Update dependency homeassistant to v2025 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
homeassistant	==2024.11.3 → ==2025.8.0

GitHub Vulnerability Alerts

CVE-2025-65713

Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.

---

Release Notes

home-assistant/core (homeassistant)

v2025.8.0

Compare Source

https://www.home-assistant.io/blog/2025/08/06/release-20258/

v2025.7.4

Compare Source

• Keep entities of dead Z-Wave devices available (@​AlCalzone - #​148611) (zwave_js docs)
• Fix warning about failure to get action during setup phase (@​mback2k - #​148923) (wmspro docs)
• Fix a bug in rainbird device migration that results in additional devices (@​allenporter - #​149078) (rainbird docs)
• Fix multiple webhook secrets for Telegram bot (@​hanwg - #​149103) (telegram_bot docs)
• Bump pyschlage to 2025.7.2 (@​dknowles2 - #​149148) (schlage docs) (dependency)
• Fix Matter light get brightness (@​jvmahon - #​149186) (matter docs)
• Fix brightness_step and brightness_step_pct via lifx.set_state (@​Djelibeybi - #​149217) (lifx docs)
• Add Z-Wave USB migration confirm step (@​MartinHjelmare - #​149243) (zwave_js docs)
• Add fan off mode to the supported fan modes to fujitsu_fglair (@​crevetor - #​149277) (fujitsu_fglair docs)
• Update Tesla OAuth Server in Tesla Fleet (@​Bre77 - #​149280) (tesla_fleet docs)
• Update slixmpp to 1.10.0 (@​gaaf - #​149374) (xmpp docs) (dependency)
• Bump aioamazondevices to 3.5.1 (@​chemelli74 - #​149385) (alexa_devices docs) (dependency)
• Bump pysuezV2 to 2.0.7 (@​jb101010-2 - #​149436) (suez_water docs) (dependency)
• Bump habiticalib to v0.4.1 (@​tr4nt0r - #​149523) (habitica docs) (dependency)

v2025.7.3

Compare Source

• Handle connection issues after websocket reconnected in homematicip_cloud (@​hahn-th - #​147731) (homematicip_cloud docs)
• Fix Shelly n_current sensor removal condition (@​bieniu - #​148740) (shelly docs)
• Bump pySmartThings to 3.2.8 (@​joostlek - #​148761) (smartthings docs) (dependency)
• Bump Tesla Fleet API to 1.2.2 (@​Bre77 - #​148776) (tessie docs) (teslemetry docs) (tesla_fleet docs) (dependency)
• Use ffmpeg for generic cameras in go2rtc (@​edenhaus - #​148818) (go2rtc docs)
• Add guard to prevent exception in Sonos Favorites (@​PeteRager - #​148854) (sonos docs)
• Fix button platform parent class in Teslemetry (@​Bre77 - #​148863) (teslemetry docs)
• Bump pyenphase to 2.2.2 (@​catsmanac - #​148870) (enphase_envoy docs) (dependency)
• Bump gios to version 6.1.1 (@​bieniu - #​148414) (gios docs) (dependency)
• Bump gios to version 6.1.2 (@​bieniu - #​148884) (gios docs) (dependency)
• Bump async-upnp-client to 0.45.0 (@​StevenLooman - #​148961) (upnp docs) (yeelight docs) (dlna_dmr docs) (samsungtv docs) (ssdp docs) (dlna_dms docs) (dependency)
• Pass Syncthru entry to coordinator (@​joostlek - #​148974) (syncthru docs)
• Update frontend to 2025070.3 (@​bramkragten - #​148994) (frontend docs) (dependency)
• Bump PySwitchbot to 0.68.2 (@​bdraco - #​148996) (switchbot docs) (dependency)
• Ignore MQTT sensor unit of measurement if it is an empty string (@​jbouwh - #​149006) (mqtt docs)
• Bump aioamazondevices to 3.5.0 (@​chemelli74 - #​149011) (alexa_devices docs) (dependency)

v2025.7.2

Compare Source

• Squeezebox: Fix track selection in media browser (@​Hypfer - #​147185) (squeezebox docs)
• Squeezebox: Fix tracks not having thumbnails (@​Hypfer - #​147187) (squeezebox docs)
• Bump pysmlight to v0.2.7 (@​tl-sl - #​148101) (smlight docs) (dependency)
• Fix REST sensor charset handling to respect Content-Type header (@​bdraco - #​148223) (rest docs)
• Fix UTF-8 encoding for REST basic authentication (@​bdraco - #​148225) (rest docs)
• Bump pylamarzocco to 2.0.10 (@​zweckj - #​148233) (lamarzocco docs) (dependency)
• Bump sharkiq to 1.1.1 (@​funkybunch - #​148244) (sharkiq docs) (dependency)
• bump motionblinds to 0.6.29 (@​starkillerOG - #​148265) (motion_blinds docs) (dependency)
• Bump aiowebostv to 0.7.4 (@​thecode - #​148273) (webostv docs) (dependency)
• Bump gios to version 6.1.0 (@​bieniu - #​148274) (gios docs) (dependency)
• Restore httpx compatibility for non-primitive REST query parameters (@​bdraco - #​148286) (rest docs)
• Bump pyenphase to 2.2.1 (@​catsmanac - #​148292) (enphase_envoy docs) (dependency)
• Add lamp states to smartthings selector (@​jvits227 - #​148302) (smartthings docs)
• Fix Switchbot cloud plug mini current unit Issue (@​XiaoLing-git - #​148314) (switchbot_cloud docs)
• Bump pyswitchbot to 0.68.1 (@​zerzhang - #​148335) (switchbot docs) (dependency)
• Handle binary coils with non default mappings in nibe heatpump (@​elupus - #​148354) (nibe_heatpump docs)
• Bump aioamazondevices to 3.2.8 (@​chemelli74 - #​148365) (alexa_devices docs) (dependency)
• Create own clientsession for lamarzocco (@​zweckj - #​148385) (lamarzocco docs)
• Bump pylamarzocco to 2.0.11 (@​zweckj - #​148386) (lamarzocco docs) (dependency)
• Bump pySmartThings to 3.2.7 (@​joostlek - #​148394) (smartthings docs) (dependency)
• Bump uiprotect to version 7.14.2 (@​RaHehl - #​148453) (unifiprotect docs) (dependency)
• Bump hass-nabucasa from 0.105.0 to 0.106.0 (@​ludeeus - #​148473) (cloud docs) (dependency)
• Revert "Deprecate hddtemp" (@​edenhaus - #​148482) (hddtemp docs)
• Fix entity_id should be based on object_id the first time an entity is added (@​jbouwh - #​148484) (mqtt docs)
• Bump aioimmich to 0.10.2 (@​mib1185 - #​148503) (immich docs) (dependency)
• Add workaround for sub units without main device in AVM Fritz!SmartHome (@​mib1185 - #​148507) (fritzbox docs)
• Add Home Connect resume command button when an appliance is paused (@​Diegorro98 - #​148512) (home_connect docs)
• Use the link to the issue instead of creating new issues at Home Connect (@​Diegorro98 - #​148523) (home_connect docs)
• Ensure response is fully read to prevent premature connection closure in rest command (@​jpbede - #​148532) (rest_command docs)
• Fix for Renson set Breeze fan speed (@​krmarien - #​148537) (renson docs)
• Remove vg argument from miele auth flow (@​astrandb - #​148541) (miele docs)
• Bump aiohttp to 3.12.14 (@​bdraco - #​148565) (dependency)
• Update frontend to 2025070.2 (@​bramkragten - #​148573) (frontend docs) (dependency)
• Fix Google Cloud 504 Deadline Exceeded (@​luuquangvu - #​148589) (google_cloud docs)
• Fix - only enable AlexaModeController if at least one mode is offered (@​jbouwh - #​148614) (alexa docs)
• snoo: use correct value for right safety clip binary sensor (@​falconindy - #​148647) (snoo docs)
• Bump nyt_games to 0.5.0 (@​hexEF - #​148654) (nyt_games docs) (dependency)
• Fix Charge Cable binary sensor in Teslemetry (@​Bre77 - #​148675) (teslemetry docs)
• Bump PyViCare to 2.50.0 (@​CFenner - #​148679) (dependency)
• Fix hide empty sections in mqtt subentry flows (@​jbouwh - #​148692) (mqtt docs)
• Bump aioshelly to 13.7.2 (@​thecode - #​148706) (shelly docs) (dependency)
• Bump aioamazondevices to 3.2.10 (@​chemelli74 - #​148709) (alexa_devices docs) (dependency)

v2025.7.1

Compare Source

• Set timeout for remote calendar (@​Thomas55555 - #​147024) (remote_calendar docs)
• Fix missing port in samsungtv (@​epenet - #​147962) (samsungtv docs)
• Bump ZHA to 0.0.62 (@​puddly - #​147966) (zha docs) (dependency)
• Bump aiounifi to v84 (@​Kane610 - #​147987) (unifi docs)
• Fix state being incorrectly reported in some situations on Music Assistant players (@​marcelveldt - #​147997) (music_assistant docs) (dependency)
• Bump hass-nabucasa from 0.104.0 to 0.105.0 (@​ludeeus - #​148040) (cloud docs) (dependency)
• Fix Telegram bots using plain text parser failing to load on restart (@​hanwg - #​148050) (telegram_bot docs)
• Bump pyenphase to 2.2.0 (@​catsmanac - #​148070) (enphase_envoy docs) (dependency)
• Cancel enphase mac verification on unload. (@​catsmanac - #​148072) (enphase_envoy docs)
• Bump aioamazondevices to 3.2.3 (@​chemelli74 - #​148082) (alexa_devices docs) (dependency)
• Update frontend to 2025070.1 (@​bramkragten - #​148131) (frontend docs) (dependency)
• [ci] Fix typing issue with aiohttp and aiosignal (@​cdce8p - #​148141) (http docs)
• Bump venstarcolortouch to 0.21 (@​mlfreeman2 - #​148152) (venstar docs) (dependency)

v2025.7.0

Compare Source

https://www.home-assistant.io/blog/2025/07/02/release-20257/

v2025.6.3

Compare Source

• Update frontend to 2025053.4 (@​bramkragten - #​147414) (frontend docs) (dependency)

v2025.6.2

Compare Source

• Remove address info from Rachio calendar events (@​brg468 - #​145896) (rachio docs) (breaking-change)
• Bump uiprotect to 7.12.0 (@​RaHehl - #​146337) (unifiprotect docs) (dependency)
• Bump uiprotect to 7.13.0 (@​RaHehl - #​146410) (unifiprotect docs) (dependency)
• Bump reolink-aio to 0.14.0 (@​starkillerOG - #​146566) (reolink docs) (dependency)
• Bump pypck to 0.8.7 (@​alengwenus - #​146657) (lcn docs) (dependency)
• Update rokuecp to 0.19.5 (@​ctalkington - #​146788) (roku docs) (dependency)
• Use Shelly main device area as suggested area for sub-devices (@​bieniu - #​146810) (shelly docs)
• Fix blocking open in Minecraft Server (@​elmurato - #​146820) (minecraft_server docs)
• Bump aioamazondevices to 3.1.3 (@​chemelli74 - #​146828) (alexa_devices docs) (dependency)
• Bump aiohttp to 3.12.13 (@​bdraco - #​146830) (dependency)
• Bump motion blinds to 0.6.28 (@​starkillerOG - #​146831) (motion_blinds docs) (dependency)
• Bump pypck to 0.8.8 (@​alengwenus - #​146841) (lcn docs) (dependency)
• Fix missing key for ecosmart in older Wallbox models (@​hesselonline - #​146847) (wallbox docs)
• Bump bthome-ble to 3.13.1 (@​Ernst79 - #​146871) (bthome docs) (dependency)
• Bump reolink-aio to 0.14.1 (@​starkillerOG - #​146903) (reolink docs) (dependency)
• Add debug log for update in onedrive (@​zweckj - #​146907) (onedrive docs)
• Switchbot Cloud: Fix device type filtering in sensor (@​SeraphicRav - #​146945) (switchbot_cloud docs)
• Bump pySmartThings to 3.2.5 (@​joostlek - #​146983) (smartthings docs) (dependency)
• Bump ical to 10.0.4 (@​allenporter - #​147005) (local_calendar docs) (local_todo docs) (remote_calendar docs) (dependency)
• Fix incorrect use of zip in service.async_get_all_descriptions (@​emontnemery - #​147013)
• Disable Z-Wave indidator CC entities by default (@​MartinHjelmare - #​147018) (zwave_js docs)
• Fix Shelly entity names for gen1 sleeping devices (@​bieniu - #​147019) (shelly docs)
• Disable Z-Wave idle notification button (@​MartinHjelmare - #​147026) (zwave_js docs)
• Fix log in onedrive (@​zweckj - #​147029) (onedrive docs)
• Bump holidays lib to 0.75 (@​gjohansson-ST - #​147043) (workday docs) (holiday docs) (dependency)
• Bump aiohomeconnect to 0.18.0 (@​Diegorro98 - #​147044) (home_connect docs) (dependency)
• Bump ZHA to 0.0.60 (@​puddly - #​147045) (zha docs) (dependency)
• Bump pylamarzocco to 2.0.9 (@​zweckj - #​147046) (lamarzocco docs) (dependency)
• Handle missing widget in lamarzocco (@​zweckj - #​147047) (lamarzocco docs)
• Bump aioamazondevices to 3.1.4 (@​chemelli74 - #​146883) (alexa_devices docs) (dependency)
• Bump aioamazondevices to 3.1.12 (@​chemelli74 - #​147055) (alexa_devices docs) (dependency)
• Bump uiprotect to version 7.14.0 (@​RaHehl - #​147102) (unifiprotect docs) (dependency)
• Improve advanced Z-Wave battery discovery (@​MartinHjelmare - #​147127) (zwave_js docs)
• Fix Charge Cable binary sensor in Teslemetry (@​Bre77 - #​147136) (teslemetry docs)
• [ci] Bump cache key version (@​cdce8p - #​147148)
• Bump homematicip to 2.0.6 (@​hahn-th - #​147151) (homematicip_cloud docs) (dependency)
• Wallbox fix too many requests by API (@​hesselonline - #​147197) (wallbox docs)
• Bump deebot-client to 13.4.0 (@​edenhaus - #​147221) (ecovacs docs) (dependency)
• Handle the new JSON payload from traccar clients (@​ludeeus - #​147254) (traccar docs)
• Bump aioamazondevices to 3.1.14 (@​chemelli74 - #​147257) (alexa_devices docs) (dependency)
• Bump uiprotect to version 7.14.1 (@​RaHehl - #​147280) (unifiprotect docs) (dependency)
• Bump aioesphomeapi to 32.2.4 (@​synesthesiam - #​147100) (esphome docs) (dependency)
• Bump aioesphomeapi to 33.0.0 (@​bdraco - #​147296) (esphome docs) (dependency)
• Fix reload for Shelly devices with no script support (@​chemelli74 - #​147344) (shelly docs)
• Add Matter protocol to Switchbot (@​joostlek - #​147356)

v2025.6.1

Compare Source

• Fix palette handling for LIFX Ceiling SKY effect (@​Djelibeybi - #​146582) (lifx docs)
• Fix fan is_on status in xiaomi_miio (@​epenet - #​146592) (xiaomi_miio docs)
• Drop HostKeyAlgorithms in aruba (@​aethrvmn - #​146619) (aruba docs)
• Update frontend to 2025053.3 (@​piitaya - #​146638) (frontend docs)
• Fix cookies with aiohttp >= 3.12.7 for Vodafone Station (@​chemelli74 - #​146647) (vodafone_station docs)
• Bump wakeonlan to 3.1.0 (@​epenet - #​146655) (wake_on_lan docs) (samsungtv docs) (dependency)
• Bump hdate to 1.1.2 (@​tsvi - #​146659) (jewish_calendar docs) (dependency)
• Bump linkplay to v0.2.12 (@​silamon - #​146669) (linkplay docs) (dependency)
• Filter speak notify entity for WHA devices in Alexa Devices (@​chemelli74 - #​146688) (alexa_devices docs)
• Bump aioamazondevices to 3.1.2 (@​chemelli74 - #​146690) (alexa_devices docs) (dependency)
• Fix opower to work with aiohttp>=3.12.7 by disabling cookie quoting (@​tronikos - #​146697) (opower docs) (dependency)
• Revert scan interval change in local calendar (@​allenporter - #​146700) (local_calendar docs)
• Partial revert of update to remote calendar to fix issue where calendar does not update (@​allenporter - #​146702) (remote_calendar docs)
• Ignore lingering pycares shutdown thread (@​cdce8p - #​146733)
• Bump aiodns to 3.5.0 (@​bdraco - #​146758) (dnsip docs) (dependency)
• Fix throttling issue in HomematicIP Cloud (@​hahn-th - #​146683) (homematicip_cloud docs)

v2025.6.0

Compare Source

https://www.home-assistant.io/blog/2025/06/11/release-20256/

v2025.5.3

Compare Source

• Netatmo: do not fail on schedule updates ([@​wuede] - #​142933) ([netatmo docs])
• Fix QNAP fail to load ([@​disforw] - #​144675) ([qnap docs])
• Allow image send with read-only access (matrix notify) ([@​TheOneValen] - #​144819) ([matrix docs])
• Postpone update in WMSPro after service call (@​mback2k - #​144836) (wmspro docs)
• Bump ESPHome stable BLE version to 2025.5.0 (@​bdraco - #​144857) (esphome docs)
• Fix album and artist returning "None" rather than None for Squeezebox media player. ([@​peteS-UK] - #​144971) (squeezebox docs)
• Bump aiontfy to 0.5.2 (@​tr4nt0r - #​145044) ([ntfy docs]) (dependency)
• Fix proberly Ecovacs mower area sensors (@​edenhaus - #​145078) (ecovacs docs)
• Map auto to heat_cool for thermostat in SmartThings (@​joostlek - #​145098) (smartthings docs)
• Add missing device condition translations to lock component (@​jpbede - #​145104) ([lock docs])
• Fix history_stats with sliding window that ends before now ([@​karwosts] - #​145117) ([history_stats docs][history_stats docs])
• Bump sense-energy to 0.13.8 ([@​kbickar] - #​145156) ([sense docs]) ([emulated_kasa docs][emulated_kasa docs]) (dependency)
• Improve Z-Wave config flow tests (@​MartinHjelmare - #​144871) (zwave_js docs)
• Fix Z-Wave unique id update during controller migration (@​MartinHjelmare - #​145185) (zwave_js docs)
• Bump velbusaio to 2025.5.0 ([@​cereal2nd] - #​145198) ([velbus docs]) (dependency)
• Bump aiocomelit to 0.12.3 (@​chemelli74 - #​145209) ([comelit docs]) (dependency)
• Fix Z-Wave config entry unique id after NVM restore (@​MartinHjelmare - #​145221) (zwave_js docs)
• Bump holidays to 0.73 (@​gjohansson-ST - #​145238) (workday docs) (holiday docs) (dependency)
• Bump pyaprilaire to 0.9.0 ([@​chamberlain2007] - #​145260) ([aprilaire docs]) (dependency)
• Add cloud as after_dependency to onedrive (@​zweckj - #​145301) (onedrive docs)
• Handle more exceptions in azure_storage (@​zweckj - #​145320) ([azure_storage docs][azure_storage docs])
• Fix limit of shown backups on Synology DSM location (@​mib1185 - #​145342) ([synology_dsm docs][synology_dsm docs])
• Add initial coordinator refresh for players in Squeezebox ([@​peteS-UK] - #​145347) (squeezebox docs)
• Fix: Revert Ecovacs mower total_stats_area unit to square meters ([@​Augar] - #​145380) (ecovacs docs)
• Bump pysqueezebox to v0.12.1 ([@​rajlaud] - #​145384) (squeezebox docs) (dependency)
• OTBR: remove links to obsolete multiprotocol docs ([@​c0ffeeca7] - #​145394) ([otbr docs])
• Bump pylamarzocco to 2.0.4 (@​zweckj - #​145402) (lamarzocco docs) (dependency)
• Bump py-synologydsm-api to 2.7.2 (@​mib1185 - #​145403) ([synology_dsm docs][synology_dsm docs]) (dependency)
• Mark backflush binary sensor not supported for GS3 MP in lamarzocco (@​zweckj - #​145406) (lamarzocco docs)
• Bump yt-dlp to 2025.05.22 (@​joostlek - #​145441) ([media_extractor docs][media_extractor docs]) (dependency)
• Reolink fix device migration (@​starkillerOG - #​145443) (reolink docs)
• Bump pysmartthings to 3.2.3 (@​joostlek - #​145444) (smartthings docs) (dependency)
• Bump opower to 0.12.1 (@​tronikos - #​145464) (opower docs) (dependency)
• Make Gemma models work in Google AI (@​tronikos - #​145479) ([google_generative_ai_conversation docs][google_generative_ai_conversation docs])
• Fix strings related to Google search tool in Google AI (@​tronikos - #​145480) ([google_generative_ai_conversation docs][google_generative_ai_conversation docs])
• Bump pyfibaro to 0.8.3 ([@​rappenze] - #​145488) ([fibaro docs]) (dependency)
• Bump deebot-client to 13.2.1 (@​edenhaus - #​145492) (ecovacs docs) (dependency)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.