Skip to content

build(deps-dev): bump the pip group across 1 directory with 5 updates#21

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pip-7e7fb09910
Open

build(deps-dev): bump the pip group across 1 directory with 5 updates#21
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/pip-7e7fb09910

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the pip group with 5 updates in the / directory:

Package From To
ruff 0.15.16 0.15.18
semgrep 1.165.0 1.167.0
zizmor 1.25.2 1.26.1
pytest 9.0.3 9.1.1
prek 0.4.4 0.4.5

Updates ruff from 0.15.16 to 0.15.18

Release notes

Sourced from ruff's releases.

0.15.18

Release Notes

Released on 2026-06-18.

Preview features

  • Handle nested ruff:ignore comments (#25791)
  • Stop displaying severity in output (#26050)
  • Use human-readable names in CLI output (#25937)
  • Use human-readable names in LSP and playground diagnostics (#26058)
  • [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
  • [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

  • Detect equivalent numeric mapping keys (#26009)
  • Detect mapping keys equivalent to booleans (#25982)
  • Detect repeated signed and complex dictionary keys (#26007)

Rule changes

  • [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

  • Use ThinVec for call keywords (#25999)
  • Inline parser recovery context checks (#26038)
  • Match parser keywords as bytes (#26037)
  • Move value parsing out of lexing (#25360)

Server

  • Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

  • Update fix availability for always-fixable rules (#26091)
  • [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

  • Reject __debug__ lambda parameters (#26022)
  • Reject _ as a match-pattern target (#25977)
  • Reject multiple starred names in sequence patterns (#25976)
  • Reject parenthesized star imports (#26021)
  • Reject starred comprehension targets (#26023)
  • Reject unparenthesized generator expressions in class bases (#25978)
  • Reject yield expressions after commas (#26024)
  • Validate function type parameter default order (#25981)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.18

Released on 2026-06-18.

Preview features

  • Handle nested ruff:ignore comments (#25791)
  • Stop displaying severity in output (#26050)
  • Use human-readable names in CLI output (#25937)
  • Use human-readable names in LSP and playground diagnostics (#26058)
  • [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
  • [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

  • Detect equivalent numeric mapping keys (#26009)
  • Detect mapping keys equivalent to booleans (#25982)
  • Detect repeated signed and complex dictionary keys (#26007)

Rule changes

  • [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

  • Use ThinVec for call keywords (#25999)
  • Inline parser recovery context checks (#26038)
  • Match parser keywords as bytes (#26037)
  • Move value parsing out of lexing (#25360)

Server

  • Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

  • Update fix availability for always-fixable rules (#26091)
  • [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

  • Reject __debug__ lambda parameters (#26022)
  • Reject _ as a match-pattern target (#25977)
  • Reject multiple starred names in sequence patterns (#25976)
  • Reject parenthesized star imports (#26021)
  • Reject starred comprehension targets (#26023)
  • Reject unparenthesized generator expressions in class bases (#25978)
  • Reject yield expressions after commas (#26024)
  • Validate function type parameter default order (#25981)

... (truncated)

Commits

Updates semgrep from 1.165.0 to 1.167.0

Release notes

Sourced from semgrep's releases.

Release v1.167.0

1.167.0 - 2026-06-17

### Added

  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (const-folding)
  • Added a nosemgrep_disabled field to the scan configuration so the platform can disable nosemgrep inline ignore comments org-wide for a scan. (APPEX-1122)
  • Semgrep now skips binary files (images, archives, compiled executables, etc.) during scanning by default, detected via matching file extensions to known file-format magic bytes Pass --no-exclude-binary-files to scan binary files as before. (ENGINE-2708)

### Fixed

  • semgrep ci with --sarif now correctly populates the output's ignores field with nosemgrep-suppressed findings, in accordance with other output formatters. (gh-6651)

### Infra/Release Changes

  • Updated the ocaml-tree-sitter-core submodule to the latest upstream main, providing

    • improved thread-safety
    • bumps the tree-sitter CLI option used from 0.20.6 to 0.20.8.

    (ocaml-tree-sitter-core-bump)

Release v1.166.0

1.166.0 - 2026-06-11

### Added

  • Pro: Added experimental cross-file (interfile) analysis for Gosu, enabling taint tracking across multiple Gosu source files. (gosu-interfile)
  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more (ENGINE-2789)

### Fixed

  • Fixed parsing of integer literals with an underscore immediately after the radix prefix (e.g. 0x_dead_beef, 0o_755, 0b_1010_1010). (LANG-533)
  • Python parsing now preserves type parameters on def and class definitions. (LANG-536)
  • Semgrep no longer stores the API token in ~/.semgrep/settings.yml's stored token when the current scan's token is supplied via the SEMGREP_APP_TOKEN envvar. (SEC-2240)
  • semgrep ci scans originating from a pre-commit hook will no longer fail with Unable to create '<tmp>/.git/index.lock': Not a directory in certain cases. (engine-2736)

### Infra/Release Changes

  • Added parsing tests covering Python language features (Python 3.0–3.12). (LANG-531)
Changelog

Sourced from semgrep's changelog.

1.167.0 - 2026-06-17

### Added

  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more. (const-folding)
  • Added a nosemgrep_disabled field to the scan configuration so the platform can disable nosemgrep inline ignore comments org-wide for a scan. (APPEX-1122)
  • Semgrep now skips binary files (images, archives, compiled executables, etc.) during scanning by default, detected via matching file extensions to known file-format magic bytes Pass --no-exclude-binary-files to scan binary files as before. (ENGINE-2708)

### Fixed

  • semgrep ci with --sarif now correctly populates the output's ignores field with nosemgrep-suppressed findings, in accordance with other output formatters. (gh-6651)

### Infra/Release Changes

  • Updated the ocaml-tree-sitter-core submodule to the latest upstream main, providing

    • improved thread-safety
    • bumps the tree-sitter CLI option used from 0.20.6 to 0.20.8.

    (ocaml-tree-sitter-core-bump)

1.166.0 - 2026-06-11

### Added

  • Pro: Added experimental cross-file (interfile) analysis for Gosu, enabling taint tracking across multiple Gosu source files. (gosu-interfile)
  • Added support for more operators for folding for constant propagation, including subtraction, division, bit ops, bit shifts, comparisons, and more (ENGINE-2789)

### Fixed

  • Fixed parsing of integer literals with an underscore immediately after the radix prefix (e.g. 0x_dead_beef, 0o_755, 0b_1010_1010). (LANG-533)
  • Python parsing now preserves type parameters on def and class definitions. (LANG-536)
  • Semgrep no longer stores the API token in ~/.semgrep/settings.yml's stored token when the current scan's token is supplied via the SEMGREP_APP_TOKEN envvar. (SEC-2240)
  • semgrep ci scans originating from a pre-commit hook will no longer fail with Unable to create '<tmp>/.git/index.lock': Not a directory in certain cases. (engine-2736)

### Infra/Release Changes

  • Added parsing tests covering Python language features (Python 3.0–3.12). (LANG-531)
Commits
  • 2e64163 chore: release 1.167.0
  • 4e0501d chore(partial-scans): add atd types and cli flag for specifying partial scan ...
  • 3d1c0acsemgrep/semgrep-proprietary#6480
  • c9fee93 fix: add event trigger type to wait-for logic (semgrep/semgrep-proprietar...
  • 008fd21 chore: update ocaml-tree-sitter-core submodule to use tree-sitter 0.20.8 (sem...
  • 8d0fc8a chore: split Dockerfilesemgrep/semgrep-proprietary#6553
  • a7a6827semgrep/semgrep-proprietary#6444
  • fd6d28d feat(ci): cut osx-x86 make test to subset smoke test (semgrep/semgrep-propr...
  • b203aa2semgrep/semgrep-proprietary#6574
  • fe22e0a feat(cli): Honor nosemgrep_disabled scan config setting in semgrep ci (semg...
  • Additional commits viewable in compare view

Updates zizmor from 1.25.2 to 1.26.1

Release notes

Sourced from zizmor's releases.

v1.26.1

This is a small corrective release for 1.26.0.

v1.26.0

New Features 🌈🔗

  • New audit: typosquat-uses detects uses: clauses that reference likely typoed actions (#1985)

    Many thanks to @​andrew for proposing and implementing this improvement!

  • New audit: unsound-ternary detects pseudo-ternary expressions that don't evaluate as expected (#2085)

    Many thanks to @​terror for proposing and implementing this improvement!

  • New audit: adhoc-packages detects run: steps that install packages in an ad-hoc manner (#2061)

    Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱🔗

Performance Improvements 🚄🔗

  • Most online audits are significantly faster, thanks to more precise retry handling (#2036) Bug Fixes 🐛🔗

  • Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

    Many thanks to @​fionn for implementing this fix!

  • Fixed a bug where ref-version-mismatch would fail to fully match some version comments (#2040)

  • Fixed a bug where dependabot-cooldown would fail to honor the user's configured days when performing autofixes (#2055)

  • Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute (#2059, #2069)

  • Fixed a bug where ref-version-mismatch would fail to identify some valid version comments (#2073)

  • Fixed a bug where unpinned-images would incorrectly flag empty matrix expansions as unpinned container image references (#2102)

  • Fixed a bug where unpinned-images would incorrectly flag some matrix expansions as unpinned (#2098)

  • The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now provide more correct/useful paths, particularly when the user provides a relative path as input to zizmor rather than zizmor . (#1748, #2095)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.26.1

This is a small corrective release for 1.26.0.

1.26.0

New Features 🌈

  • New audit: [typosquat-uses] detects #!yaml uses: clauses that reference likely typoed actions (#1985)

    Many thanks to @​andrew for proposing and implementing this improvement!

  • New audit: [unsound-ternary] detects pseudo-ternary expressions that don't evaluate as expected (#2085)

    Many thanks to @​terror for proposing and implementing this improvement!

  • New audit: [adhoc-packages] detects #!yaml run: steps that install packages in an ad-hoc manner (#2061)

    Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱

  • The [cache-poisoning] audit now detects additional cache disablement heuristics (#2053)

  • The [known-vulnerable-actions] audit is now configurable. See the configuration documentation for details (#2084)

  • The [excessive-permissions] audit is now aware of the code-quality permission (#2088)

  • The [unpinned-uses] audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. @v6) (#2127)

Performance Improvements 🚄

  • Most online audits are significantly faster, thanks to more precise retry handling (#2036)

Bug Fixes 🐛

  • Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

    Many thanks to @​fionn for implementing this fix!

  • Fixed a bug where [ref-version-mismatch] would fail to fully match some version comments (#2040)

... (truncated)

Commits

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Updates prek from 0.4.4 to 0.4.5

Release notes

Sourced from prek's releases.

0.4.5

Release Notes

Released on 2026-06-15.

✨Highlights

0.4.5 completes prek's pre-commit language coverage. With R, Conda, Perl, and coursier now supported, prek supports every language available in pre-commit, plus prek-only modern languages such as Bun and Deno.

This is full feature parity with pre-commit. The last major compatibility gap is closed, and prek is now on the path to 1.0.

💚 Sponsorship

If prek saves time for you or your team, please consider sponsoring the project on GitHub Sponsors. It helps keep new features, performance work, and maintenance moving.

Enhancements

  • Add Perl language support (#2201)
  • Add R language support (#2206)
  • Add Conda language support (#2203)
  • Add coursier language support (#2194)
  • Add group filters to list (#2152)
  • Remove legacy repo path support (#2150)
  • Skip cloning fully filtered remote repos (#2151)

Performance

  • Avoid building JSON trees in syntax hooks (#2156)
  • Scan mixed line endings without line vector (#2160)
  • Skip file scan for always-run no-filename hooks (#2155)
  • Use fixed buffer for EOF scan (#2163)
  • Use fixed buffer for private key scan (#2164)

Bug fixes

  • Fix pretty-format-json CRLF handling (#2210)
  • Handle missing blobs in diff snapshots (#2211)
  • Ignore coursier channel from working repo (#2202)

Contributors

Install prek 0.4.5

... (truncated)

Changelog

Sourced from prek's changelog.

0.4.5

Released on 2026-06-15.

✨Highlights

0.4.5 completes prek's pre-commit language coverage. With R, Conda, Perl, and coursier now supported, prek supports every language available in pre-commit, plus prek-only modern languages such as Bun and Deno.

This is full feature parity with pre-commit. The last major compatibility gap is closed, and prek is now on the path to 1.0.

💚 Sponsorship

If prek saves time for you or your team, please consider sponsoring the project on GitHub Sponsors. It helps keep new features, performance work, and maintenance moving.

Enhancements

  • Add Perl language support (#2201)
  • Add R language support (#2206)
  • Add Conda language support (#2203)
  • Add coursier language support (#2194)
  • Add group filters to list (#2152)
  • Remove legacy repo path support (#2150)
  • Skip cloning fully filtered remote repos (#2151)

Performance

  • Avoid building JSON trees in syntax hooks (#2156)
  • Scan mixed line endings without line vector (#2160)
  • Skip file scan for always-run no-filename hooks (#2155)
  • Use fixed buffer for EOF scan (#2163)
  • Use fixed buffer for private key scan (#2164)

Bug fixes

  • Fix pretty-format-json CRLF handling (#2210)
  • Handle missing blobs in diff snapshots (#2211)
  • Ignore coursier channel from working repo (#2202)

Contributors

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps-dev): bump the pip group across 1 directory with 5 updates
8a86875 
Bumps the pip group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.16` | `0.15.18` |
| [semgrep](https://github.com/semgrep/semgrep) | `1.165.0` | `1.167.0` |
| [zizmor](https://github.com/zizmorcore/zizmor) | `1.25.2` | `1.26.1` |
| [pytest](https://github.com/pytest-dev/pytest) | `9.0.3` | `9.1.1` |
| [prek](https://github.com/j178/prek) | `0.4.4` | `0.4.5` |



Updates `ruff` from 0.15.16 to 0.15.18
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.16...0.15.18)

Updates `semgrep` from 1.165.0 to 1.167.0
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.165.0...v1.167.0)

Updates `zizmor` from 1.25.2 to 1.26.1
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.25.2...v1.26.1)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `prek` from 0.4.4 to 0.4.5
- [Release notes](https://github.com/j178/prek/releases)
- [Changelog](https://github.com/j178/prek/blob/master/CHANGELOG.md)
- [Commits](j178/prek@v0.4.4...v0.4.5)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: semgrep
  dependency-version: 1.167.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: zizmor
  dependency-version: 1.26.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: prek
  dependency-version: 0.4.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants