chore(deps): bump idna from 3.11 to 3.15

[dependabot]

Bumps idna from 3.11 to 3.15.

Changelog

Sourced from idna's changelog.

3.15 (2026-05-12)

• Enforce DNS-length cap on individual labels early in check_label, short-circuiting contextual-rule processing for oversized input while staying compatible with UTS 46 usage.
• Tidy core helpers: hoist bidi category sets to module-level frozensets (avoiding per-codepoint list construction), simplify length checks, and reuse the shared _unicode_dots_re from idna.core in the codec module.
• Use raise ... from err for proper exception chaining and switch internal string formatting to f-strings.
• Allow flit_core 4.x in the build backend.
• Expand the ruff lint set (flake8-bugbear, flake8-simplify, pyupgrade, perflint) and apply the surfaced fixes; pin lint CI to Python 3.14.
• Add Dependabot configuration for GitHub Actions.
• Convert README and HISTORY from reStructuredText to Markdown.
• Reference CVE-2026-45409 for the 3.14 advisory in place of the initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for contributions to this release.

3.14 (2026-05-10)

• Removed opportunity to process long inputs into quadratic time by rejecting oversize inputs up-front. Closes a bypass of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

3.13 (2026-04-22)

• Correct classification error for codepoint U+A7F1

3.12 (2026-04-21)

• Update to Unicode 17.0.0.
• Issue a deprecation warning for the transitional argument.
• Added lazy-loading to provide some performance improvements.
• Removed vestiges of code related to Python 2 support, including segmentation of data structures specific to Jython.

Thanks to Rodrigo Nogueira for contributions to this release.

Commits

• af30a09 Release 3.15
• 30314d4 Pre-release 3.15rc0
• 05d4b21 Merge pull request #237 from kjd/convert-docs-to-markdown
• 2987fdb Convert README and HISTORY from reStructuredText to Markdown
• 59fa800 Merge pull request #236 from kjd/dependabot/github_actions/actions-f3e34333ea
• def6983 Merge branch 'master' into dependabot/github_actions/actions-f3e34333ea
• bbd8004 Merge pull request #234 from StanFromIreland/patch-1
• edd07c0 Bump github/codeql-action from 3.35.2 to 4.35.2 in the actions group
• 5557db0 Merge branch 'master' into patch-1
• f11746c Merge pull request #235 from StanFromIreland/patch-2
• Additional commits viewable in compare view

[claude]

LGTM, transitive dependency bump including a security fix (CVE-2026-45409 in 3.14).

Extended reasoning...

Overview

This PR bumps the transitive dependency idna from 3.11 to 3.15 in uv.lock. The change is a single-file lockfile update with new version, sdist URL, hash, and wheel URL/hash. No source code is touched.

Security risks

None introduced — in fact, this upgrade includes the 3.14 release which addresses CVE-2026-45409 (bypass of CVE-2024-3651 mitigation for quadratic-time processing of long inputs). The remaining changes between 3.11 and 3.15 are internal cleanups, lazy-loading, a Unicode 17.0.0 data update, and a deprecation warning for the transitional argument.

Level of scrutiny

Low — this is a mechanical dependabot lockfile bump for a transitive dep. idna is not directly imported anywhere in the langfuse-python source; it comes in via requests/httpx-style HTTP clients and only impacts URL/host validation.

Other factors

Single-file diff, no API surface change exposed to this project, and the upgrade is in the safe direction (newer + patches a CVE). No outstanding reviewer comments.