CI: (deps): Bump dask from 2026.3.0 to 2026.6.0 in /ci

[dependabot]

Bumps dask from 2026.3.0 to 2026.6.0.

Release notes

Sourced from dask's releases.

2026.6.0

Changes

• Add PyPI release workflow @​mrocklin (#12452)
• Pandas 3.1: The inplace keyword in DataFrame.drop is deprecated @​crusaderky (#12447)
• test_concat_categorical is still flaky on Pandas 2.0 @​crusaderky (#12454)
• Add tests for the array assert_eq helper @​kyo5uke (#12441)
• Revert "security: enable Jinja2 autoescape to prevent XSS in HTML rep… @​crusaderky (#12451)
• Bump codecov/codecov-action from 6 to 7 @dependabot[bot] (#12450)
• fix:Dataframe.merge loses data when there are 128 or 129 partitions @​hebian1994 (#12430)
• security: enable Jinja2 autoescape to prevent XSS in HTML reprs @​dfgvaetyj3456356-hash (#12423)
• Test vs. NumPy 1.26 and PyArrow 18 @​crusaderky (#12445)
• Do not build the dask-core pixi package twice @​crusaderky (#12443)
• Bump release-drafter/release-drafter from 6 to 7 @dependabot[bot] (#12328)
• TST: Fix broken condition in test_cpu_affinity_taskset @​QuLogic (#12399)
• Fix flaky test_interrupt @​crusaderky (#12437)
• Free-threading: enable msgpack C extension @​crusaderky (#12439)
• Fix Series.map(Series) producing wrong results for non-co-aligned inputs @​xronocode (#12432)
• Repair Upstream CI @​crusaderky (#12436)
• Strictly expect test failures @​crusaderky (#12435)
• pixi update @​crusaderky (#12433)
• quantile/nanquantile fixes @​crusaderky (#12380)
• More thorough tests for Series.map (XFAIL'ed); fix pandas nightly CI @​crusaderky (#12425)
• Add AGENTS.md / CLAUDE.md; clarify guidelines re. AI pull requests @​crusaderky (#12415)
• Tweak local coverage HTML report @​crusaderky (#12422)
• Add support for Cholesky decomposition with complex dtypes @​nicrie (#12416)
• Make tests less dependent on urllib3 and requests @​crusaderky (#12419)
• Don't run scheduled tests on forks @​crusaderky (#12418)
• Repair conda upload @​crusaderky (#12417)
• Fix add_prefix/add_suffix in pandas nightly; support explicit axis @​crusaderky (#12414)
• Remove legacy pandas dtype testing strings vs. decimals @​crusaderky (#12413)
• Better type annotations for import_optional_dependency @​crusaderky (#12412)
• Resurrect PySpark tests @​crusaderky (#12410)
• Test on Linux ARM @​crusaderky (#12408)
• Fix failures in test_describe vs. pandas nightly @​crusaderky (#12409)
• Migrate CI to Pixi @​crusaderky (#12389)
• Fix typos @​crusaderky (#12405)
• XFAIL regression in click 8.4.0 @​crusaderky (#12407)
• Fix flaky test_shared_tasks in free-threading @​crusaderky (#12398)
• Enforce Python 3.10 compatibility in black @​crusaderky (#12397)
• Update Optuna+Dask example to use optuna-integration @​xronocode (#12385)
• Fix flaky test_store_locks @​crusaderky (#12393)
• XFAIL flaky test_len @​crusaderky (#12396)
• Run some tests serially in pytest-xdist @​crusaderky (#12395)
• test_orc segfaults with Pyarrow 16 @​crusaderky (#12394)
• Unskip test_map_block_series @​crusaderky (#12392)
• Speed up test_from_delayed_future @​crusaderky (#12391)
• fix: duplicated words in dask/array routines and slicing docstrings @​lphuc2250gma (#12390)
• Simplify test_dot; suppress spurious test outputs @​crusaderky (#12388)
• Test vs. intermediate versions of numpy and pandas @​crusaderky (#12372)

... (truncated)

Changelog

Sourced from dask's changelog.

There are a variety of other projects related to dask that are often co-released. We may want to check their status while releasing

Releasing dask and distributed:

• Check the release issue on https://github.com/dask/community to see if there are any remaining blockers. If not, comment on the issue signalling that you are starting the release

• Update release notes in docs/source/changelog.rst Start by using this script to autogenerate some of the changelog entries:

  git log $(git describe --tags --abbrev=0)..HEAD --pretty=format:"- %s \`%an\`_"  > change.md && sed -i -e 's/(#/(:pr:`/g' change.md && sed -i -e 's/) `/`) `/g' change.md
  

  Replace single backticks with double backticks.

  Sort the entries into subsections and render docs (make html) to make sure that the changelog renders properly. In particular watch warnings for new contributors who don't yet have a github link at the end of the file.

  Add any new contributors' github links to the end of the file (gh pr view --json author <PR> is helpful for getting their usernames).

• Update dependency bounds in all pyproject.toml files

  • In dask/pyproject.toml, set the optional Distributed extra. For example, for a 2026.6.0 release:

    [project.optional-dependencies]
    distributed = ["distributed >=2026.6.0,<2026.6.1"]
    

  • In distributed/pyproject.toml, set the required Dask dependency. For example, for a 2026.6.0 release:

    dependencies = [
        "dask >=2026.6.0,<2026.6.1",
        ...
    ]
    

  • pins should be >= the current version but < the next version to allow for development installs to resolve correctly

  Dask can be released while its optional distributed extra points at the not-yet-published matching Distributed release. Distributed cannot be published before the matching Dask release is available, because Dask is a required dependency.

• Commit

  git commit -a -m "Version YYYY.M.X"
  

... (truncated)

Commits

• f973ad8 Version 2026.6.0
• aea7965 Add PyPI release workflow (#12452)
• c437b7a Pandas 3.1: The inplace keyword in DataFrame.drop is deprecated (#12447)
• 99af142 test_concat_categorical is still flaky on Pandas 2.0 (#12454)
• 2be4507 Add tests for the array assert_eq helper (#12441)
• d0666ee Revert "security: enable Jinja2 autoescape to prevent XSS in HTML rep… (#12451)
• e2cdbb0 Bump codecov/codecov-action from 6 to 7 (#12450)
• f8e1de3 fix:Dataframe.merge loses data when there are 128 or 129 partitions (#12430)
• 9124454 security: enable Jinja2 autoescape to prevent XSS in HTML reprs (#12423)
• a0856a0 Test vs. NumPy 1.26 and PyArrow 18 (#12445)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)