Sourced from ruff's releases.

0.12.3

Release Notes

Preview features

• [flake8-bugbear] Support non-context-manager calls in B017 (#19063)
• [flake8-use-pathlib] Add autofixes for PTH100, PTH106, PTH107, PTH108, PTH110, PTH111, PTH112, PTH113, PTH114, PTH115, PTH117, PTH119, PTH120 (#19213)
• [flake8-use-pathlib] Add autofixes for PTH203, PTH204, PTH205 (#18922)

Bug fixes

• [flake8-return] Fix false-positive for variables used inside nested functions in RET504 (#18433)
• Treat form feed as valid whitespace before a line continuation (#19220)
• [flake8-type-checking] Fix syntax error introduced by fix (TC008) (#19150)
• [pyupgrade] Keyword arguments in super should suppress the UP008 fix (#19131)

Documentation

• [flake8-pyi] Make example error out-of-the-box (PYI007, PYI008) (#19103)
• [flake8-simplify] Make example error out-of-the-box (SIM116) (#19111)
• [flake8-type-checking] Make example error out-of-the-box (TC001) (#19151)
• [flake8-use-pathlib] Make example error out-of-the-box (PTH210) (#19189)
• [pycodestyle] Make example error out-of-the-box (E272) (#19191)
• [pycodestyle] Make example not raise unnecessary SyntaxError (E114) (#19190)
• [pydoclint] Make example error out-of-the-box (DOC501) (#19218)
• [pylint, pyupgrade] Fix syntax errors in examples (PLW1501, UP028) (#19127)
• [pylint] Update missing-maxsplit-arg docs and error to suggest proper usage (PLC0207) (#18949)
• [flake8-bandit] Make example error out-of-the-box (S412) (#19241)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​Gankra
• @​InSyncWithFoo
• @​LaBatata101
• @​MatthewMckee4
• @​MeGaGiGaGon
• @​MichaReiser
• @​NamelessGO
• @​UnboundVariable
• @​abhijeetbodas2001
• @​carljm
• @​charliermarsh
• @​chirizxc
• @​danparizher
• @​dhruvmanila
• @​fdosani
• @​github-actions
• @​ibraheemdev

... (truncated)

Sourced from ruff's changelog.

0.12.3

Preview features

• [flake8-bugbear] Support non-context-manager calls in B017 (#19063)
• [flake8-use-pathlib] Add autofixes for PTH100, PTH106, PTH107, PTH108, PTH110, PTH111, PTH112, PTH113, PTH114, PTH115, PTH117, PTH119, PTH120 (#19213)
• [flake8-use-pathlib] Add autofixes for PTH203, PTH204, PTH205 (#18922)

Bug fixes

• [flake8-return] Fix false-positive for variables used inside nested functions in RET504 (#18433)
• Treat form feed as valid whitespace before a line continuation (#19220)
• [flake8-type-checking] Fix syntax error introduced by fix (TC008) (#19150)
• [pyupgrade] Keyword arguments in super should suppress the UP008 fix (#19131)

Documentation

• [flake8-pyi] Make example error out-of-the-box (PYI007, PYI008) (#19103)
• [flake8-simplify] Make example error out-of-the-box (SIM116) (#19111)
• [flake8-type-checking] Make example error out-of-the-box (TC001) (#19151)
• [flake8-use-pathlib] Make example error out-of-the-box (PTH210) (#19189)
• [pycodestyle] Make example error out-of-the-box (E272) (#19191)
• [pycodestyle] Make example not raise unnecessary SyntaxError (E114) (#19190)
• [pydoclint] Make example error out-of-the-box (DOC501) (#19218)
• [pylint, pyupgrade] Fix syntax errors in examples (PLW1501, UP028) (#19127)
• [pylint] Update missing-maxsplit-arg docs and error to suggest proper usage (PLC0207) (#18949)
• [flake8-bandit] Make example error out-of-the-box (S412) (#19241)

0.12.2

Preview features

• [flake8-pyi] Expand Optional[A] to A | None (PYI016) (#18572)
• [pyupgrade] Mark UP008 fix safe if no comments are in range (#18683)

Bug fixes

• [flake8-comprehensions] Fix C420 to prepend whitespace when needed (#18616)
• [perflint] Fix PERF403 panic on attribute or subscription loop variable (#19042)
• [pydocstyle] Fix D413 infinite loop for parenthesized docstring (#18930)
• [pylint] Fix PLW0108 autofix introducing a syntax error when the lambda's body contains an assignment expression (#18678)
• [refurb] Fix false positive on empty tuples (FURB168) (#19058)
• [ruff] Allow more field calls from attrs (RUF009) (#19021)
• [ruff] Fix syntax error introduced for an empty string followed by a u-prefixed string (UP025) (#18899)

Rule changes

• [flake8-executable] Allow uvx in shebang line (EXE003) (#18967)
• [pandas] Avoid flagging PD002 if pandas is not imported (#18963)
• [pyupgrade] Avoid PEP-604 unions with typing.NamedTuple (UP007, UP045) (#18682)

... (truncated)

• 5bc81f2 Bump 0.12.3 (#19279)
• 6908e26 Filter ruff_linter::VERSION out of SARIF output tests (#19280)
• 25c4295 [ty] Avoid stale diagnostics for open files diagnostic mode (#19273)
• 426fa4b [ty] Add signature help provider to playground (#19276)
• b0b65c2 [ty] Initial implementation of signature help provider (#19194)
• 08bc6d2 Add simple integration tests for all output formats (#19265)
• f2ae12b [flake8-return] Fix false-positive for variables used inside nested functio...
• 965f415 [ty] Add a --quiet mode (#19233)
• 83b5bbf Treat form feed as valid whitespace before a line continuation (#19220)
• 87f6f08 [ty] Make check_file a salsa query (#19255)
• Additional commits viewable in compare view

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Optionally Check That Match Is Exhaustive

Mypy can now optionally generate an error if a match statement does not match exhaustively, without having to use assert_never(...). Enable this by using --enable-error-code exhaustive-match.

Example:

# mypy: enable-error-code=exhaustive-match
import enum
class Color(enum.Enum):
RED = 1
BLUE = 2
def show_color(val: Color) -> None:
# error: Unhandled case for values of type "Literal[Color.BLUE]"
match val:
case Color.RED:
print("red")

This feature was contributed by Donal Burns (PR 19144).

Further Improvements to Attribute Resolution

This release includes additional improvements to how attribute types and kinds are resolved. These fix many bugs and overall improve consistency.

• Handle corner case: protocol/class variable/descriptor (Ivan Levkivskyi, PR 19277)
• Fix a few inconsistencies in protocol/type object interactions (Ivan Levkivskyi, PR 19267)
• Refactor/unify access to static attributes (Ivan Levkivskyi, PR 19254)
• Remove inconsistencies in operator handling (Ivan Levkivskyi, PR 19250)
• Make protocol subtyping more consistent (Ivan Levkivskyi, PR 18943)

... (truncated)

• 0260991 Update version string
• 3901aa2 Updates to 1.17 changelog (#19436)
• 7d13396 Initial changelog for 1.17 release (#19427)
• a182dec Combine the revealed types of multiple iteration steps in a more robust manne...
• ab4fd57 Improve the handling of "iteration dependent" errors and notes in finally cla...
• 09ba1f6 [mypyc] Fix exception swallowing in async try/finally blocks with await (#19353)
• 5c65e33 [mypyc] Fix AttributeError in async try/finally with mixed return paths (#19361)
• 934ec50 Lessen dmypy suggest path limitations for Windows machines (#19337)
• a4801f9 Type ignore comments erroneously marked as unused by dmypy (#15043)
• c3bfa0d Handle corner case: protocol vs classvar vs descriptor (#19277)
• Additional commits viewable in compare view

Sourced from zizmor's releases.

v1.11.0

New Features 🌈🔗

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱🔗

• The bot-conditions audit now supports auto-fixes for many findings (#921)
• The bot-conditions audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈🔗

• New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

  • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱🔗

• The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
• The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
• The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
• The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
• The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
• zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
• The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
• The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
• The obfuscation audit now returns precise spans for flagged expressions (#969)
• The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛🔗

• The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
• The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
• Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
• Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱

• The [bot-conditions] audit now supports auto-fixes for many findings (#921)
• The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

• New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • [artipacked]: zizmor will attempt to add #!yaml persist-credentials: false to actions/checkout steps that do not already have it.

  • [template-injection]: zizmor will attempt to rewrite #!yaml run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate #!yaml env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

• 1cc8f93 chore: release 1.11.0 (#993)
• 44a27e2 feat: LSP skeleton code from #607 (#984)
• 5495af9 chore(deps): bump the github-actions group with 3 updates (#990)
• 86c4489 chore(deps): bump the cargo group with 3 updates (#991)
• ac6f6e2 bugfix: repro, #988 (#989)
• b98dcb1 chore: remove descriptions from fixes (#985)
• 42862eb Add Fix for bot-conditions audit rule (#921)
• b7500d1 refactor: move audit registration into AuditRegistry (#983)
• e90af3a chore(deps): bump http-cache-reqwest to 0.16.0 (#982)
• ab905e1 chore(deps): bump http-cache-reqwest to 0.15.2 (#980)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions