chore(deps)(deps): bump the production-dependencies group across 1 directory with 5 updates

[dependabot]

Bumps the production-dependencies group with 5 updates in the / directory:

Package	From	To
graphql-core	3.2.3	3.2.8
openpyxl	3.1.2	3.1.5
xlrd	2.0.1	2.0.2
sqlalchemy	2.0.39	2.0.49
drf-yasg	1.21.7	1.21.15

Updates graphql-core from 3.2.3 to 3.2.8

Release notes

Sourced from graphql-core's releases.

v3.2.8

Patch-release GraphQL-core v3.2.8, based on GraphQL.js v16.9.0.

This patch-release supports Python 3.7 to 3.14.

One change has been backported from the v3.3 branch:

• Require non-empty directive locations

Also, for backward compatibility, introspection.TypeResolvers is available again, as alias for TypeFields.

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.7

Patch-release GraphQL-core v3.2.7, based on GraphQL.js v16.9.0.

This patch-release supports Python 3.7 to 3.14.

The following changes have been backported from the v3.3 branch:

• Keep extensions when sorting schemas
• Introduce "recommended" validation rules
• Implement OneOf Input Objects via @​oneOf directive
• Values can now be passed to GraphQLEnumType as a thunk
• Solved issues with pickled schemas

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.6

Patch-release GraphQL-core v3.2.6, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.13. Notable fixes:

• Transform input objects used as default values (#206)
• Allow deep copy of schema with directive with args of custom type (#210)

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.5

Patch-release GraphQL-core v3.2.5, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.13.

Thanks to all who are sponsoring me (@​Cito) for maintaining this project.

v3.2.4

Patch-release GraphQL-core v3.2.4, based on GraphQL.js v16.8.2.

This patch-release supports Python 3.6 to 3.12 and includes these changes:

... (truncated)

Commits

• a78b548 Bump version
• c026723 Update year of copyright
• a8c3348 Export TypeResolvers for backward compatibility
• b6fd7b2 Update dependencies
• 663d00d backport: Require non-empty directive locations
• 42328a6 backport: Solve issues with pickled schemas (#173)
• dd4d5a1 Bump JavaScript version
• ba6b6e4 backport: Enable passing values configuration to GraphQLEnumType as a thunk
• 6687245 backport: Add @​oneOf support to introspection query (#241)
• 18df18e backport: Implement OneOf Input Objects via @​oneOf directive
• Additional commits viewable in compare view

Updates openpyxl from 3.1.2 to 3.1.5

Updates xlrd from 2.0.1 to 2.0.2

Changelog

Sourced from xlrd's changelog.

2.0.2 (14 June 2025)

• Fix bug reading sheets containing invalid formulae.

Thanks to sanshi42 for the fix!

Commits

• 3a19d22 Prepare for 2.0.2 release
• f3521c8 Merge pull request #380 from sanshi42/master
• 99270dd Improve test coverage for invalid formula handling
• 18e314e bugfix: Fix an occasional compatibility issue when using Excel formulas
• 0c4e80b Update README.rst
• f45f630 emboldening breaks RTD rendering, and likely won't help :-(
• b37d159 embolden for the hard of thinking
• 58ccbb1 admit defeat
• See full diff in compare view

Updates sqlalchemy from 2.0.39 to 2.0.49

Release notes

Sourced from sqlalchemy's releases.

2.0.49

Released: April 3, 2026

orm

• [orm] [bug] Fixed issue where _orm.Session.get() would bypass the identity map and emit unnecessary SQL when with_for_update=False was passed, rather than treating it equivalently to the default of None. Pull request courtesy of Joshua Swanson.

  References: #13176

• [orm] [bug] Fixed issue where chained _orm.joinedload() options would not be applied correctly when the final relationship in the chain is declared on a base mapper and accessed through a subclass mapper in a _orm.with_polymorphic() query. The path registry now correctly computes the natural path when a property declared on a base class is accessed through a path containing a subclass mapper, ensuring the loader option can be located during query compilation.

  References: #13193

• [orm] [bug] [inheritance] Fixed issue where using _orm.Load.options() to apply a chained loader option such as _orm.joinedload() or _orm.selectinload() with _orm.PropComparator.of_type() for a polymorphic relationship would not generate the necessary clauses for the polymorphic subclasses. The polymorphic loading strategy is now correctly propagated when using a call such as joinedload(A.b).options(joinedload(B.c.of_type(poly))) to match the behavior of direct chaining e.g. joinedload(A.b).joinedload(B.c.of_type(poly)).

  References: #13202

• [orm] [bug] [inheritance] Fixed issue where using chained loader options such as _orm.selectinload() after _orm.joinedload() with _orm.PropComparator.of_type() for a polymorphic relationship would not properly apply the chained loader option. The loader option is now correctly applied when using a call such as joinedload(A.b.of_type(poly)).selectinload(poly.SubClass.c) to eagerly load related objects.

  References: #13209

typing

• [typing] [bug] Fixed a typing issue where the typed members of :data:.func would return the appropriate class of the same name, however this creates an issue for

... (truncated)

Commits

• See full diff in compare view

Updates drf-yasg from 1.21.7 to 1.21.15

Release notes

Sourced from drf-yasg's releases.

1.21.15

IMPROVED: Use Python's native dict instead of OrderedDict (#954) FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (#921)

1.21.14

FIXED: Fix missing swagger-ui sourcemaps (#950)

1.21.12

FIXED: Bring the bundled swagger ui up to date (#944) IMPROVED: Update the logout button to use a POST request. (#945) ADDED: Add a live demo domain (#946) ADDED: Handle annotations that are not available at runtime (#941)

1.21.11

FIXED: Fix list views with parameters in last path segment not named "list" views (#917) ADDED: Allow overriding produces/consumes with @​swagger_auto_schema decorator (#916) FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (#926) IMPROVED: Update Python, Django, and DRF versions and packaging configuration (#922) IMPROVED: Remove usage of pkg_resources (#928) FIXED: Fix call_view_method warning to include the method name again (#923) ADDED: Add a hide download button option (#848) ADDED: Add ruff linters (#903)

1.21.10

FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (#840) IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (#911) FIXED: Fix lint errors when comparing types with == instead of is (#868) IMPROVED: Update swagger-ui-dist to address CVE-2021-46708 (#904)

1.21.9

ADDED: Added support for zoneinfo object fields (#908)

1.21.8

ADDED: Python 3.11 and 3.12 support (#891) FIXED: Fix pkg_resources version lookups for Python 3.9+ (#891)

Changelog

Sourced from drf-yasg's changelog.

######### Changelog #########

---

1.21.15

---

IMPROVED: Use Python's native dict instead of OrderedDict (:pr:954) FIXED: Fix Python 3.12 type parameter syntax with from __future__ import annotations (:pr:921)

---

1.21.14

---

---

1.21.13

---

FIXED: Fix missing swagger-ui sourcemaps (:pr:950)

---

1.21.12

---

FIXED: Bring the bundled swagger ui up to date (:pr:944) IMPROVED: Update the logout button to use a POST request. (:pr:945) ADDED: Add a live demo domain (:pr:946) ADDED: Handle annotations that are not available at runtime (:pr:941)

---

1.21.11

---

FIXED: Fix list views with parameters in last path segment not named "list" views (:pr:917) ADDED: Allow overriding produces/consumes with @​swagger_auto_schema decorator (:pr:916) FIXED: Fix filter parameters not appearing in swagger with django-filter>=25 (:pr:926) IMPROVED: Update Python, Django, and DRF versions and packaging configuration (:pr:922) IMPROVED: Remove usage of pkg_resources (:pr:928) FIXED: Fix call_view_method warning to include the method name again (:pr:923) ADDED: Add a hide download button option (:pr:848) ADDED: Add ruff linters (:pr:903)

---

1.21.10

---

FIXED: Fix type hints when using postponed evaluation of annotations (PEP-563) (:pr:840) IMPROVED: Update JSON & YAML renderers to not use a "." in their format string (:pr:911) FIXED: Fix lint errors when comparing types with == instead of is (:pr:868)

... (truncated)

Commits

• d40c97f Add version 1.21.15 details to the changelog (#956)
• 2e37afd Modernise and add .DS_Store to the .gitignore (#955)
• 76a138a Use Python's native dict instead of OrderedDict (#954)
• b55ba0f fix Python 3.12 type parameter syntax with ``from future import annotatio...
• 7dceb27 Add version 1.21.14 details to the changelog (#952)
• 763cdd6 Add version 1.21.13 details to the changelog (#951)
• a0559fc Add missing swagger-ui sourcemaps (#950)
• 2bf74d0 Add version 1.21.12 details to the changelog (#948)
• b421e89 swagger ui fix (#944)
• 40fee2b Add live demo domain and environment variables (#946)
• Additional commits viewable in compare view