Sourced from ruff's releases.

0.12.1

Release Notes

Preview features

• [flake8-errmsg] Extend EM101 to support byte strings (#18867)
• [flake8-use-pathlib] Add autofix for PTH202 (#18763)
• [pygrep-hooks] Add AsyncMock methods to invalid-mock-access (PGH005) (#18547)
• [pylint] Ignore __init__.py files in (PLC0414) (#18400)
• [ruff] Trigger RUF037 for empty string and byte strings (#18862)
• [formatter] Fix missing blank lines before decorated classes in .pyi files (#18888)

Bug fixes

• Avoid generating diagnostics with per-file ignores (#18801)
• Handle parenthesized arguments in remove_argument (#18805)
• [flake8-logging] Avoid false positive for exc_info=True outside logger.exception (LOG014) (#18737)
• [flake8-pytest-style] Enforce pytest import for decorators (#18779)
• [flake8-pytest-style] Mark autofix for PT001 and PT023 as unsafe if there's comments in the decorator (#18792)
• [flake8-pytest-style] PT001/PT023 fix makes syntax error on parenthesized decorator (#18782)
• [flake8-raise] Make fix unsafe if it deletes comments (RSE102) (#18788)
• [flake8-simplify] Fix SIM911 autofix creating a syntax error (#18793)
• [flake8-simplify] Fix false negatives for shadowed bindings (SIM910, SIM911) (#18794)
• [flake8-simplify] Preserve original behavior for except () and bare except (SIM105) (#18213)
• [flake8-pyi] Fix PYI041's fix causing TypeError with None | None | ... (#18637)
• [perflint] Fix PERF101 autofix creating a syntax error and mark autofix as unsafe if there are comments in the list call expr (#18803)
• [perflint] Fix false negative in PERF401 (#18866)
• [pylint] Avoid flattening nested min/max when outer call has single argument (PLW3301) (#16885)
• [pylint] Fix PLC2801 autofix creating a syntax error (#18857)
• [pylint] Mark PLE0241 autofix as unsafe if there's comments in the base classes (#18832)
• [pylint] Suppress PLE2510/PLE2512/PLE2513/PLE2514/PLE2515 autofix if the text contains an odd number of backslashes (#18856)
• [refurb] Detect more exotic float literals in FURB164 (#18925)
• [refurb] Fix FURB163 autofix creating a syntax error for yield expressions (#18756)
• [refurb] Mark FURB129 autofix as unsafe if there's comments in the readlines call (#18858)
• [ruff] Fix false positives and negatives in RUF010 (#18690)
• Fix casing of analyze.direction variant names (#18892)

Rule changes

• Fix f-string interpolation escaping in generated fixes (#18882)
• [flake8-return] Mark RET501 fix unsafe if comments are inside (#18780)
• [flake8-async] Fix detection for large integer sleep durations in ASYNC116 rule (#18767)
• [flake8-async] Mark autofix for ASYNC115 as unsafe if the call expression contains comments (#18753)
• [flake8-bugbear] Mark autofix for B004 as unsafe if the hasattr call expr contains comments (#18755)
• [flake8-comprehension] Mark autofix for C420 as unsafe if there's comments inside the dict comprehension (#18768)
• [flake8-comprehensions] Handle template strings for comprehension fixes (#18710)
• [flake8-future-annotations] Add autofix (FA100) (#18903)
• [pyflakes] Mark F504/F522/F523 autofix as unsafe if there's a call with side effect (#18839)
• [pylint] Allow fix with comments and document performance implications (PLW3301) (#18936)
• [pylint] Detect more exotic NaN literals in PLW0177 (#18630)

... (truncated)

Sourced from ruff's changelog.

0.12.1

Preview features

• [flake8-errmsg] Extend EM101 to support byte strings (#18867)
• [flake8-use-pathlib] Add autofix for PTH202 (#18763)
• [pygrep-hooks] Add AsyncMock methods to invalid-mock-access (PGH005) (#18547)
• [pylint] Ignore __init__.py files in (PLC0414) (#18400)
• [ruff] Trigger RUF037 for empty string and byte strings (#18862)
• [formatter] Fix missing blank lines before decorated classes in .pyi files (#18888)

Bug fixes

• Avoid generating diagnostics with per-file ignores (#18801)
• Handle parenthesized arguments in remove_argument (#18805)
• [flake8-logging] Avoid false positive for exc_info=True outside logger.exception (LOG014) (#18737)
• [flake8-pytest-style] Enforce pytest import for decorators (#18779)
• [flake8-pytest-style] Mark autofix for PT001 and PT023 as unsafe if there's comments in the decorator (#18792)
• [flake8-pytest-style] PT001/PT023 fix makes syntax error on parenthesized decorator (#18782)
• [flake8-raise] Make fix unsafe if it deletes comments (RSE102) (#18788)
• [flake8-simplify] Fix SIM911 autofix creating a syntax error (#18793)
• [flake8-simplify] Fix false negatives for shadowed bindings (SIM910, SIM911) (#18794)
• [flake8-simplify] Preserve original behavior for except () and bare except (SIM105) (#18213)
• [flake8-pyi] Fix PYI041's fix causing TypeError with None | None | ... (#18637)
• [perflint] Fix PERF101 autofix creating a syntax error and mark autofix as unsafe if there are comments in the list call expr (#18803)
• [perflint] Fix false negative in PERF401 (#18866)
• [pylint] Avoid flattening nested min/max when outer call has single argument (PLW3301) (#16885)
• [pylint] Fix PLC2801 autofix creating a syntax error (#18857)
• [pylint] Mark PLE0241 autofix as unsafe if there's comments in the base classes (#18832)
• [pylint] Suppress PLE2510/PLE2512/PLE2513/PLE2514/PLE2515 autofix if the text contains an odd number of backslashes (#18856)
• [refurb] Detect more exotic float literals in FURB164 (#18925)
• [refurb] Fix FURB163 autofix creating a syntax error for yield expressions (#18756)
• [refurb] Mark FURB129 autofix as unsafe if there's comments in the readlines call (#18858)
• [ruff] Fix false positives and negatives in RUF010 (#18690)
• Fix casing of analyze.direction variant names (#18892)

Rule changes

• Fix f-string interpolation escaping in generated fixes (#18882)
• [flake8-return] Mark RET501 fix unsafe if comments are inside (#18780)
• [flake8-async] Fix detection for large integer sleep durations in ASYNC116 rule (#18767)
• [flake8-async] Mark autofix for ASYNC115 as unsafe if the call expression contains comments (#18753)
• [flake8-bugbear] Mark autofix for B004 as unsafe if the hasattr call expr contains comments (#18755)
• [flake8-comprehension] Mark autofix for C420 as unsafe if there's comments inside the dict comprehension (#18768)
• [flake8-comprehensions] Handle template strings for comprehension fixes (#18710)
• [flake8-future-annotations] Add autofix (FA100) (#18903)
• [pyflakes] Mark F504/F522/F523 autofix as unsafe if there's a call with side effect (#18839)
• [pylint] Allow fix with comments and document performance implications (PLW3301) (#18936)
• [pylint] Detect more exotic NaN literals in PLW0177 (#18630)
• [pylint] Fix PLC1802 autofix creating a syntax error and mark autofix as unsafe if there's comments in the len call (#18836)

... (truncated)

• 32c5418 Bump 0.12.1 (#18969)
• b85c219 [FastAPI] Add fix safety section to FAST002 (#18940)
• b1d1cf1 [ty] Add regression test for leading tab mis-alignment in diagnostic renderin...
• 1dcdf7f [ty] Resolve python environment in Options::to_program_settings (#18960)
• d006976 [ruff] Fix false positives and negatives in RUF010 (#18690)
• 76619b9 [ty] Fix rendering of long lines that are indented with tabs
• 6e25cfb [ty] Add regression test for diagnostic rendering panic
• 7638729 [ty] Move venv and conda env discovery to SearchPath::from_settings (#18938)
• d04e63a [ty] Add regression-benchmark for attribute-assignment hang (#18957)
• 86fd9b6 [ty] Format conflicting types as an enumeration (#18956)
• Additional commits viewable in compare view

Sourced from zizmor's releases.

v1.11.0

New Features 🌈🔗

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱🔗

• The bot-conditions audit now supports auto-fixes for many findings (#921)
• The bot-conditions audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈🔗

• New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

  • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱🔗

• The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
• The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
• The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
• The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
• The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
• zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
• The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
• The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
• The obfuscation audit now returns precise spans for flagged expressions (#969)
• The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛🔗

• The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
• The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
• Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
• Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱

• The [bot-conditions] audit now supports auto-fixes for many findings (#921)
• The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

• New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • [artipacked]: zizmor will attempt to add #!yaml persist-credentials: false to actions/checkout steps that do not already have it.

  • [template-injection]: zizmor will attempt to rewrite #!yaml run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate #!yaml env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

• 1cc8f93 chore: release 1.11.0 (#993)
• 44a27e2 feat: LSP skeleton code from #607 (#984)
• 5495af9 chore(deps): bump the github-actions group with 3 updates (#990)
• 86c4489 chore(deps): bump the cargo group with 3 updates (#991)
• ac6f6e2 bugfix: repro, #988 (#989)
• b98dcb1 chore: remove descriptions from fixes (#985)
• 42862eb Add Fix for bot-conditions audit rule (#921)
• b7500d1 refactor: move audit registration into AuditRegistry (#983)
• e90af3a chore(deps): bump http-cache-reqwest to 0.16.0 (#982)
• ab905e1 chore(deps): bump http-cache-reqwest to 0.15.2 (#980)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions