build(deps): bump the test-and-lint-dependencies group across 1 directory with 3 updates #2850

Open
wants to merge 1 commit into
base: develop

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jul 15, 2025

Bumps the test-and-lint-dependencies group with 3 updates in the / directory: ruff, mypy and zizmor.

Updates ruff from 0.12.0 to 0.12.3

Release notes

Sourced from ruff's releases.

0.12.3

Release Notes

Preview features

  • [flake8-bugbear] Support non-context-manager calls in B017 (#19063)
  • [flake8-use-pathlib] Add autofixes for PTH100, PTH106, PTH107, PTH108, PTH110, PTH111, PTH112, PTH113, PTH114, PTH115, PTH117, PTH119, PTH120 (#19213)
  • [flake8-use-pathlib] Add autofixes for PTH203, PTH204, PTH205 (#18922)

Bug fixes

  • [flake8-return] Fix false-positive for variables used inside nested functions in RET504 (#18433)
  • Treat form feed as valid whitespace before a line continuation (#19220)
  • [flake8-type-checking] Fix syntax error introduced by fix (TC008) (#19150)
  • [pyupgrade] Keyword arguments in super should suppress the UP008 fix (#19131)

Documentation

  • [flake8-pyi] Make example error out-of-the-box (PYI007, PYI008) (#19103)
  • [flake8-simplify] Make example error out-of-the-box (SIM116) (#19111)
  • [flake8-type-checking] Make example error out-of-the-box (TC001) (#19151)
  • [flake8-use-pathlib] Make example error out-of-the-box (PTH210) (#19189)
  • [pycodestyle] Make example error out-of-the-box (E272) (#19191)
  • [pycodestyle] Make example not raise unnecessary SyntaxError (E114) (#19190)
  • [pydoclint] Make example error out-of-the-box (DOC501) (#19218)
  • [pylint, pyupgrade] Fix syntax errors in examples (PLW1501, UP028) (#19127)
  • [pylint] Update missing-maxsplit-arg docs and error to suggest proper usage (PLC0207) (#18949)
  • [flake8-bandit] Make example error out-of-the-box (S412) (#19241)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.3

Preview features

  • [flake8-bugbear] Support non-context-manager calls in B017 (#19063)
  • [flake8-use-pathlib] Add autofixes for PTH100, PTH106, PTH107, PTH108, PTH110, PTH111, PTH112, PTH113, PTH114, PTH115, PTH117, PTH119, PTH120 (#19213)
  • [flake8-use-pathlib] Add autofixes for PTH203, PTH204, PTH205 (#18922)

Bug fixes

  • [flake8-return] Fix false-positive for variables used inside nested functions in RET504 (#18433)
  • Treat form feed as valid whitespace before a line continuation (#19220)
  • [flake8-type-checking] Fix syntax error introduced by fix (TC008) (#19150)
  • [pyupgrade] Keyword arguments in super should suppress the UP008 fix (#19131)

Documentation

  • [flake8-pyi] Make example error out-of-the-box (PYI007, PYI008) (#19103)
  • [flake8-simplify] Make example error out-of-the-box (SIM116) (#19111)
  • [flake8-type-checking] Make example error out-of-the-box (TC001) (#19151)
  • [flake8-use-pathlib] Make example error out-of-the-box (PTH210) (#19189)
  • [pycodestyle] Make example error out-of-the-box (E272) (#19191)
  • [pycodestyle] Make example not raise unnecessary SyntaxError (E114) (#19190)
  • [pydoclint] Make example error out-of-the-box (DOC501) (#19218)
  • [pylint, pyupgrade] Fix syntax errors in examples (PLW1501, UP028) (#19127)
  • [pylint] Update missing-maxsplit-arg docs and error to suggest proper usage (PLC0207) (#18949)
  • [flake8-bandit] Make example error out-of-the-box (S412) (#19241)

0.12.2

Preview features

  • [flake8-pyi] Expand Optional[A] to A | None (PYI016) (#18572)
  • [pyupgrade] Mark UP008 fix safe if no comments are in range (#18683)

Bug fixes

  • [flake8-comprehensions] Fix C420 to prepend whitespace when needed (#18616)
  • [perflint] Fix PERF403 panic on attribute or subscription loop variable (#19042)
  • [pydocstyle] Fix D413 infinite loop for parenthesized docstring (#18930)
  • [pylint] Fix PLW0108 autofix introducing a syntax error when the lambda's body contains an assignment expression (#18678)
  • [refurb] Fix false positive on empty tuples (FURB168) (#19058)
  • [ruff] Allow more field calls from attrs (RUF009) (#19021)
  • [ruff] Fix syntax error introduced for an empty string followed by a u-prefixed string (UP025) (#18899)

Rule changes

  • [flake8-executable] Allow uvx in shebang line (EXE003) (#18967)
  • [pandas] Avoid flagging PD002 if pandas is not imported (#18963)
  • [pyupgrade] Avoid PEP-604 unions with typing.NamedTuple (UP007, UP045) (#18682)

... (truncated)

Commits
  • 5bc81f2 Bump 0.12.3 (#19279)
  • 6908e26 Filter ruff_linter::VERSION out of SARIF output tests (#19280)
  • 25c4295 [ty] Avoid stale diagnostics for open files diagnostic mode (#19273)
  • 426fa4b [ty] Add signature help provider to playground (#19276)
  • b0b65c2 [ty] Initial implementation of signature help provider (#19194)
  • 08bc6d2 Add simple integration tests for all output formats (#19265)
  • f2ae12b [flake8-return] Fix false-positive for variables used inside nested functio...
  • 965f415 [ty] Add a --quiet mode (#19233)
  • 83b5bbf Treat form feed as valid whitespace before a line continuation (#19220)
  • 87f6f08 [ty] Make check_file a salsa query (#19255)
  • Additional commits viewable in compare view

Updates mypy from 1.16.1 to 1.17.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Optionally Check That Match Is Exhaustive

Mypy can now optionally generate an error if a match statement does not match exhaustively, without having to use assert_never(...). Enable this by using --enable-error-code exhaustive-match.

Example:

# mypy: enable-error-code=exhaustive-match
import enum

class Color(enum.Enum):
    RED = 1
    BLUE = 2

def show_color(val: Color) -> None:
    # error: Unhandled case for values of type "Literal[Color.BLUE]"
    match val:
        case Color.RED:
            print("red")

This feature was contributed by Donal Burns (PR 19144).

Further Improvements to Attribute Resolution

This release includes additional improvements to how attribute types and kinds are resolved. These fix many bugs and overall improve consistency.

  • Handle corner case: protocol/class variable/descriptor (Ivan Levkivskyi, PR 19277)
  • Fix a few inconsistencies in protocol/type object interactions (Ivan Levkivskyi, PR 19267)
  • Refactor/unify access to static attributes (Ivan Levkivskyi, PR 19254)
  • Remove inconsistencies in operator handling (Ivan Levkivskyi, PR 19250)
  • Make protocol subtyping more consistent (Ivan Levkivskyi, PR 18943)

... (truncated)

Commits
  • 0260991 Update version string
  • 3901aa2 Updates to 1.17 changelog (#19436)
  • 7d13396 Initial changelog for 1.17 release (#19427)
  • a182dec Combine the revealed types of multiple iteration steps in a more robust manne...
  • ab4fd57 Improve the handling of "iteration dependent" errors and notes in finally cla...
  • 09ba1f6 [mypyc] Fix exception swallowing in async try/finally blocks with await (#19353)
  • 5c65e33 [mypyc] Fix AttributeError in async try/finally with mixed return paths (#19361)
  • 934ec50 Lessen dmypy suggest path limitations for Windows machines (#19337)
  • a4801f9 Type ignore comments erroneously marked as unused by dmypy (#15043)
  • c3bfa0d Handle corner case: protocol vs classvar vs descriptor (#19277)
  • Additional commits viewable in compare view

Updates zizmor from 1.9.0 to 1.11.0

Release notes

Sourced from zizmor's releases.

v1.11.0

New Features 🌈

Enhancements 🌱

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @​andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

  • The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
  • The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
  • The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
  • The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
  • The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
  • zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
  • The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
  • The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
  • The obfuscation audit now returns precise spans for flagged expressions (#969)
  • The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛

  • The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
  • The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
  • Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
  • Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Changelog

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

Enhancements 🌱

  • The [bot-conditions] audit now supports auto-fixes for many findings (#921)
  • The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @​andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • [artipacked]: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • [template-injection]: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 15, 2025
@dependabot dependabot bot requested a review from a team as a code owner July 15, 2025 01:39
@dependabot dependabot bot added the python Pull requests that update Python code label Jul 15, 2025
@jku
Member

jku commented Jul 15, 2025

zizmor complains in several places:

workflow or action definition without a name

Explicit names would make sense I suppose.
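
The finding quoted above (anonymous-definition) and the two auto-fixes described in the zizmor 1.10.0 notes (artipacked, template-injection), shown on a constructed workflow before and after. This is an added example, not a workflow from this repository or from zizmor's documentation; the workflow name, job id, step names, and the pull-request-title context are assumptions chosen for illustration.

```yaml
# BEFORE (constructed example): trips three audits named in the release notes.
# 1. anonymous-definition: no top-level `name:`, so the workflow shows up
#    unnamed in the GitHub Actions UI.
on: pull_request
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # 2. artipacked: without `persist-credentials: false`, the checkout
      #    token stays in the working tree's .git/config for later steps.
      - uses: actions/checkout@v4
      # 3. template-injection: the ${{ }} expression is expanded into the
      #    script text before the shell runs, so a contributor-controlled
      #    PR title is parsed as shell source rather than treated as data.
      - run: echo "Linting ${{ github.event.pull_request.title }}"
---
# AFTER (constructed example): the same workflow with the three findings
# addressed the way the release notes describe.
name: Lint                      # explicit name clears anonymous-definition
on: pull_request
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Check out sources
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left on disk
      - name: Report PR title
        # The expression is evaluated once into an environment variable;
        # the script only ever sees ${...}, which the shell expands as
        # data inside the double quotes. The variable name follows the
        # FOO_BAR pattern from the notes and is an assumption here.
        env:
          GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Linting ${GITHUB_EVENT_PULL_REQUEST_TITLE}"
```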

@jku jku added enhancement good first issue Bite-sized items for first time contributors github_actions Pull requests that update GitHub Actions code labels Jul 15, 2025
…tory with 3 updates

Bumps the test-and-lint-dependencies group with 3 updates in the / directory: [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.12.0 to 0.12.3
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.12.0...0.12.3)

Updates `mypy` from 1.16.1 to 1.17.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.16.1...v1.17.0)

Updates `zizmor` from 1.9.0 to 1.11.0
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.9.0...v1.11.0)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.12.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: mypy
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/test-and-lint-dependencies-4f69b8e59e branch from a172dca to e6dd3bf Compare July 15, 2025 06:35