From 249fb478427ac9d4ffcfa3f1b0e7502df23f9724 Mon Sep 17 00:00:00 2001
From: Lorenzo Guideri <78531018+LorenzoGuideri@users.noreply.github.com>
Date: Sat, 24 Jan 2026 15:33:10 +0100
Subject: [PATCH 1/9] Clarify operators precendence in permissions
 documentation (#9875)

---
 docs/api-guide/permissions.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md
index b8179490e..8acbdf77d 100644
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -138,7 +138,10 @@ Provided they inherit from `rest_framework.permissions.BasePermission`, permissi
             return Response(content)
 
 !!! note
-    Composition of permissions supports `&` (and), `|` (or) and `~` (not) operators.
+    Composition of permissions supports the `&` (and), `|` (or) and `~` (not) operators, and also allows the use of brackets `(` `)` to group expressions.
+
+    Operators follow the same precedence and associativity rules as standard logical operators (`~` highest, then `&`, then `|`).
+
 
 # API Reference
 

From b47b36684798f87187b65a97efbf201314a9b0a9 Mon Sep 17 00:00:00 2001
From: sobolevn <mail@sobolevn.me>
Date: Tue, 3 Feb 2026 16:30:18 +0300
Subject: [PATCH 2/9] Fix typo in `authentication.md` (#9880)

---
 docs/api-guide/authentication.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/api-guide/authentication.md b/docs/api-guide/authentication.md
index a00a3873f..e4fff74a6 100644
--- a/docs/api-guide/authentication.md
+++ b/docs/api-guide/authentication.md
@@ -89,7 +89,7 @@ Note that when a request may successfully authenticate, but still be denied perm
 
 ## Django 5.1+ `LoginRequiredMiddleware`
 
-If you're running Django 5.1+ and use the [`LoginRequiredMiddleware`][login-required-middleware], please note that all views from DRF are opted-out of this middleware.  This is because the authentication in DRF is based authentication and permissions classes, which may be determined after the middleware has been applied.  Additionally, when the request is not authenticated, the middleware redirects the user to the login page, which is not suitable for API requests, where it's preferable to return a 401 status code.
+If you're running Django 5.1+ and use the [`LoginRequiredMiddleware`][login-required-middleware], please note that all views from DRF are opted-out of this middleware.  This is because the authentication in DRF is based on authentication and permissions classes, which may be determined after the middleware has been applied.  Additionally, when the request is not authenticated, the middleware redirects the user to the login page, which is not suitable for API requests, where it's preferable to return a 401 status code.
 
 REST framework offers an equivalent mechanism for DRF views via the global settings, `DEFAULT_AUTHENTICATION_CLASSES` and `DEFAULT_PERMISSION_CLASSES`.  They should be changed accordingly if you need to enforce that API requests are logged in.
 

From b5455c5daf845c72b25f8a80c1b210017dfe92d8 Mon Sep 17 00:00:00 2001
From: Bruno Alla <browniebroke@users.noreply.github.com>
Date: Thu, 5 Feb 2026 00:02:04 +0000
Subject: [PATCH 3/9] Fail CI if broken links in the docs (#9877)

* Fail CI if broken links in the docs

* Fix broken links in the docs
---
 .github/workflows/main.yml          | 1 -
 docs/community/3.10-announcement.md | 2 +-
 docs/community/3.11-announcement.md | 2 +-
 docs/community/3.12-announcement.md | 2 +-
 docs/community/3.4-announcement.md  | 2 +-
 docs/community/3.5-announcement.md  | 2 +-
 docs/community/3.6-announcement.md  | 2 +-
 docs/community/3.7-announcement.md  | 2 +-
 docs/community/3.8-announcement.md  | 2 +-
 docs/community/3.9-announcement.md  | 2 +-
 docs/community/jobs.md              | 6 +++---
 docs/community/mozilla-grant.md     | 2 +-
 12 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8e1adf7a2..3004ccf1f 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -71,7 +71,6 @@ jobs:
     - run: if [ $WAIT_TIME == 5 ]; then echo cannot start mkdocs server on http://localhost:8000; exit 1; fi
     
     - name: Check links
-      continue-on-error: true
       run: pylinkvalidate.py -P http://localhost:8000/
   
     - run: echo "Done"
diff --git a/docs/community/3.10-announcement.md b/docs/community/3.10-announcement.md
index a2135fd20..898ccde9f 100644
--- a/docs/community/3.10-announcement.md
+++ b/docs/community/3.10-announcement.md
@@ -145,4 +145,4 @@ continued development by **[signing up for a paid plan][funding]**.
 
 [legacy-core-api-docs]:https://github.com/encode/django-rest-framework/blob/3.14.0/docs/coreapi/index.md
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
diff --git a/docs/community/3.11-announcement.md b/docs/community/3.11-announcement.md
index e913d5e0a..02f90d71f 100644
--- a/docs/community/3.11-announcement.md
+++ b/docs/community/3.11-announcement.md
@@ -111,4 +111,4 @@ continued development by **[signing up for a paid plan][funding]**.
 *Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*
 
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
diff --git a/docs/community/3.12-announcement.md b/docs/community/3.12-announcement.md
index 5264ddd85..dd6dc9610 100644
--- a/docs/community/3.12-announcement.md
+++ b/docs/community/3.12-announcement.md
@@ -178,4 +178,4 @@ continued development by **[signing up for a paid plan][funding]**.
 *Many thanks to all our [wonderful sponsors][sponsors], and in particular to our premium backers, [Sentry](https://getsentry.com/welcome/), [Stream](https://getstream.io/?utm_source=drf&utm_medium=banner&utm_campaign=drf), [ESG](https://software.esg-usa.com/), [Rollbar](https://rollbar.com/?utm_source=django&utm_medium=sponsorship&utm_campaign=freetrial), [Cadre](https://cadre.com), [Kloudless](https://hubs.ly/H0f30Lf0), [Lights On Software](https://lightsonsoftware.com), and [Retool](https://retool.com/?utm_source=djangorest&utm_medium=sponsorship).*
 
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
diff --git a/docs/community/3.4-announcement.md b/docs/community/3.4-announcement.md
index 2c68b178a..2b3d5df6d 100644
--- a/docs/community/3.4-announcement.md
+++ b/docs/community/3.4-announcement.md
@@ -177,7 +177,7 @@ The full set of itemized release notes [are available here][release-notes].
 
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
 [moss]: mozilla-grant.md
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [core-api]: https://www.coreapi.org/
 [command-line-client]: https://github.com/encode/django-rest-framework/blob/3.4.7/docs/topics/api-clients.md#command-line-client
 [client-library]: https://github.com/encode/django-rest-framework/blob/3.4.7/docs/topics/api-clients.md#python-client-library
diff --git a/docs/community/3.5-announcement.md b/docs/community/3.5-announcement.md
index eb3bf7fd5..3b0a22dfc 100644
--- a/docs/community/3.5-announcement.md
+++ b/docs/community/3.5-announcement.md
@@ -251,7 +251,7 @@ in version 3.3 and raised a deprecation warning in 3.4. Its usage is now mandato
 ---
 
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [uploads]: https://core-api.github.io/python-client/api-guide/utils/#file
 [downloads]: https://core-api.github.io/python-client/api-guide/codecs/#downloadcodec
 [schema-generation-api]: ../api-guide/schemas.md#schemagenerator
diff --git a/docs/community/3.6-announcement.md b/docs/community/3.6-announcement.md
index 9e45473ee..3f4250db4 100644
--- a/docs/community/3.6-announcement.md
+++ b/docs/community/3.6-announcement.md
@@ -193,7 +193,7 @@ Once work on those refinements is complete, we'll be starting feature work
 on realtime support, for the 3.7 release.
 
 [sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [api-docs]: ../topics/documenting-your-api.md
 [js-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#javascript-client-library
 [py-docs]: https://github.com/encode/django-rest-framework/blob/3.14.0/docs/topics/api-clients.md#python-client-library
diff --git a/docs/community/3.7-announcement.md b/docs/community/3.7-announcement.md
index 49f68ead2..3a8298817 100644
--- a/docs/community/3.7-announcement.md
+++ b/docs/community/3.7-announcement.md
@@ -125,6 +125,6 @@ We're still planning to work on improving real-time support for REST framework b
 
 This will likely be timed so that any REST framework development here ties in with similar work on [API Star][api-star].
 
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [schema-docs]: ../api-guide/schemas.md
 [api-star]: https://github.com/encode/apistar
diff --git a/docs/community/3.8-announcement.md b/docs/community/3.8-announcement.md
index eef3ae0c9..7bf0015a9 100644
--- a/docs/community/3.8-announcement.md
+++ b/docs/community/3.8-announcement.md
@@ -91,7 +91,7 @@ We're currently working towards moving to using [OpenAPI][openapi] as our defaul
 
 We're doing some consolidation in order to make this happen. It's planned that 3.9 will drop the `coreapi` and `coreschema` libraries, and instead use `apistar` for the API documentation generation, schema generation, and API client libraries.
 
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [gh5886]: https://github.com/encode/django-rest-framework/issues/5886
 [gh5705]: https://github.com/encode/django-rest-framework/issues/5705
 [openapi]: https://www.openapis.org/
diff --git a/docs/community/3.9-announcement.md b/docs/community/3.9-announcement.md
index bd886482c..1680d919e 100644
--- a/docs/community/3.9-announcement.md
+++ b/docs/community/3.9-announcement.md
@@ -203,7 +203,7 @@ web framework, which is building a foundational set of tooling for working with
 ASGI.
 
 
-[funding]: funding.md
+[funding]: https://opencollective.com/django-rest-framework
 [gh5886]: https://github.com/encode/django-rest-framework/issues/5886
 [gh5705]: https://github.com/encode/django-rest-framework/issues/5705
 [openapi]: https://www.openapis.org/
diff --git a/docs/community/jobs.md b/docs/community/jobs.md
index f3ce37d15..7b16330d3 100644
--- a/docs/community/jobs.md
+++ b/docs/community/jobs.md
@@ -1,6 +1,6 @@
 # Jobs
 
-Looking for a new Django REST Framework related role? On this site we provide a list of job resources that may be helpful. It's also worth checking out if any of [our sponsors are hiring][drf-funding].
+Looking for a new Django REST Framework related role? On this site we provide a list of job resources that may be helpful. It's also worth checking out if any of [our sponsors are hiring][sponsors].
 
 
 ## Places to look for Django REST Framework Jobs
@@ -22,7 +22,7 @@ Looking for a new Django REST Framework related role? On this site we provide a
 
 Know of any other great resources for Django REST Framework jobs that are missing in our list? Please [submit a pull request][submit-pr] or [email us][anna-email].
 
-Wonder how else you can help? One of the best ways you can help Django REST Framework is to ask interviewers if their company is signed up for [REST Framework sponsorship][drf-funding] yet.
+Wonder how else you can help? One of the best ways you can help Django REST Framework is to ask interviewers if their company is signed up for [REST Framework sponsorship][sponsors] yet.
 
 
 [djangoproject-website]: https://www.djangoproject.com/community/jobs/
@@ -38,6 +38,6 @@ Wonder how else you can help? One of the best ways you can help Django REST Fram
 [remoteok-com]: https://remoteok.com/remote-django-jobs
 [remotepython-com]: https://www.remotepython.com/jobs/
 [pyjobs-com]: https://www.pyjobs.com/
-[drf-funding]: https://fund.django-rest-framework.org/topics/funding/
+[sponsors]: https://fund.django-rest-framework.org/topics/funding/#our-sponsors
 [submit-pr]: https://github.com/encode/django-rest-framework
 [anna-email]: mailto:anna@django-rest-framework.org
diff --git a/docs/community/mozilla-grant.md b/docs/community/mozilla-grant.md
index 5248f5cc0..9a7491b61 100644
--- a/docs/community/mozilla-grant.md
+++ b/docs/community/mozilla-grant.md
@@ -37,7 +37,7 @@ at the end of May 2016.
 I have formed a UK limited company, [Encode](https://www.encode.io/), which will
 act as the business entity behind REST framework. I will be issuing monthly reports
 from Encode on progress both towards the Mozilla grant, and for development time
-funded via the [REST framework paid plans](funding.md).
+funded via the REST framework paid plans.
 
 <!-- Begin MailChimp Signup Form -->
 <link href="//cdn-images.mailchimp.com/embedcode/classic-10_7.css" rel="stylesheet" type="text/css">

From 64f6580bf377ba54d293599858a96c8573717bd3 Mon Sep 17 00:00:00 2001
From: Pravin <91125540+p-r-a-v-i-n@users.noreply.github.com>
Date: Thu, 5 Feb 2026 19:32:12 +0530
Subject: [PATCH 4/9] Update pytest versions (#9881)

* Update pytest versions

* Ignore deprecation warnings from coreapi

* ignore coreapi deprecation warnings during test startup

* Use pytest directly in tox and relax version pins
---
 pyproject.toml | 9 ++++++---
 tox.ini        | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 6613f1a66..1915d9444 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -49,8 +49,8 @@ test = [
   "importlib-metadata<5.0",
 
   # Pytest for running the tests.
-  "pytest>=7.0.1,<8",
-  "pytest-cov>=4.0.0,<5.0",
+  "pytest==9.*",
+  "pytest-cov==7.*",
   "pytest-django>=4.5.2,<5",
 
   # Remove when dropping support for Django<5.0
@@ -118,7 +118,10 @@ keep_full_version = true
 [tool.pytest.ini_options]
 addopts = "--tb=short --strict-markers -ra"
 testpaths = [ "tests" ]
-filterwarnings = [ "ignore:CoreAPI compatibility is deprecated*:rest_framework.RemovedInDRF318Warning" ]
+filterwarnings = [
+  "ignore:CoreAPI compatibility is deprecated*:rest_framework.RemovedInDRF318Warning",
+  "ignore:'cgi' is deprecated:DeprecationWarning",
+]
 
 [tool.coverage.run]
 # NOTE: source is ignored with pytest-cov (but uses the same).
diff --git a/tox.ini b/tox.ini
index b13eabd1a..00e5bd57b 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,7 +10,7 @@ envlist =
        docs
 
 [testenv]
-commands = python -W error::DeprecationWarning -W error::PendingDeprecationWarning runtests.py --coverage {posargs}
+commands = pytest --cov --cov-report xml {posargs}
 envdir = {toxworkdir}/venvs/{envname}
 setenv =
        PYTHONDONTWRITEBYTECODE=1

From e49d025f2d7112cd7d361fb78e7ada497b6af05d Mon Sep 17 00:00:00 2001
From: Pravin <91125540+p-r-a-v-i-n@users.noreply.github.com>
Date: Thu, 5 Feb 2026 19:57:45 +0530
Subject: [PATCH 5/9] Setup Dependabot for automating dependencies updates
 (#9885)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Asif Saif Uddin {"Auvi":"অভি"} <auvipy@gmail.com>
---
 .github/dependabot.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8c31ed46d..0e7bc610a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,3 +13,37 @@ updates:
       interval: weekly
     cooldown:
       default-days: 7
+  
+  - package-ecosystem: "pip"
+    directory: "/"
+
+    groups:
+      test:
+        patterns:
+          - "pytest*"
+          - "attrs"
+          - "importlib-metadata"
+          - "pytz"
+
+      docs:
+        patterns:
+          - "mkdocs"
+          - "pylinkvalidator"
+
+      optional:
+        patterns:
+          - "coreapi"
+          - "coreschema"
+          - "django-filter"
+          - "django-guardian"
+          - "inflection"
+          - "legacy-cgi"
+          - "markdown"
+          - "psycopg*"
+          - "pygments"
+          - "pyyaml"
+
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7

From 7aa67183fe8dd1d6068fac0514a482e498d2180c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 5 Feb 2026 21:06:46 +0600
Subject: [PATCH 6/9] Bump mkdocs from 1.6.0 to 1.6.1 in the docs group (#9887)

Bumps the docs group with 1 update: [mkdocs](https://github.com/mkdocs/mkdocs).


Updates `mkdocs` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/mkdocs/mkdocs/releases)
- [Commits](https://github.com/mkdocs/mkdocs/compare/1.6.0...1.6.1)

---
updated-dependencies:
- dependency-name: mkdocs
  dependency-version: 1.6.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: docs
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1915d9444..ecddea9f4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -58,7 +58,7 @@ test = [
 ]
 docs = [
   # MkDocs to build our documentation.
-  "mkdocs==1.6.0",
+  "mkdocs==1.6.1",
   # pylinkvalidator to check for broken links in documentation.
   "pylinkvalidator==0.3",
 ]

From 8fe9c5497e4dc20b014f0a1de0c09e626f8005c8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 13:12:23 +0000
Subject: [PATCH 7/9] Bump the optional group with 4 updates (#9888)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Bump the optional group with 4 updates

Updates the requirements on [coreapi](https://github.com/core-api/python-client), [django-guardian](https://github.com/django-guardian/django-guardian), [pygments](https://github.com/pygments/pygments) and [pyyaml](https://github.com/yaml/pyyaml) to permit the latest version.

Updates `coreapi` from 2.3.1 to 2.3.3
- [Commits](https://github.com/core-api/python-client/compare/2.3.1...2.3.3)

Updates `django-guardian` to 3.2.0
- [Release notes](https://github.com/django-guardian/django-guardian/releases)
- [Commits](https://github.com/django-guardian/django-guardian/compare/v2.4.0...3.2.0)

Updates `pygments` to 2.19.2
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](https://github.com/pygments/pygments/compare/2.17.0...2.19.2)

Updates `pyyaml` to 6.0.3
- [Release notes](https://github.com/yaml/pyyaml/releases)
- [Changelog](https://github.com/yaml/pyyaml/blob/6.0.3/CHANGES)
- [Commits](https://github.com/yaml/pyyaml/compare/5.3.1...6.0.3)

---
updated-dependencies:
- dependency-name: coreapi
  dependency-version: 2.3.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: optional
- dependency-name: django-guardian
  dependency-version: 3.2.0
  dependency-type: direct:development
  dependency-group: optional
- dependency-name: pygments
  dependency-version: 2.19.2
  dependency-type: direct:development
  dependency-group: optional
- dependency-name: pyyaml
  dependency-version: 6.0.3
  dependency-type: direct:development
  dependency-group: optional
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add back setuptools

Was added to testing requirements in
https://github.com/encode/django-rest-framework/pull/9818

But that was lost in:
https://github.com/encode/django-rest-framework/pull/9842

Moving to optional dep group as it's only needed for coreapi

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Asif Saif Uddin {"Auvi":"অভি"} <auvipy@gmail.com>
Co-authored-by: Bruno Alla <alla.brunoo@gmail.com>
---
 pyproject.toml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index ecddea9f4..3079e13d4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -64,16 +64,18 @@ docs = [
 ]
 optional = [
   # Optional packages which may be used with REST framework.
-  "coreapi==2.3.1",
+  "coreapi==2.3.3",
   "coreschema==0.0.4",
   "django-filter",
-  "django-guardian>=2.4.0,<2.5",
+  "django-guardian>=2.4.0,<3.3",
   "inflection==0.5.1",
   "legacy-cgi; python_version>='3.13'",
   "markdown>=3.3.7",
   "psycopg[binary]>=3.1.8",
-  "pygments~=2.17.0",
-  "pyyaml>=5.3.1,<5.4",
+  "pygments>=2.17,<2.20",
+  "pyyaml>=5.3.1,<6.1",
+  # setuptools is needed for coreapi (imports pkg_resources)
+  "setuptools",
 ]
 django42 = [ "django>=4.2,<5.0" ]
 django50 = [ "django>=5.0,<5.1" ]

From 1b63dce808dae688240dd5d7775ad07276140a9a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 7 Feb 2026 13:25:54 +0000
Subject: [PATCH 8/9] Bump the test group with 1 updates and remove attrs pin
 (#9886)

---
 pyproject.toml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 3079e13d4..502f640bb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -44,9 +44,7 @@ dev = [
   { include-group = "test" },
 ]
 test = [
-  # temporary pin of attrs
-  "attrs==22.1.0",
-  "importlib-metadata<5.0",
+  "importlib-metadata<9.0",
 
   # Pytest for running the tests.
   "pytest==9.*",

From cf38c94ec1376d2b5c875d227cefc2780aa148bd Mon Sep 17 00:00:00 2001
From: Bruno Alla <browniebroke@users.noreply.github.com>
Date: Tue, 10 Feb 2026 14:31:03 +0000
Subject: [PATCH 9/9] Pin setuptools version to keep running coreapi tests
 (#9892)

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 502f640bb..121ac357f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -73,7 +73,7 @@ optional = [
   "pygments>=2.17,<2.20",
   "pyyaml>=5.3.1,<6.1",
   # setuptools is needed for coreapi (imports pkg_resources)
-  "setuptools",
+  "setuptools<82",
 ]
 django42 = [ "django>=4.2,<5.0" ]
 django50 = [ "django>=5.0,<5.1" ]