Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

build(deps): bump the test-and-lint-dependencies group with 3 updates

Merged
Number: #2839
Type: Pull Request
State: Merged
Author: dependabot[bot] dependabot[bot]
Association: Contributor
Comments: 0
Created: June 02, 2025 at 09:52 PM UTC
(about 1 year ago)
Updated: June 03, 2025 at 09:34 AM UTC
(about 1 year ago)
Merged: June 03, 2025 at 09:34 AM UTC
(about 1 year ago)
by jku
Time to Close: about 12 hours
Labels:
dependencies python
Description:

Bumps the test-and-lint-dependencies group with 3 updates: ruff, mypy and zizmor.

Updates ruff from 0.11.11 to 0.11.12

Release notes

Sourced from ruff's releases.

0.11.12

Release Notes

Preview features

  • [airflow] Revise fix titles (AIR3) (#18215)
  • [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
  • [pyupgrade] New rule UP050 (useless-class-metaclass-type) (#18334)
  • [flake8-use-pathlib] Replace os.symlink with Path.symlink_to (PTH211) (#18337)

Bug fixes

  • [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
  • [flake8-async] Fix anyio.sleep argument name (ASYNC115, ASYNC116) (#18262)
  • [refurb] Fix FURB129 autofix generating invalid syntax (#18235)

Rule changes

  • [flake8-implicit-str-concat] Add autofix for ISC003 (#18256)
  • [pycodestyle] Improve the diagnostic message for E712 (#18328)
  • [flake8-2020] Fix diagnostic message for != comparisons (YTT201) (#18293)
  • [pyupgrade] Make fix unsafe if it deletes comments (UP010) (#18291)

Documentation

  • Simplify rules table to improve readability (#18297)
  • Update editor integrations link in README (#17977)
  • [flake8-bugbear] Add fix safety section (B006) (#17652)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.11.12

Preview features

  • [airflow] Revise fix titles (AIR3) (#18215)
  • [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
  • [pyupgrade] New rule UP050 (useless-class-metaclass-type) (#18334)
  • [flake8-use-pathlib] Replace os.symlink with Path.symlink_to (PTH211) (#18337)

Bug fixes

  • [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
  • [flake8-async] Fix anyio.sleep argument name (ASYNC115, ASYNC116) (#18262)
  • [refurb] Fix FURB129 autofix generating invalid syntax (#18235)

Rule changes

  • [flake8-implicit-str-concat] Add autofix for ISC003 (#18256)
  • [pycodestyle] Improve the diagnostic message for E712 (#18328)
  • [flake8-2020] Fix diagnostic message for != comparisons (YTT201) (#18293)
  • [pyupgrade] Make fix unsafe if it deletes comments (UP010) (#18291)

Documentation

  • Simplify rules table to improve readability (#18297)
  • Update editor integrations link in README (#17977)
  • [flake8-bugbear] Add fix safety section (B006) (#17652)
Commits
  • aee3af0 Bump 0.11.12 (#18369)
  • 04dc48e [refurb] Fix FURB129 autofix generating invalid syntax (#18235)
  • 27743ef [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
  • c60b4d7 [ty] Add subtyping between Callable types and class literals with __init__ ...
  • 16621fa [flake8-bugbear ] Add fix safety section (B006) (#17652)
  • e23d4ea [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
  • 452f992 [ty] Simplify signature types, use them in CallableType (#18344)
  • a5ebb3f [ty] Support ephemeral uv virtual environments (#18335)
  • 9925910 Add a ViolationMetadata::rule method (#18234)
  • a3ee6bb Return DiagnosticGuard from Checker::report_diagnostic (#18232)
  • Additional commits viewable in compare view

Updates mypy from 1.15.0 to 1.16.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.16

We’ve just uploaded mypy 1.16 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Different Property Getter and Setter Types

Mypy now supports using different types for a property getter and setter:

class A:
    _value: int

@property
def foo(self) -> int:
    return self._value

@foo.setter

def foo(self, x: str | int) -> None:

try:

self._value = int(x)

except ValueError:

raise Exception(f"'{x}' is not a valid value for 'foo'")

This was contributed by Ivan Levkivskyi (PR 18510).

Flexible Variable Redefinitions (Experimental)

Mypy now allows unannotated variables to be freely redefined with different types when using the experimental --allow-redefinition-new flag. You will also need to enable --local-partial-types. Mypy will now infer a union type when different types are assigned to a variable:

# mypy: allow-redefinition-new, local-partial-types

def f(n: int, b: bool) -> int | str:
if b:
x = n
else:
</tr></table>

... (truncated)

Commits
  • 9e72e96 Update version to 1.16.0
  • 8fe719f Add changelog for 1.16 (#19138)
  • 2a036e7 Revert "Infer correct types with overloads of Type[Guard | Is] (#19161)
  • b6da4fc Allow enum members to have type objects as values (#19160)
  • 334469f [mypyc] Improve documentation of native and non-native classes (#19154)
  • a499d9f Document --allow-redefinition-new (#19153)
  • 96525a2 Merge commit '9e45dadcf6d8dbab36f83d9df94a706c0b4f9207' into release-1.16
  • 9e45dad Clear more data in TypeChecker.reset() instead of asserting (#19087)
  • 772cd0c Add --strict-bytes to --strict (#19049)
  • 0b65f21 Admit that Final variables are never redefined (#19083)
  • Additional commits viewable in compare view

Updates zizmor from 1.7.0 to 1.9.0

Release notes

Sourced from zizmor's releases.

v1.9.0

New Features 🌈🔗

  • zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱🔗

  • The template-injection audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
  • The template-injection audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛🔗

  • The insecure-commands now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
  • The template-injection audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
  • CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)

v1.8.0

Announcements 📣🔗

  • zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)

  • zizmor is now hosted under the @​zizmorcore GitHub organization as zizmorcore/zizmor. The old repository at woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion

New Features 🌈🔗

  • zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)

Bug Fixes 🐛🔗

v1.8.0-rc3

No release notes provided.

v1.8.0-rc1

No release notes provided.

v1.8.0-rc0

No release notes provided.

Changelog

Sourced from zizmor's changelog.

1.9.0

New Features 🌈

  • zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱

  • The [template-injection] audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
  • The [template-injection] audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛

  • The [insecure-commands] now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
  • The [template-injection] audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
  • CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)

v1.8.0

Announcements 📣

  • zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)

  • zizmor is now hosted under the @​zizmorcore GitHub organization as @​zizmorcore/zizmor. The old repository at @​woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion

New Features 🌈

  • zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)

Bug Fixes 🐛

  • The [template-injection] audit no longer produces false positive findings on alternative representations of the same context pattern. For example, github.event.pull_request.head.sha is considered safe

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
Pull Request Statistics
Commits:
1
Files Changed:
1
Additions:
+3
Deletions:
-3
Package Dependencies
Package:
mypy
Ecosystem:
pip
Version Change:
1.15.0 → 1.16.0
Update Type:
Minor
Package:
ruff
Ecosystem:
pip
Version Change:
0.11.11 → 0.11.12
Update Type:
Patch
Package:
zizmor
Ecosystem:
pip
Version Change:
1.7.0 → 1.9.0
Update Type:
Minor
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 1249944
UUID: 2562029390
Node ID: PR_kwDOAHkylc6YtXdO
Host: GitHub
Repository: theupdateframework/python-tuf
Merge State: Unknown