build(deps): bump the test-and-lint-dependencies group with 4 updates

[dependabot]

Bumps the test-and-lint-dependencies group with 4 updates: mypy, ruff, zizmor and coverage.

Updates mypy from 1.17.1 to 1.18.2

Changelog

Sourced from mypy's changelog.

Mypy 1.18.2

• Fix crash on recursive alias (Ivan Levkivskyi, PR 19845)
• Add additional guidance for stubtest errors when runtime is object.__init__ (Stephen Morton, PR 19733)
• Fix handling of None values in f-string expressions in mypyc (BobTheBuidler, PR 19846)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• Ali Hamdan
• Anthony Sottile
• BobTheBuidler
• Brian Schubert
• Chainfire
• Charlie Denton
• Christoph Tyralla
• CoolCat467
• Daniel Hnyk
• Emily
• Emma Smith
• Ethan Sarp
• Ivan Levkivskyi
• Jahongir Qurbonov
• Jelle Zijlstra
• Joren Hammudoglu
• Jukka Lehtosalo
• Marc Mueller
• Omer Hadari
• Piotr Sawicki
• PrinceNaroliya
• Randolf Scholz
• Robsdedude
• Saul Shanabrook
• Shantanu
• Stanislav Terliakov
• Stephen Morton
• wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

... (truncated)

Commits

• df05f05 remove +dev from version
• 01a7a12 Update changelog for 1.18.2 (#19873)
• ca5abf0 Typeshed cherry-pick: Make type of unitest.mock.Any a subclass of Any (#1...
• 9d794b5 [mypyc] fix: inappropriate Nones in f-strings (#19846)
• 2c0510c stubtest: additional guidance on errors when runtime is object.init (#19733)
• 2f3f03c Bump version to 1.18.2+dev for point release
• 7669841 Fix crash on recursive alias in indirection.py (#19845)
• 03fbaa9 bump version to 1.18.1 due to wheels failure
• b44a1fb removed +dev from version
• 7197a99 Removed Unreleased in the Changelog for Release 1.18 (#19827)
• Additional commits viewable in compare view

Updates ruff from 0.12.12 to 0.13.1

Release notes

Sourced from ruff's releases.

0.13.1

Release Notes

Released on 2025-09-18.

Preview features

• [flake8-simplify] Detect unnecessary None default for additional key expression types (SIM910) (#20343)
• [flake8-use-pathlib] Add fix for PTH123 (#20169)
• [flake8-use-pathlib] Fix PTH101, PTH104, PTH105, PTH121 fixes (#20143)
• [flake8-use-pathlib] Make PTH111 fix unsafe because it can change behavior (#20215)
• [pycodestyle] Fix E301 to only trigger for functions immediately within a class (#19768)
• [refurb] Mark single-item-membership-test fix as always unsafe (FURB171) (#20279)

Bug fixes

• Handle t-strings for token-based rules and suppression comments (#20357)
• [flake8-bandit] Fix truthiness: dict-only ** displays not truthy for shell (S602, S604, S609) (#20177)
• [flake8-simplify] Fix diagnostic to show correct method name for str.rsplit calls (SIM905) (#20459)
• [flynt] Use triple quotes for joined raw strings with newlines (FLY002) (#20197)
• [pyupgrade] Fix false positive when class name is shadowed by local variable (UP008) (#20427)
• [pyupgrade] Prevent infinite loop with I002 and UP026 (#20327)
• [ruff] Recognize t-strings, generators, and lambdas in invalid-index-type (RUF016) (#20213)

Rule changes

• [RUF102] Respect rule redirects in invalid rule code detection (#20245)
• [flake8-bugbear] Mark the fix for unreliable-callable-check as always unsafe (B004) (#20318)
• [ruff] Allow dataclass attribute value instantiation from nested frozen dataclass (RUF009) (#20352)

CLI

• Add fixes to output-format=sarif (#20300)
• Treat panics as fatal diagnostics, sort panics last (#20258)

Documentation

• [ruff] Add analyze.string-imports-min-dots to settings (#20375)
• Update README.md with Albumentations new repository URL (#20415)

Other changes

• Bump MSRV to Rust 1.88 (#20470)
• Enable inline noqa for multiline strings in playground (#20442)

Contributors

• @​chirizxc
• @​danparizher
• @​IDrokin117

... (truncated)

Changelog

Sourced from ruff's changelog.

0.13.1

Released on 2025-09-18.

Preview features

• [flake8-simplify] Detect unnecessary None default for additional key expression types (SIM910) (#20343)
• [flake8-use-pathlib] Add fix for PTH123 (#20169)
• [flake8-use-pathlib] Fix PTH101, PTH104, PTH105, PTH121 fixes (#20143)
• [flake8-use-pathlib] Make PTH111 fix unsafe because it can change behavior (#20215)
• [pycodestyle] Fix E301 to only trigger for functions immediately within a class (#19768)
• [refurb] Mark single-item-membership-test fix as always unsafe (FURB171) (#20279)

Bug fixes

• Handle t-strings for token-based rules and suppression comments (#20357)
• [flake8-bandit] Fix truthiness: dict-only ** displays not truthy for shell (S602, S604, S609) (#20177)
• [flake8-simplify] Fix diagnostic to show correct method name for str.rsplit calls (SIM905) (#20459)
• [flynt] Use triple quotes for joined raw strings with newlines (FLY002) (#20197)
• [pyupgrade] Fix false positive when class name is shadowed by local variable (UP008) (#20427)
• [pyupgrade] Prevent infinite loop with I002 and UP026 (#20327)
• [ruff] Recognize t-strings, generators, and lambdas in invalid-index-type (RUF016) (#20213)

Rule changes

• [RUF102] Respect rule redirects in invalid rule code detection (#20245)
• [flake8-bugbear] Mark the fix for unreliable-callable-check as always unsafe (B004) (#20318)
• [ruff] Allow dataclass attribute value instantiation from nested frozen dataclass (RUF009) (#20352)

CLI

• Add fixes to output-format=sarif (#20300)
• Treat panics as fatal diagnostics, sort panics last (#20258)

Documentation

• [ruff] Add analyze.string-imports-min-dots to settings (#20375)
• Update README.md with Albumentations new repository URL (#20415)

Other changes

• Bump MSRV to Rust 1.88 (#20470)
• Enable inline noqa for multiline strings in playground (#20442)

Contributors

• @​chirizxc
• @​danparizher
• @​IDrokin117
• @​amyreese

... (truncated)

Commits

• 706be0a Add pyproject.toml to rooster config version_files and bump to 0.13.1 (#2...
• 7b40428 Bump 0.13.1 (#20473)
• b9b5755 Upgrade to the latest rooster version and include contributors in CHANGELOG (...
• b4b5d67 [flynt] Use triple quotes for joined raw strings with newlines (FLY002) (...
• 0b60584 Bump MSRV to Rust 1.88 (#20470)
• 821b2f8 [refurb] Mark single-item-membership-test fix as always unsafe (FURB171...
• 1758f26 Update rust toolchain to 1.90 (#20469)
• 2502ff7 [ty] Make TypeIs invariant in its type argument (#20428)
• 144373f [flake8-use-pathlib] Fix PTH101, PTH104, PTH105, PTH121 fixes (#20143)
• 91995aa [pyupgrade] Fix false positive when class name is shadowed by local variabl...
• Additional commits viewable in compare view

Updates zizmor from 1.12.1 to 1.13.0

Release notes

Sourced from zizmor's releases.

v1.13.0

New Features 🌈🔗

• New audit: undocumented-permissions detects explicit permission grants that lack an explanatory comment (#1131)

  Many thanks to @​johnbillion for proposing and implementing this audit!

Enhancements 🌱🔗

• zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

  For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

  zizmor .
  zizmor .github/
  

  For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following commands will now behave differently:

  # OLD: would discover config in $CWD
  # NEW: will discover two different configs, one in each of the repos
  zizmor ./repoA ./repoB
  

  Separately from these changes, zizmor continues to support --config <path> and ZIZMOR_CONFIG with the exact same behavior as before.

  See Configuration - Discovery for a detailed explanation of the new behavior.

• Audit rules can now be disabled entirely in zizmor's configuration. See rules..disable for details (#1132)

• The obfuscation audit now supports auto-fixes for many findings (#1088)

Bug Fixes 🐛🔗

• zizmor now correctly honors --strict-collection when collecting from remote inputs. This also means that the default collection strictness has changed for remote inputs to match all other inputs (#1122)

• Fixed a bug where zizmor would crash on certain UTF-8 inputs lacking an explicit final newline due to a bug in the annotate-snippets crate (#1136)

Changelog

Sourced from zizmor's changelog.

1.13.0

New Features 🌈

• New audit: [undocumented-permissions] detects explicit permission grants that lack an explanatory comment (#1131)

  Many thanks to @​johnbillion for proposing and implementing this audit!

Enhancements 🌱

• zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

  For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

  zizmor .
  zizmor .github/

  For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following commands will now behave differently:

  # OLD: would discover config in $CWD
  # NEW: will discover two different configs, one in each of the repos
  zizmor ./repoA ./repoB

  Separately from these changes, zizmor continues to support --config <path> and ZIZMOR_CONFIG with the exact same behavior as before.

  See Configuration - Discovery for a detailed explanation of the new behavior.

• Audit rules can now be disabled entirely in zizmor's configuration. See rules.<id>.disable for details (#1132)

• The [obfuscation] audit now supports auto-fixes for many findings (#1088)

Bug Fixes 🐛

• zizmor now correctly honors --strict-collection when collecting from

... (truncated)

Commits

• bcaa1bb chore: prep for v1.13.0 release (#1147)
• 8057ef2 chore(docs): add tip about pedantic persona for template-injection (#1145)
• 3656303 chore(docs): update trophy qualification to 500 stars (#1144)
• e0ec65a Introduce a rule which suggests that permissions are documented (#1131)
• 4a92dfc refactor: move expr call APIs to a new module (#1143)
• 5a4d4e5 Add Fixes for obfuscation audit rule (#1088)
• 77d549d chore(deps): bump github/codeql-action in the github-actions group (#1140)
• 7384a42 chore(deps): bump the cargo group with 4 updates (#1141)
• 4d6c747 chore(docs): remove external links section, add crates.io link to footer (#1137)
• 8b5a358 bugfix(deps): bump annotate-snippets to 0.12.2 (#1136)
• Additional commits viewable in compare view

Updates coverage from 7.10.6 to 7.10.7

Changelog

Sourced from coverage's changelog.

Version 7.10.7 — 2025-09-21

• Performance: with branch coverage in large files, generating HTML, JSON, or LCOV reports could take far too long due to some quadratic behavior when creating the function and class index pages. This is now fixed, closing issue 2048_. Thanks to Daniel Diniz for help diagnosing the problem.

• Most warnings and a few errors now have links to a page in the docs explaining the specific message. Closes issue 1921_.

.. _issue 1921: nedbat/coveragepy#1921 .. _issue 2048: nedbat/coveragepy#2048

.. _changes_7-10-6:

Commits

• 92a2af5 docs: sample HTML for 7.10.7
• 952afda docs: prep for 7.10.7
• a301761 build: riscv64 wheels (#2055)
• 5daff8d docs: now source is formatted with ruff
• 04bbc3a docs: discuss cog in the contributing docs
• c181b93 build: use cog --check-fail-msg to instruct devs
• 33c4ba1 chore: make upgrade
• 0744b73 chore: bump the action-dependencies group across 1 directory with 2 updates (...
• 0d5a112 perf: bulk narrowing to avoid N**2. #2048
• a868ed9 docs: mention Python Discord on the index page
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions