Python: Update pymongo requirement from <4.16,>=4.8.0 to >=4.8.0,<4.17 in /python #13866

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/python/pymongo-gte-4.8.0-and-lt-4.17
@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Updates the requirements on pymongo to permit the latest version.

Release notes

Sourced from pymongo's releases.

PyMongo 4.16.0

Community notes:

Changelog

Sourced from pymongo's changelog.

Changes in Version 4.16.0 (2026/01/07)

PyMongo 4.16 brings a number of changes including:

  • Removed invalid documents from bson.errors.InvalidDocument error messages as doing so may leak sensitive user data. Instead, invalid documents are stored in bson.errors.InvalidDocument.document.
  • PyMongo now requires dnspython>=2.6.1, since dnspython 1.0 is no longer maintained. The minimum version is 2.6.1 to account for CVE-2023-29483 (https://www.cve.org/CVERecord?id=CVE-2023-29483).
  • Removed support for Eventlet. Eventlet is actively being sunset by its maintainers and has compatibility issues with PyMongo's dnspython dependency.
  • Use Zstandard support from the standard library for Python 3.14+, and use backports.zstd for older versions.
  • Fixed return type annotation for find_one_and_* methods on pymongo.asynchronous.collection.AsyncCollection and pymongo.synchronous.collection.Collection to include None.
  • Added support for NumPy 1D-arrays in bson.binary.BinaryVector.
  • Prevented pymongo.encryption.ClientEncryption from loading the crypt shared library to fix "MongoCryptError: An existing crypt_shared library is loaded by the application" unless the linked library search path is set.

Changes in Version 4.15.5 (2025/12/02)

Version 4.15.5 is a bug fix release.

  • Fixed a bug that could cause AutoReconnect("connection pool paused") errors when cursors fetched more documents from the database after SDAM heartbeat failures.

Changes in Version 4.15.4 (2025/10/21)

Version 4.15.4 is a bug fix release.

  • Relaxed the callback type of pymongo.asynchronous.client_session.AsyncClientSession.with_transaction to allow the broader Awaitable type rather than only Coroutine objects.
  • Added the missing Python 3.14 trove classifier to the package metadata.

Issues Resolved

See the PyMongo 4.15.4 release notes in JIRA (https://jira.mongodb.org/secure/ReleaseNote.jspa?projectId=10004&version=47237) for the list of resolved issues in this release.

Changes in Version 4.15.3 (2025/10/07)

Version 4.15.3 is a bug fix release.

  • Fixed a memory leak when raising bson.errors.InvalidDocument with C extensions.
  • Fixed the return type of the pymongo.asynchronous.collection.AsyncCollection.distinct,

... (truncated)

Commits
  • 3290101 Prepare 4.16.0 release (#2672)
  • 1be94d2 PYTHON-5685 Fix unified spec sync metadata for csot and sessions tests (#2669)
  • 6585d9c PYTHON-2442: Refactor: use _asdict() in _options_dict() (#2670)
  • fdb1f7e PYTHON-5677 Prevent ClientEncryption from loading crypt shared library (#2659)
  • 0cd9763 Bump zizmorcore/zizmor-action from cb3d8e846e148d1111d90b03375b9c03deceda37 t...
  • 2f263d4 PYTHON-5680 Fix handling of expectedDocuments in Unified Test Runner (#2665)
  • e9658b2 Add 4.15.5 release date to changelog (#2666)
  • 10dd204 Update coverage[toml] requirement from <=7.10.6,>=5 to >=5,<=7.10.7 (#2662)
  • 1300677 [Spec Resync] 12-22-2025 (#2663)
  • 18c1f14 PYTHON-5529 Introduce optin setting to await for MinPoolSize population (#2664)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [pymongo](https://github.com/mongodb/mongo-python-driver) to permit the latest version.
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@4.8.0...4.16.0)

---
updated-dependencies:
- dependency-name: pymongo
  dependency-version: 4.16.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and python labels Apr 13, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 13, 2026 22:42
@github-actions github-actions bot changed the title from "Update pymongo requirement from <4.16,>=4.8.0 to >=4.8.0,<4.17 in /python" to "Python: Update pymongo requirement from <4.16,>=4.8.0 to >=4.8.0,<4.17 in /python" Apr 13, 2026
@github-actions github-actions bot left a comment

Automated Code Review

Reviewers: 4 | Confidence: 95%

✓ Correctness

This is a trivial dependency version bump raising the pymongo upper bound from < 4.16 to < 4.17. The change is minimal, correct in form, and consistent with the existing version constraint pattern. No correctness issues found.

✓ Security Reliability

This is a minimal, low-risk change that bumps the upper bound of the pymongo dependency from <4.16 to <4.17, allowing users to install pymongo 4.16.x. No security or reliability concerns are introduced by this version range expansion.

✓ Test Coverage

This PR bumps the pymongo upper version bound from < 4.16 to < 4.17 in pyproject.toml. This is a purely declarative dependency constraint change with no code or behavioral modifications. Existing unit tests for the MongoDB Atlas connector (test_mongodb_atlas_store.py, test_mongodb_atlas_collection.py, conftest.py) continue to cover the same functionality. No new behavior is introduced that would require additional tests. No test coverage gaps identified.

✗ Design Approach

The change relaxes the pymongo upper bound from < 4.16 to < 4.17 in pyproject.toml, which is straightforward. However, the uv.lock file still records the semantic-kernel package's pymongo mongo-extra specifier as >=4.8.0,<4.15 (uv.lock line 6458), which is inconsistent with both the old (< 4.16) and new (< 4.17) pyproject.toml constraints. The lock file was never regenerated after previous bumps and still isn't regenerated here, meaning uv sync users remain pinned to < 4.15 regardless of this change. The constraint bump in pyproject.toml has no practical effect until uv lock is re-run and the updated lock file is committed.

Flagged Issues

  • The uv.lock file is out of sync: it still records the pymongo mongo-extra specifier as >=4.8.0,<4.15 (uv.lock:6458), not the new >=4.8.0,<4.17. Users installing via uv sync will remain constrained to < 4.15, making this change a no-op in practice. The lock file must be regenerated with uv lock and the result committed alongside pyproject.toml.

Automated review by dependabot[bot]'s agents

]
mongo = [
"pymongo >= 4.8.0, < 4.16",
"pymongo >= 4.8.0, < 4.17",
The lock file (uv.lock:6458) still records >=4.8.0,<4.15 for this extra — it was never updated for prior bumps and isn't updated here. Without running uv lock and committing the refreshed lock file, uv sync users stay pinned to < 4.15 and this relaxation has no effect.
