Skip to content

build(deps): bump the test-and-lint-dependencies group with 2 updates #2847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

build(deps): bump the test-and-lint-dependencies group with 2 updates #2847

wants to merge 1 commit into from
+2 −2

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 1, 2025
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps the test-and-lint-dependencies group with 2 updates: ruff and zizmor.

Updates ruff from 0.12.0 to 0.12.1

Release notes

Sourced from ruff's releases.

0.12.1

Release Notes

Preview features

  • [flake8-errmsg] Extend EM101 to support byte strings (#18867)
  • [flake8-use-pathlib] Add autofix for PTH202 (#18763)
  • [pygrep-hooks] Add AsyncMock methods to invalid-mock-access (PGH005) (#18547)
  • [pylint] Ignore __init__.py files in (PLC0414) (#18400)
  • [ruff] Trigger RUF037 for empty string and byte strings (#18862)
  • [formatter] Fix missing blank lines before decorated classes in .pyi files (#18888)

Bug fixes

  • Avoid generating diagnostics with per-file ignores (#18801)
  • Handle parenthesized arguments in remove_argument (#18805)
  • [flake8-logging] Avoid false positive for exc_info=True outside logger.exception (LOG014) (#18737)
  • [flake8-pytest-style] Enforce pytest import for decorators (#18779)
  • [flake8-pytest-style] Mark autofix for PT001 and PT023 as unsafe if there's comments in the decorator (#18792)
  • [flake8-pytest-style] PT001/PT023 fix makes syntax error on parenthesized decorator (#18782)
  • [flake8-raise] Make fix unsafe if it deletes comments (RSE102) (#18788)
  • [flake8-simplify] Fix SIM911 autofix creating a syntax error (#18793)
  • [flake8-simplify] Fix false negatives for shadowed bindings (SIM910, SIM911) (#18794)
  • [flake8-simplify] Preserve original behavior for except () and bare except (SIM105) (#18213)
  • [flake8-pyi] Fix PYI041's fix causing TypeError with None | None | ... (#18637)
  • [perflint] Fix PERF101 autofix creating a syntax error and mark autofix as unsafe if there are comments in the list call expr (#18803)
  • [perflint] Fix false negative in PERF401 (#18866)
  • [pylint] Avoid flattening nested min/max when outer call has single argument (PLW3301) (#16885)
  • [pylint] Fix PLC2801 autofix creating a syntax error (#18857)
  • [pylint] Mark PLE0241 autofix as unsafe if there's comments in the base classes (#18832)
  • [pylint] Suppress PLE2510/PLE2512/PLE2513/PLE2514/PLE2515 autofix if the text contains an odd number of backslashes (#18856)
  • [refurb] Detect more exotic float literals in FURB164 (#18925)
  • [refurb] Fix FURB163 autofix creating a syntax error for yield expressions (#18756)
  • [refurb] Mark FURB129 autofix as unsafe if there's comments in the readlines call (#18858)
  • [ruff] Fix false positives and negatives in RUF010 (#18690)
  • Fix casing of analyze.direction variant names (#18892)

Rule changes

  • Fix f-string interpolation escaping in generated fixes (#18882)
  • [flake8-return] Mark RET501 fix unsafe if comments are inside (#18780)
  • [flake8-async] Fix detection for large integer sleep durations in ASYNC116 rule (#18767)
  • [flake8-async] Mark autofix for ASYNC115 as unsafe if the call expression contains comments (#18753)
  • [flake8-bugbear] Mark autofix for B004 as unsafe if the hasattr call expr contains comments (#18755)
  • [flake8-comprehension] Mark autofix for C420 as unsafe if there's comments inside the dict comprehension (#18768)
  • [flake8-comprehensions] Handle template strings for comprehension fixes (#18710)
  • [flake8-future-annotations] Add autofix (FA100) (#18903)
  • [pyflakes] Mark F504/F522/F523 autofix as unsafe if there's a call with side effect (#18839)
  • [pylint] Allow fix with comments and document performance implications (PLW3301) (#18936)
  • [pylint] Detect more exotic NaN literals in PLW0177 (#18630)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.1

Preview features

  • [flake8-errmsg] Extend EM101 to support byte strings (#18867)
  • [flake8-use-pathlib] Add autofix for PTH202 (#18763)
  • [pygrep-hooks] Add AsyncMock methods to invalid-mock-access (PGH005) (#18547)
  • [pylint] Ignore __init__.py files in (PLC0414) (#18400)
  • [ruff] Trigger RUF037 for empty string and byte strings (#18862)
  • [formatter] Fix missing blank lines before decorated classes in .pyi files (#18888)

Bug fixes

  • Avoid generating diagnostics with per-file ignores (#18801)
  • Handle parenthesized arguments in remove_argument (#18805)
  • [flake8-logging] Avoid false positive for exc_info=True outside logger.exception (LOG014) (#18737)
  • [flake8-pytest-style] Enforce pytest import for decorators (#18779)
  • [flake8-pytest-style] Mark autofix for PT001 and PT023 as unsafe if there's comments in the decorator (#18792)
  • [flake8-pytest-style] PT001/PT023 fix makes syntax error on parenthesized decorator (#18782)
  • [flake8-raise] Make fix unsafe if it deletes comments (RSE102) (#18788)
  • [flake8-simplify] Fix SIM911 autofix creating a syntax error (#18793)
  • [flake8-simplify] Fix false negatives for shadowed bindings (SIM910, SIM911) (#18794)
  • [flake8-simplify] Preserve original behavior for except () and bare except (SIM105) (#18213)
  • [flake8-pyi] Fix PYI041's fix causing TypeError with None | None | ... (#18637)
  • [perflint] Fix PERF101 autofix creating a syntax error and mark autofix as unsafe if there are comments in the list call expr (#18803)
  • [perflint] Fix false negative in PERF401 (#18866)
  • [pylint] Avoid flattening nested min/max when outer call has single argument (PLW3301) (#16885)
  • [pylint] Fix PLC2801 autofix creating a syntax error (#18857)
  • [pylint] Mark PLE0241 autofix as unsafe if there's comments in the base classes (#18832)
  • [pylint] Suppress PLE2510/PLE2512/PLE2513/PLE2514/PLE2515 autofix if the text contains an odd number of backslashes (#18856)
  • [refurb] Detect more exotic float literals in FURB164 (#18925)
  • [refurb] Fix FURB163 autofix creating a syntax error for yield expressions (#18756)
  • [refurb] Mark FURB129 autofix as unsafe if there's comments in the readlines call (#18858)
  • [ruff] Fix false positives and negatives in RUF010 (#18690)
  • Fix casing of analyze.direction variant names (#18892)

Rule changes

  • Fix f-string interpolation escaping in generated fixes (#18882)
  • [flake8-return] Mark RET501 fix unsafe if comments are inside (#18780)
  • [flake8-async] Fix detection for large integer sleep durations in ASYNC116 rule (#18767)
  • [flake8-async] Mark autofix for ASYNC115 as unsafe if the call expression contains comments (#18753)
  • [flake8-bugbear] Mark autofix for B004 as unsafe if the hasattr call expr contains comments (#18755)
  • [flake8-comprehension] Mark autofix for C420 as unsafe if there's comments inside the dict comprehension (#18768)
  • [flake8-comprehensions] Handle template strings for comprehension fixes (#18710)
  • [flake8-future-annotations] Add autofix (FA100) (#18903)
  • [pyflakes] Mark F504/F522/F523 autofix as unsafe if there's a call with side effect (#18839)
  • [pylint] Allow fix with comments and document performance implications (PLW3301) (#18936)
  • [pylint] Detect more exotic NaN literals in PLW0177 (#18630)
  • [pylint] Fix PLC1802 autofix creating a syntax error and mark autofix as unsafe if there's comments in the len call (#18836)

... (truncated)

Commits
  • 32c5418 Bump 0.12.1 (#18969)
  • b85c219 [FastAPI] Add fix safety section to FAST002 (#18940)
  • b1d1cf1 [ty] Add regression test for leading tab mis-alignment in diagnostic renderin...
  • 1dcdf7f [ty] Resolve python environment in Options::to_program_settings (#18960)
  • d006976 [ruff] Fix false positives and negatives in RUF010 (#18690)
  • 76619b9 [ty] Fix rendering of long lines that are indented with tabs
  • 6e25cfb [ty] Add regression test for diagnostic rendering panic
  • 7638729 [ty] Move venv and conda env discovery to SearchPath::from_settings (#18938)
  • d04e63a [ty] Add regression-benchmark for attribute-assignment hang (#18957)
  • 86fd9b6 [ty] Format conflicting types as an enumeration (#18956)
  • Additional commits viewable in compare view

Updates zizmor from 1.9.0 to 1.11.0

Release notes

Sourced from zizmor's releases.

v1.11.0

New Features 🌈🔗

Enhancements 🌱🔗

Bug Fixes 🐛🔗

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈🔗

  • New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @​andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱🔗

  • The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
  • The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
  • The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
  • The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
  • The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
  • zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
  • The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
  • The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
  • The obfuscation audit now returns precise spans for flagged expressions (#969)
  • The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛🔗

  • The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
  • The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
  • Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
  • Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)
Changelog

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

Enhancements 🌱

  • The [bot-conditions] audit now supports auto-fixes for many findings (#921)
  • The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @​andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • [artipacked]: zizmor will attempt to add #!yaml persist-credentials: false to actions/checkout steps that do not already have it.

    • [template-injection]: zizmor will attempt to rewrite #!yaml run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate #!yaml env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the test-and-lint-dependencies group with 2 updates
f3f21af 
Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.12.0 to 0.12.1
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.12.0...0.12.1)

Updates `zizmor` from 1.9.0 to 1.11.0
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.9.0...v1.11.0)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.12.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 1, 2025
@dependabot dependabot bot requested a review from a team as a code owner July 1, 2025 01:08
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Jul 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants