build(deps): bump the test-and-lint-dependencies group with 2 updates #2858

Merged
merged 1 commit into from
Aug 19, 2025

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 19, 2025

Bumps the test-and-lint-dependencies group with 2 updates: ruff and zizmor.

Updates ruff from 0.12.8 to 0.12.9

Release notes

Sourced from ruff's releases.

0.12.9

Release Notes

Preview features

  • [airflow] Add check for airflow.secrets.cache.SecretCache (AIR301) (#17707)
  • [ruff] Offer a safe fix for multi-digit zeros (RUF064) (#19847)

Bug fixes

  • [flake8-blind-except] Fix BLE001 false-positive on raise ... from None (#19755)
  • [flake8-comprehensions] Fix false positive for C420 with attribute, subscript, or slice assignment targets (#19513)
  • [flake8-simplify] Fix handling of U+001C..U+001F whitespace (SIM905) (#19849)

Rule changes

  • [pylint] Use lowercase hex characters to match the formatter (PLE2513) (#19808)

Documentation

  • Fix lint.future-annotations link (#19876)

Other changes

  • Build riscv64 binaries for release (#19819)

  • Add rule code to error description in GitLab output (#19896)

  • Improve rendering of the full output format (#19415)

    Below is an example diff for F401:

    -unused.py:8:19: F401 [*] `pathlib` imported but unused
    +F401 [*] `pathlib` imported but unused
    +  --> unused.py:8:19
        |
      7 | # Unused, _not_ marked as required (due to the alias).
      8 | import pathlib as non_alias
    -   |                   ^^^^^^^^^ F401
    +   |                   ^^^^^^^^^
      9 |
     10 | # Unused, marked as required.
        |
    -   = help: Remove unused import: `pathlib`
    +help: Remove unused import: `pathlib`

    For now, the primary difference is the movement of the filename, line number, and column information to a second line in the header. This new representation will allow us to make further additions to Ruff's diagnostics, such as adding sub-diagnostics and multiple annotations to the same snippet.

... (truncated)

Commits
  • ef42246 Bump 0.12.9 (#19917)
  • dc2e8ab [ty] support kw_only=True for dataclass() and field() (#19677)
  • 9aaa82d Feature/build riscv64 bin (#19819)
  • 3288ac2 [ty] Add caching to CodeGeneratorKind::matches() (#19912)
  • 1167ed6 [ty] Rename functionArgumentNames to callArgumentNames inlay hint setting...
  • 2ee47d8 [ty] Default ty.inlayHints.* server settings to true (#19910)
  • d324ced [ty] Remove py-fuzzer skips for seeds that are no longer slow (#19906)
  • 5a570c8 [ty] fix deferred name loading in PEP695 generic classes/functions (#19888)
  • baadb5a [ty] Add some additional type safety to CycleDetector (#19903)
  • df0648a [flake8-blind-except] Fix BLE001 false-positive on raise ... from None ...
  • Additional commits viewable in compare view

Updates zizmor from 1.11.0 to 1.12.1

Release notes

Sourced from zizmor's releases.

v1.12.1

Bug Fixes 🐛

  • Fixed a bug where the cache-poisoning would incorrectly detect the opposite cases for cache enablement (#1081)

v1.12.0

New Features 🌈

Enhancements 🌱

  • The cache-poisoning audit now supports auto-fixes for many findings (#923)
  • The known-vulnerable-actions audit now supports auto-fixes for many findings (#1019)
  • zizmor is now stricter about parsing uses: clauses. In particular, zizmor will no longer accept uses: org/repo without a trailing @ref, as GitHub Actions itself does not accept this syntax (#1019)
  • The use-trusted-publishing audit now detects many more patterns, including cargo publish and other run: blocks that make use of publishing commands directly (#1042)
  • The insecure-commands audit now supports auto-fixes for many findings (#1045)
  • The template-injection audit now detects more action injection sinks (#1059)

Bug Fixes 🐛

  • Fixed a bug where --fix would fail to preserve comments when modifying block-style YAML mappings (#995)
  • Fixed a bug where zizmor would crash when given a GitHub API token with leading or trailing whitespace (#1027)
  • Fixed a bug where template-injection findings in --fix mode would be incorrectly patched when referencing an env.* context (#1052)
  • Fixed a bug where template-injection findings in --fix mode would be patched with shell syntax that didn't match the step's actual shell (#1064)

v1.11.1-rc1

No release notes provided.

Changelog

Sourced from zizmor's changelog.

1.12.1

Bug Fixes 🐛

  • Fixed a bug where the [cache-poisoning] would incorrectly detect the opposite cases for cache enablement (#1081)

1.12.0

New Features 🌈

  • New audit: [unsound-condition] detects if: conditions that inadvertently always evaluate to true (#1053)

Enhancements 🌱

  • The [cache-poisoning] audit now supports auto-fixes for many findings (#923)
  • The [known-vulnerable-actions] audit now supports auto-fixes for many findings (#1019)
  • zizmor is now stricter about parsing uses: clauses. In particular, zizmor will no longer accept uses: org/repo without a trailing @ref, as GitHub Actions itself does not accept this syntax (#1019)
  • The [use-trusted-publishing] audit now detects many more patterns, including cargo publish and other run: blocks that make use of publishing commands directly (#1042)
  • The [insecure-commands] audit now supports auto-fixes for many findings (#1045)
  • The [template-injection] audit now detects more action injection sinks (#1059)

Bug Fixes 🐛

  • Fixed a bug where --fix would fail to preserve comments when modifying block-style YAML mappings (#995)
  • Fixed a bug where zizmor would crash when given a GitHub API token with leading or trailing whitespace (#1027)
  • Fixed a bug where [template-injection] findings in --fix mode would be incorrectly patched when referencing an env.* context (#1052)
  • Fixed a bug where [template-injection] findings in --fix mode would be patched with shell syntax that didn't match the step's actual shell (#1064)
Commits

Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.12.8 to 0.12.9
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.12.8...0.12.9)

Updates `zizmor` from 1.11.0 to 1.12.1
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.11.0...v1.12.1)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.12.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Aug 19, 2025
@dependabot dependabot bot requested a review from a team as a code owner August 19, 2025 10:31
@coveralls
Coverage Status

coverage: 96.603%. remained the same
when pulling 3761717 on dependabot/pip/test-and-lint-dependencies-a84058891b
into ca979a6 on develop.

@jku jku merged commit e4e841f into develop Aug 19, 2025
17 checks passed
@dependabot dependabot bot deleted the dependabot/pip/test-and-lint-dependencies-a84058891b branch August 19, 2025 11:16