See parent: john/pip
Before updating, a full backup of ~/.local/lib/python3.12/site-packages was created:
~/.local/python_backups/python3.12_site-packages_20260529_123449.tar.gz # 1.9G compressed
~/.local/python_backups/pip_freeze_20260529_123449.txt # 433-package manifest
• openai 2.14.0 → 2.38.0
• mcp 1.21.2 → 1.27.1
• uv 0.9.10 → 0.11.17
• uvicorn 0.37.0 → 0.48.0
• langchain 1.0.8 → 1.3.2
• langchain-core 1.1.0 → 1.4.0
• langgraph 1.0.3 → 1.2.2
• langgraph-checkpoint 3.0.1 → 4.1.1
• langgraph-prebuilt 1.0.5 → 1.1.0
• langgraph-sdk 0.2.9 → 0.3.15 (pip resolved from 0.4.0)
• langsmith 0.4.46 → 0.8.6
• pydantic 2.12.5 → 2.13.4
• pydantic-core 2.41.5 → 2.46.4 (pip resolved from 2.47.0)
• ansible 13.4.0 → 13.7.0
• ansible-core 2.20.3 → 2.20.6 (pip resolved from 2.21.0)
• ansible-compat 25.12.1 → 26.3.0
• ansible-creator 26.2.0 → 26.4.3
• ansible-dev-environment 26.2.0 → 26.4.0
• ansible-dev-tools 26.2.0 → 26.4.6
• ansible-lint 26.2.0 → 26.4.0
• ansible-navigator 26.1.3 → 26.4.0
• ansible-runner 2.4.2 → 2.4.3
• molecule 26.2.0 → 26.4.0
• pytest-ansible 26.2.0 → 26.4.0
• google-api-python-client 2.194.0 → 2.197.0
• google-auth 2.49.2 → 2.53.0
• google-auth-httplib2 0.3.1 → 0.4.0
• google-auth-oauthlib 1.3.1 → 1.4.0
• googleapis-common-protos 1.74.0 → 1.75.0
• fastapi 0.135.1 → 0.136.3
• starlette 0.48.0 → 1.2.0 (major version — see Known Issues)
• boto3 / botocore 1.42.59 → 1.43.17
• certifi 2026.2.25 → 2026.5.20
• requests 2.32.5 → 2.34.2
• cryptography 46.0.5 → 48.0.0
• huggingface_hub 1.5.0 → 1.17.0
• transformers 4.57.3 → 5.9.0 (major — GPU-dep-free confirmed)
• grpcio 1.78.0 → 1.80.0
• numpy 2.4.0 → 2.4.6
• pyopenssl 26.0.0 → 26.2.0 (now accepts cryptography 48)
• blinker 1.6.3 → 1.9.0 (flask 3.1.3 requires ≥1.9.0)
• pdfplumber 0.11.8 → 0.11.9 (pulled in pdfminer.six 20251230)
• pytest 8.4.1 → 9.0.3
• pandas 2.3.3 → 3.0.3
• protobuf 6.33.5 → 7.35.0
• simplejson 3.19.2 → 4.1.1
• xmltodict 0.13.0 → 1.0.4
• chardet 5.2.0 → 7.4.3
• websockets 15.0.1 → 16.0
• cloudevents 1.12.0 → 2.1.0 (see Breaking Changes)
• gunicorn 25.1.0 → 26.0.0
• pillow 11.2.1 → 12.2.0
• icalendar 6.3.1 → 7.1.2
• fastmcp 2.13.1 → 3.3.1 (see Breaking Changes)
• wrapt 1.17.2 → 2.2.1
• rich 14.0.0 → 15.0.0
• rich-rst 1.3.2 → 2.0.1
• more-itertools 10.7.0 → 11.1.0
• importlib_metadata 8.7.0 → 9.0.0
• zipp 3.23.0 → 4.1.0
• pbr 6.1.1 → 7.0.3
• python-json-logger 3.3.0 → 4.1.0 (see Breaking Changes)
• Send2Trash 1.8.3 → 2.1.0
• gdown 5.2.1 → 6.0.0
• markdown-it-py 3.0.0 → 4.2.0
• rpds-py 0.25.1 → 2026.5.1 (switched to calver)
All remaining minor and patch-level packages updated in bulk. Key ones: scipy 1.16→1.17, aiohttp 3.13.3→3.13.5, selenium 4.41→4.44, SQLAlchemy 2.0.41→2.0.50, jupyterlab 4.5.5→4.5.7, ipython 9.10→9.13, pypdf 6.2→6.12, tokenizers 0.22.2→0.23.1, typer 0.24→0.25, urllib3 2.6→2.7, tox 4.49→4.55.
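The pip_freeze manifest saved with the backup can be diffed against a fresh `pip freeze` to confirm what changed and which packages crossed a leading-version boundary and so need a breaking-change review. This is an added example, not part of the original notes; the function names and the inline sample manifests are assumptions made for illustration.

```python
import re

# Constructed sample in `pip freeze` format. Versions come from the upgrade
# list above; the -e and "name @ url" lines are invented to show skipping.
BEFORE = """\
starlette==0.48.0
pandas==2.3.3
rpds-py==0.25.1
huggingface_hub==1.5.0
-e git+https://example.invalid/repo.git#egg=localpkg
somepkg @ file:///tmp/somepkg
"""
AFTER = """\
starlette==1.2.0
pandas==3.0.3
rpds-py==2026.5.1
huggingface-hub==1.17.0
cloudevents==2.1.0
"""

def canonical(name):
    # PEP 503 normalisation: case-insensitive; runs of -, _ and . are equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_freeze(text):
    pins = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)\s*", line)
        if m:  # editable installs, direct URLs, comments, blanks are skipped
            pins[canonical(m.group(1))] = m.group(2)
    return pins

def leading(version):
    # First release component (after an optional epoch); -1 if unparsable.
    m = re.match(r"(?:\d+!)?(\d+)", version)
    return int(m.group(1)) if m else -1

def diff_manifests(before, after):
    old, new = parse_freeze(before), parse_freeze(after)
    report = {"major": [], "minor": [], "added": [], "removed": []}
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name] != new[name]:
            kind = "major" if leading(old[name]) != leading(new[name]) else "minor"
            report[kind].append((name, old[name], new[name]))
    return report
```

A 0.x to 1.x move and a switch to calver both land in "major", which matches how starlette and rpds-py are flagged in the list above.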
cloudevents 2.1.0: import path changed. Old code raises ImportError immediately.
    # OLD (broken)
    from cloudevents.http import CloudEvent, to_json, from_json
    # NEW
    from cloudevents.v1.http import CloudEvent
    from cloudevents.conversion import to_json, from_json
fastmcp 3.3.1: three changes: class rename, removed .resource() decorator, and the tool API is now async.
    # OLD
    from fastmcp import FastMCP
    mcp = FastMCP('name')
    @mcp.resource('data://x')
    def r(): ...
    tools = mcp._tool_manager.list_tools()  # sync
    # NEW
    from fastmcp import FastMCPApp
    mcp = FastMCPApp('name')
    # .resource() removed — use MCP resource providers instead
    tools = await mcp.list_tools()  # async
python-json-logger 4.1.0: module renamed.
    # OLD
    from json_log_formatter import JsonFormatter
    # NEW
    from pythonjsonlogger.json import JsonFormatter
websockets 16.0: connection handlers must be async def. Lambda handlers silently fail with a ConnectionClosedError.
    # OLD (broken in v16)
    websockets.serve(lambda ws: ws.send(ws.recv()), ...)
    # NEW
    async def handler(ws):
        # Echo every message back until the peer closes the connection.
        async for msg in ws:
            await ws.send(msg)
    websockets.serve(handler, ...)
pandas 3.0.3: Copy-on-Write is now the default (was opt-in in 2.x). Code that relies on in-place mutation of DataFrame slices to update the parent frame will silently stop working. Various deprecated APIs were also removed. Full list: https://pandas.pydata.org/docs/whatsnew/v3.0.0.html
functions-framework 3.10.1 pins starlette<1.0.0 but we have 1.2.0. All starlette APIs it actually uses are unchanged in 1.x. Import confirmed working. The pin was a security liability (advisory GHSA-86qp-5c8j-p5mr). Verdict: safe to ignore.
functions-framework 3.10.1 pins cloudevents<=1.12.0 but we have 2.1.0. Runtime import works. Safe to ignore.
transformers 5.9.0 requires tokenizers<=0.23.0 but tokenizers 0.23.0 was yanked from PyPI. We have 0.23.1 (the fix release). Transformers works fine at runtime. Cannot resolve without a transformers update.
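Once conflicts like the three above are accepted, the useful check is one that stays quiet about them and fails only on a conflict nobody has reviewed. The sketch below is an added example, not part of the original notes: the comparator is a simplified stand-in that handles plain numeric releases only (a real gate would use `packaging.specifiers.SpecifierSet`), and `example-app` with its requirement is a hypothetical package.

```python
import operator
import re

# Constructed input. Installed versions and the three conflicting pins are
# the ones reported in the text above; "example-app" is hypothetical.
INSTALLED = {"starlette": "1.2.0", "cloudevents": "2.1.0",
             "tokenizers": "0.23.1", "requests": "2.34.2"}
REQUIRES = {
    "functions-framework": ["starlette<1.0.0", "cloudevents<=1.12.0"],
    "transformers": ["tokenizers<=0.23.0"],
    "example-app": ["requests>=2.32,<3"],
}
# Conflicts already reviewed and accepted in the notes above.
ACCEPTED = {("functions-framework", "starlette"),
            ("functions-framework", "cloudevents"),
            ("transformers", "tokenizers")}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def release(version):
    # Numeric release only, zero-padded so "1.0" equals "1.0.0".
    # Pre/post/dev tags and wildcards are outside this sketch.
    parts = [int(p) for p in version.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def satisfies(installed, spec):
    for clause in (c for c in spec.split(",") if c.strip()):
        op, wanted = re.fullmatch(
            r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause).groups()
        if not OPS[op](release(installed), release(wanted)):
            return False
    return True

def check(installed, requires, accepted):
    """Return (known, new) conflicts; a missing dependency counts as one."""
    known, new = [], []
    for pkg, reqs in sorted(requires.items()):
        for req in reqs:
            name, spec = re.fullmatch(r"([A-Za-z0-9._-]+)(.*)", req).groups()
            have = installed.get(name)
            if have is None or not satisfies(have, spec):
                bucket = known if (pkg, name) in accepted else new
                bucket.append((pkg, req, have))
    return known, new
```

An empty second list means the environment has only the conflicts recorded above; anything in it is a new mismatch to review before it is trusted.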
• All GPU-related packages — policy: no CUDA/torch/tensorflow/nvidia
• Slow sdist builds not yet done: wxPython, PyGObject, llama_cpp_python, pycairo
• Pinned by constraints: ansible-core (2.20.6, wants 2.21.0), langgraph-sdk (0.3.15, wants 0.4.0), pdfminer.six (pinned by pdfplumber)
• gdata PyPI package — unrelated to local gdata-server project, left alone