Skip to content

build(deps): bump the test-and-lint-dependencies group with 2 updates #1031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 30, 2025
Merged

build(deps): bump the test-and-lint-dependencies group with 2 updates #1031

merged 1 commit into from
Sep 30, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 30, 2025

Bumps the test-and-lint-dependencies group with 2 updates: ruff and zizmor.

Updates ruff from 0.13.1 to 0.13.2

Release notes

Sourced from ruff's releases.

0.13.2

Release Notes

Released on 2025-09-25.

Preview features

  • [flake8-async] Implement blocking-path-method (ASYNC240) (#20264)
  • [flake8-bugbear] Implement map-without-explicit-strict (B912) (#20429)
  • [flake8-bultins] Detect class-scope builtin shadowing in decorators, default args, and attribute initializers (A003) (#20178)
  • [ruff] Implement logging-eager-conversion (RUF065) (#19942)
  • Include .pyw files by default when linting and formatting (#20458)

Bug fixes

  • Deduplicate input paths (#20105)
  • [flake8-comprehensions] Preserve trailing commas for single-element lists (C409) (#19571)
  • [flake8-pyi] Avoid syntax error from conflict with PIE790 (PYI021) (#20010)
  • [flake8-simplify] Correct fix for positive maxsplit without separator (SIM905) (#20056)
  • [pyupgrade] Fix UP008 not to apply when __class__ is a local variable (#20497)
  • [ruff] Fix B004 to skip invalid hasattr/getattr calls (#20486)
  • [ruff] Replace -nan with nan when using the value to construct a Decimal (FURB164 ) (#20391)

Documentation

  • Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
  • Update import path to ruff-wasm-web (#20539)
  • [flake8-bandit] Clarify the supported hashing functions (S324) (#20534)

Other changes

  • [playground] Allow hover quick fixes to appear for overlapping diagnostics (#20527)
  • [playground] Fix non‑BMP code point handling in quick fixes and markers (#20526)

Contributors

Install ruff 0.13.2

... (truncated)

Changelog

Sourced from ruff's changelog.

0.13.2

Released on 2025-09-25.

Preview features

  • [flake8-async] Implement blocking-path-method (ASYNC240) (#20264)
  • [flake8-bugbear] Implement map-without-explicit-strict (B912) (#20429)
  • [flake8-bultins] Detect class-scope builtin shadowing in decorators, default args, and attribute initializers (A003) (#20178)
  • [ruff] Implement logging-eager-conversion (RUF065) (#19942)
  • Include .pyw files by default when linting and formatting (#20458)

Bug fixes

  • Deduplicate input paths (#20105)
  • [flake8-comprehensions] Preserve trailing commas for single-element lists (C409) (#19571)
  • [flake8-pyi] Avoid syntax error from conflict with PIE790 (PYI021) (#20010)
  • [flake8-simplify] Correct fix for positive maxsplit without separator (SIM905) (#20056)
  • [pyupgrade] Fix UP008 not to apply when __class__ is a local variable (#20497)
  • [ruff] Fix B004 to skip invalid hasattr/getattr calls (#20486)
  • [ruff] Replace -nan with nan when using the value to construct a Decimal (FURB164 ) (#20391)

Documentation

  • Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
  • Update import path to ruff-wasm-web (#20539)
  • [flake8-bandit] Clarify the supported hashing functions (S324) (#20534)

Other changes

  • [playground] Allow hover quick fixes to appear for overlapping diagnostics (#20527)
  • [playground] Fix non‑BMP code point handling in quick fixes and markers (#20526)

Contributors

Commits
  • b0bdf03 Bump 0.13.2 (#20576)
  • 7331d39 Update rooster to 0.1.0 (#20575)
  • 529e5fa [ty] Ecosystem analyzer: timing report (#20571)
  • efbb80f [ty] Remove hack in protocol satisfiability check (#20568)
  • 9f3cffc Add 'Finding ways to help' to CONTRIBUTING.md (#20567)
  • 21be94a [ty] Explicitly test assignability/subtyping between unions of nominal types ...
  • b7d5dc9 [ty] Add tests for interactions of @classmethod, @staticmethod, and proto...
  • e1bb74b [ty] Match variadic argument to variadic parameter (#20511)
  • edeb458 [ty] fallback to resolve_real_module in file_to_module (#20461)
  • bea92c8 [ty] More precise type inference for dictionary literals (#20523)
  • Additional commits viewable in compare view

Updates zizmor from 1.13.0 to 1.14.2

Release notes

Sourced from zizmor's releases.

v1.14.2

Bug Fixes 🐛🔗

  • Fixed a bug where the use-trusted-publishing audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

v1.14.1

Bug Fixes 🐛🔗

v1.14.0

New Features 🌈🔗

Enhancements 🌱🔗

  • zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

  • The use-trusted-publishing audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

    Many thanks to @​KristianGrafana for implementing this improvement!

  • The unsound-condition audit now supports auto-fixes for many findings (#1089)

    Many thanks to @​mostafa for implementing this improvement!

  • zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛🔗

  • Fixed a bug where the cache-poisoning audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

  • Fixed a bug where the obfuscation audit would incorrectly flag some subexpressions as constant-reducible when they were not (#1170)

Deprecations ⚠️🔗

  • The unknown values for --min-severity and --min-confidence are now deprecated. These values were already no-ops (and have been since introduction), and will be removed in a future release (#1164)

    Until removal, using these values will emit a warning.

Changelog

Sourced from zizmor's changelog.

1.14.2

Bug Fixes 🐛

  • Fixed a bug where the [use-trusted-publishing] audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

1.14.1

Bug Fixes 🐛

  • Fixed a bug where the [ref-version-mismatch] would incorrectly show the wrong commit SHAs in its findings (#1183)

1.14.0

New Features 🌈

  • New audit: [ref-version-mismatch] detects mismatches between hash-pinned action references and their version comments (#972)

    Many thanks to @​segiddins for implementing this audit!

Enhancements 🌱

  • zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

  • The [use-trusted-publishing] audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

    Many thanks to @​KristianGrafana for implementing this improvement!

  • The [unsound-condition] audit now supports auto-fixes for many findings (#1089)

    Many thanks to @​mostafa for implementing this improvement!

  • zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛

  • Fixed a bug where the [cache-poisoning] audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

  • Fixed a bug where the [obfuscation] audit would incorrectly flag

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the test-and-lint-dependencies group with 2 updates
c629161 
Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.13.1 to 0.13.2
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.13.1...0.13.2)

Updates `zizmor` from 1.13.0 to 1.14.2
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.13.0...v1.14.2)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.13.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.14.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Sep 30, 2025
@lukpueh lukpueh merged commit 1bbb946 into main Sep 30, 2025
20 checks passed
@dependabot dependabot bot deleted the dependabot/pip/test-and-lint-dependencies-6a8176b16a branch September 30, 2025 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukpueh lukpueh lukpueh approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukpueh