Sourced from ruff's releases.

0.13.2

Release Notes

Released on 2025-09-25.

Preview features

• [flake8-async] Implement blocking-path-method (ASYNC240) (#20264)
• [flake8-bugbear] Implement map-without-explicit-strict (B912) (#20429)
• [flake8-bultins] Detect class-scope builtin shadowing in decorators, default args, and attribute initializers (A003) (#20178)
• [ruff] Implement logging-eager-conversion (RUF065) (#19942)
• Include .pyw files by default when linting and formatting (#20458)

Bug fixes

• Deduplicate input paths (#20105)
• [flake8-comprehensions] Preserve trailing commas for single-element lists (C409) (#19571)
• [flake8-pyi] Avoid syntax error from conflict with PIE790 (PYI021) (#20010)
• [flake8-simplify] Correct fix for positive maxsplit without separator (SIM905) (#20056)
• [pyupgrade] Fix UP008 not to apply when __class__ is a local variable (#20497)
• [ruff] Fix B004 to skip invalid hasattr/getattr calls (#20486)
• [ruff] Replace -nan with nan when using the value to construct a Decimal (FURB164 ) (#20391)

Documentation

• Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
• Update import path to ruff-wasm-web (#20539)
• [flake8-bandit] Clarify the supported hashing functions (S324) (#20534)

Other changes

• [playground] Allow hover quick fixes to appear for overlapping diagnostics (#20527)
• [playground] Fix non‑BMP code point handling in quick fixes and markers (#20526)

Contributors

• @​BurntSushi
• @​mtshiba
• @​second-ed
• @​danparizher
• @​ShikChen
• @​PieterCK
• @​GDYendell
• @​RazerM
• @​TaKO8Ki
• @​amyreese
• @​ntbre
• @​MichaReiser

Install ruff 0.13.2

... (truncated)

Sourced from ruff's changelog.

0.13.2

Released on 2025-09-25.

Preview features

• [flake8-async] Implement blocking-path-method (ASYNC240) (#20264)
• [flake8-bugbear] Implement map-without-explicit-strict (B912) (#20429)
• [flake8-bultins] Detect class-scope builtin shadowing in decorators, default args, and attribute initializers (A003) (#20178)
• [ruff] Implement logging-eager-conversion (RUF065) (#19942)
• Include .pyw files by default when linting and formatting (#20458)

Bug fixes

• Deduplicate input paths (#20105)
• [flake8-comprehensions] Preserve trailing commas for single-element lists (C409) (#19571)
• [flake8-pyi] Avoid syntax error from conflict with PIE790 (PYI021) (#20010)
• [flake8-simplify] Correct fix for positive maxsplit without separator (SIM905) (#20056)
• [pyupgrade] Fix UP008 not to apply when __class__ is a local variable (#20497)
• [ruff] Fix B004 to skip invalid hasattr/getattr calls (#20486)
• [ruff] Replace -nan with nan when using the value to construct a Decimal (FURB164 ) (#20391)

Documentation

• Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
• Update import path to ruff-wasm-web (#20539)
• [flake8-bandit] Clarify the supported hashing functions (S324) (#20534)

Other changes

• [playground] Allow hover quick fixes to appear for overlapping diagnostics (#20527)
• [playground] Fix non‑BMP code point handling in quick fixes and markers (#20526)

Contributors

• @​BurntSushi
• @​mtshiba
• @​second-ed
• @​danparizher
• @​ShikChen
• @​PieterCK
• @​GDYendell
• @​RazerM
• @​TaKO8Ki
• @​amyreese
• @​ntbre
• @​MichaReiser

• b0bdf03 Bump 0.13.2 (#20576)
• 7331d39 Update rooster to 0.1.0 (#20575)
• 529e5fa [ty] Ecosystem analyzer: timing report (#20571)
• efbb80f [ty] Remove hack in protocol satisfiability check (#20568)
• 9f3cffc Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
• 21be94a [ty] Explicitly test assignability/subtyping between unions of nominal types ...
• b7d5dc9 [ty] Add tests for interactions of @classmethod, @staticmethod, and proto...
• e1bb74b [ty] Match variadic argument to variadic parameter (#20511)
• edeb458 [ty] fallback to resolve_real_module in file_to_module (#20461)
• bea92c8 [ty] More precise type inference for dictionary literals (#20523)
• Additional commits viewable in compare view

Sourced from zizmor's releases.

v1.14.2

Bug Fixes 🐛🔗

• Fixed a bug where the use-trusted-publishing audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

v1.14.1

Bug Fixes 🐛🔗

• Fixed a bug where the ref-version-mismatch would incorrectly show the wrong commit SHAs in its findings (#1183)

v1.14.0

New Features 🌈🔗

• New audit: ref-version-mismatch detects mismatches between hash-pinned action references and their version comments (#972)

  Many thanks to @​segiddins for implementing this audit!

Enhancements 🌱🔗

• zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

• The use-trusted-publishing audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

  Many thanks to @​KristianGrafana for implementing this improvement!

• The unsound-condition audit now supports auto-fixes for many findings (#1089)

  Many thanks to @​mostafa for implementing this improvement!

• zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

• Fixed a bug where the obfuscation audit would incorrectly flag some subexpressions as constant-reducible when they were not (#1170)

Deprecations ⚠️🔗

• The unknown values for --min-severity and --min-confidence are now deprecated. These values were already no-ops (and have been since introduction), and will be removed in a future release (#1164)

  Until removal, using these values will emit a warning.

Sourced from zizmor's changelog.

1.14.2

Bug Fixes 🐛

• Fixed a bug where the [use-trusted-publishing] audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

1.14.1

Bug Fixes 🐛

• Fixed a bug where the [ref-version-mismatch] would incorrectly show the wrong commit SHAs in its findings (#1183)

1.14.0

New Features 🌈

• New audit: [ref-version-mismatch] detects mismatches between hash-pinned action references and their version comments (#972)

  Many thanks to @​segiddins for implementing this audit!

Enhancements 🌱

• zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

• The [use-trusted-publishing] audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

  Many thanks to @​KristianGrafana for implementing this improvement!

• The [unsound-condition] audit now supports auto-fixes for many findings (#1089)

  Many thanks to @​mostafa for implementing this improvement!

• zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

• Fixed a bug where the [obfuscation] audit would incorrectly flag

... (truncated)

• 03af241 prep release 1.14.2 (#1193)
• 0b8b2b0 fix(use-trusted-publishing): eliminate FPs (#1192)
• 6c8b251 prep 1.14.1 (#1185)
• 15784e6 fix(ref-version-mismatch): correct commit SHA in audit message (#1183)
• cc88277 docs: bump trophies (#1182)
• b5334ce prep for 1.14.0 release (#1180)
• 48b8ece docs: document ref-version-mismatch audit (#1179)
• 9ed3607 fix(obfuscation): don't consider fromJSON(...) constant-reducible (#1178)
• ffd91b1 refactor: formalize input collection errors (#1169)
• 896470e docs: bump trophies (#1173)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions