Sourced from ruff's releases.

0.12.9

Release Notes

Preview features

• [airflow] Add check for airflow.secrets.cache.SecretCache (AIR301) (#17707)
• [ruff] Offer a safe fix for multi-digit zeros (RUF064) (#19847)

Bug fixes

• [flake8-blind-except] Fix BLE001 false-positive on raise ... from None (#19755)
• [flake8-comprehensions] Fix false positive for C420 with attribute, subscript, or slice assignment targets (#19513)
• [flake8-simplify] Fix handling of U+001C..U+001F whitespace (SIM905) (#19849)

Rule changes

• [pylint] Use lowercase hex characters to match the formatter (PLE2513) (#19808)

Documentation

• Fix lint.future-annotations link (#19876)

Other changes

• Build riscv64 binaries for release (#19819)

• Add rule code to error description in GitLab output (#19896)

• Improve rendering of the full output format (#19415)

  Below is an example diff for F401:

  -unused.py:8:19: F401 [*] `pathlib` imported but unused
  +F401 [*] `pathlib` imported but unused
  +  --> unused.py:8:19
      |
    7 | # Unused, _not_ marked as required (due to the alias).
    8 | import pathlib as non_alias
  -   |                   ^^^^^^^^^ F401
  +   |                   ^^^^^^^^^
    9 |
   10 | # Unused, marked as required.
      |
  -   = help: Remove unused import: `pathlib`
  +help: Remove unused import: `pathlib`
  

  For now, the primary difference is the movement of the filename, line number, and column information to a second line in the header. This new representation will allow us to make further additions to Ruff's diagnostics, such as adding sub-diagnostics and multiple annotations to the same snippet.

... (truncated)

Sourced from ruff's changelog.

0.12.9

Preview features

• [airflow] Add check for airflow.secrets.cache.SecretCache (AIR301) (#17707)
• [ruff] Offer a safe fix for multi-digit zeros (RUF064) (#19847)

Bug fixes

• [flake8-blind-except] Fix BLE001 false-positive on raise ... from None (#19755)
• [flake8-comprehensions] Fix false positive for C420 with attribute, subscript, or slice assignment targets (#19513)
• [flake8-simplify] Fix handling of U+001C..U+001F whitespace (SIM905) (#19849)

Rule changes

• [pylint] Use lowercase hex characters to match the formatter (PLE2513) (#19808)

Documentation

• Fix lint.future-annotations link (#19876)

Other changes

• Build riscv64 binaries for release (#19819)

• Add rule code to error description in GitLab output (#19896)

• Improve rendering of the full output format (#19415)

  Below is an example diff for F401:

  -unused.py:8:19: F401 [*] `pathlib` imported but unused
  +F401 [*] `pathlib` imported but unused
  +  --> unused.py:8:19
      |
    7 | # Unused, _not_ marked as required (due to the alias).
    8 | import pathlib as non_alias
  -   |                   ^^^^^^^^^ F401
  +   |                   ^^^^^^^^^
    9 |
   10 | # Unused, marked as required.
      |
  -   = help: Remove unused import: `pathlib`
  +help: Remove unused import: `pathlib`
  

  For now, the primary difference is the movement of the filename, line number, and column information to a second line in the header. This new representation will allow us to make further additions to Ruff's diagnostics, such as adding sub-diagnostics and multiple annotations to the same snippet.

• ef42246 Bump 0.12.9 (#19917)
• dc2e8ab [ty] support kw_only=True for dataclass() and field() (#19677)
• 9aaa82d Feature/build riscv64 bin (#19819)
• 3288ac2 [ty] Add caching to CodeGeneratorKind::matches() (#19912)
• 1167ed6 [ty] Rename functionArgumentNames to callArgumentNames inlay hint setting...
• 2ee47d8 [ty] Default ty.inlayHints.* server settings to true (#19910)
• d324ced [ty] Remove py-fuzzer skips for seeds that are no longer slow (#19906)
• 5a570c8 [ty] fix deferred name loading in PEP695 generic classes/functions (#19888)
• baadb5a [ty] Add some additional type safety to CycleDetector (#19903)
• df0648a [flake8-blind-except] Fix BLE001 false-positive on raise ... from None ...
• Additional commits viewable in compare view

Sourced from zizmor's releases.

v1.12.1

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning would incorrectly detect the opposite cases for cache enablement (#1081)

v1.12.0

New Features 🌈🔗

• New audit: unsound-condition detects if: conditions that inadvertently always evaluate to true (#1053)

Enhancements 🌱🔗

• The cache-poisoning audit now supports auto-fixes for many findings (#923)
• The known-vulnerable-actions audit now supports auto-fixes for many findings (#1019)
• zizmor is now stricter about parsing uses: clauses. In particular, zizmor will no longer accept uses: org/repo without a trailing @ref, as GitHub Actions itself does not accept this syntax (#1019)
• The use-trusted-publishing audit now detects many more patterns, including cargo publish and other run: blocks that make use of publishing commands directly (#1042)
• The insecure-commands audit now supports auto-fixes for many findings (#1045)
• The template-injection audit now detects more action injection sinks (#1059)

Bug Fixes 🐛🔗

• Fixed a bug where --fix would fail to preserve comments when modifying block-style YAML mappings (#995)
• Fixed a bug where zizmor would crash when given a GitHub API token with leading or trailing whitespace (#1027)
• Fixed a bug where template-injection findings in --fix mode would be incorrectly patched when referencing an env.* context (#1052)
• Fixed a bug where template-injection findings in --fix mode would be patched with shell syntax that didn't match the step's actual shell (#1064)

v1.11.1-rc1

No release notes provided.

Sourced from zizmor's changelog.

1.12.1

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] would incorrectly detect the opposite cases for cache enablement (#1081)

1.12.0

New Features 🌈

• New audit: [unsound-condition] detects if: conditions that inadvertently always evaluate to true (#1053)

Enhancements 🌱

• The [cache-poisoning] audit now supports auto-fixes for many findings (#923)
• The [known-vulnerable-actions] audit now supports auto-fixes for many findings (#1019)
• zizmor is now stricter about parsing uses: clauses. In particular, zizmor will no longer accept uses: org/repo without a trailing @ref, as GitHub Actions itself does not accept this syntax (#1019)
• The [use-trusted-publishing] audit now detects many more patterns, including cargo publish and other #!yaml run: blocks that make use of publishing commands directly (#1042)
• The [insecure-commands] audit now supports auto-fixes for many findings (#1045)
• The [template-injection] audit now detects more action injection sinks (#1059)

Bug Fixes 🐛

• Fixed a bug where --fix would fail to preserve comments when modifying block-style YAML mappings (#995)
• Fixed a bug where zizmor would crash when given a GitHub API token with leading or trailing whitespace (#1027)
• Fixed a bug where [template-injection] findings in --fix mode would be incorrectly patched when referencing an env.* context (#1052)
• Fixed a bug where [template-injection] findings in --fix mode would be patched with shell syntax that didn't match the step's actual shell (#1064)

• dbc12d4 chore: prep release v1.12.1 (#1083)
• 3113922 fix: flip setup-uv coordinate toggle (#1082)
• 703e9d9 fix(ci): fix release-binaries workflow (#1079)
• ad779b7 chore: bump MSRV (#1076)
• 6c13403 chore: fix warnings in latest Rust (#1075)
• 982be23 chore: prep for release v1.12.0 (#1073)
• d306c4a chore: bump github-actions-expressions to 0.0.9 (#1074)
• 42b0346 chore(deps): bump the github-actions group with 6 updates (#1071)
• 9f7bcae chore(deps): bump the cargo group with 7 updates (#1072)
• 2b036da chore(docs): fix indentation in workflow samples (#1068)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions