))
##### Improvements
- Migrate VertexAiSessionService to use Agent Engine SDK
([90d4c19](90d4c19c51))
- Migrate VertexAiMemoryBankService to use Agent Engine SDK
([d1efc84](d1efc8461e),
[97b950b](97b950b36b),
[83fd045](83fd045718))
- Add support for resolving $ref and $defs in OpenAPI schemas
([a239716](a239716930))
##### Documentation
- Update BigQuery samples README
([3021266](30212669ff))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox).
Co-authored-by: Averi Kitsch <akitsch@google.com>