build(deps): bump the dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the dependencies group with 4 updates in the / directory: ruff, mypy, zizmor and coverage[toml].

Updates ruff from 0.12.0 to 0.12.5

Release notes

Sourced from ruff's releases.

0.12.5

Release Notes

Preview features

• [flake8-use-pathlib] Add autofix for PTH101, PTH104, PTH105, PTH121 (#19404)
• [ruff] Support byte strings (RUF055) (#18926)

Bug fixes

• Fix unreachable panic in parser (#19183)
• [flake8-pyi] Skip fix if all Union members are None (PYI016) (#19416)
• [perflint] Parenthesize generator expressions (PERF401) (#19325)
• [pylint] Handle empty comments after line continuation (PLR2044) (#19405)

Rule changes

• [pep8-naming] Fix N802 false positives for CGIHTTPRequestHandler and SimpleHTTPRequestHandler (#19432)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​CodeMan62
• @​Gankra
• @​MichaReiser
• @​UnboundVariable
• @​chirizxc
• @​danparizher
• @​dcreager
• @​dhruvmanila
• @​dylwil3
• @​github-actions
• @​ibraheemdev
• @​ntBre
• @​oconnor663
• @​renovate
• @​sharkdp
• @​soundsonacid
• @​thejchap

Install ruff 0.12.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.12.5/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.5

Preview features

• [flake8-use-pathlib] Add autofix for PTH101, PTH104, PTH105, PTH121 (#19404)
• [ruff] Support byte strings (RUF055) (#18926)

Bug fixes

• Fix unreachable panic in parser (#19183)
• [flake8-pyi] Skip fix if all Union members are None (PYI016) (#19416)
• [perflint] Parenthesize generator expressions (PERF401) (#19325)
• [pylint] Handle empty comments after line continuation (PLR2044) (#19405)

Rule changes

• [pep8-naming] Fix N802 false positives for CGIHTTPRequestHandler and SimpleHTTPRequestHandler (#19432)

0.12.4

Preview features

• [flake8-type-checking, pyupgrade, ruff] Add from __future__ import annotations when it would allow new fixes (TC001, TC002, TC003, UP037, RUF013) (#19100)
• [flake8-use-pathlib] Add autofix for PTH109 (#19245)
• [pylint] Detect indirect pathlib.Path usages for unspecified-encoding (PLW1514) (#19304)

Bug fixes

• [flake8-bugbear] Fix B017 false negatives for keyword exception arguments (#19217)
• [flake8-use-pathlib] Fix false negative on direct Path() instantiation (PTH210) (#19388)
• [flake8-django] Fix DJ008 false positive for abstract models with type-annotated abstract field (#19221)
• [isort] Fix I002 import insertion after docstring with multiple string statements (#19222)
• [isort] Treat form feed as valid whitespace before a semicolon (#19343)
• [pydoclint] Fix SyntaxError from fixes with line continuations (D201, D202) (#19246)
• [refurb] FURB164 fix should validate arguments and should usually be marked unsafe (#19136)

Rule changes

• [flake8-use-pathlib] Skip single dots for invalid-pathlib-with-suffix (PTH210) on versions >= 3.14 (#19331)
• [pep8_naming] Avoid false positives on standard library functions with uppercase names (N802) (#18907)
• [pycodestyle] Handle brace escapes for t-strings in logical lines (#19358)
• [pylint] Extend invalid string character rules to include t-strings (#19355)
• [ruff] Allow strict kwarg when checking for starmap-zip (RUF058) in Python 3.14+ (#19333)

Documentation

• [flake8-type-checking] Make TC010 docs example more realistic (#19356)
• Make more documentation examples error out-of-the-box (#19288,#19272,#19291,#19296,#19292,#19295,#19297,#19309)

0.12.3

... (truncated)

Commits

• d13228a Bump 0.12.5 (#19528)
• 9461d30 [ty] Rename type_api => ty_extensions (#19523)
• 63d1d33 [ty] Added support for "go to references" in ty playground. (#19516)
• e0149cd [ty] Return a tuple spec from the iterator protocol (#19496)
• 2a00eca [ty] Exhaustiveness checking & reachability for match statements (#19508)
• 3d17897 [ty] Fix narrowing and reachability of class patterns with arguments (#19512)
• fa1df4c [ty] Implemented partial support for "find references" language server featur...
• 89258f1 [flake8-use-pathlib] Add autofix for PTH101, PTH104, PTH105, PTH121...
• 1dcef1a [perflint] Parenthesize generator expressions (PERF401) (#19325)
• ba629fe [pep8-naming] Fix N802 false positives for CGIHTTPRequestHandler and `S...
• Additional commits viewable in compare view

Updates mypy from 1.16.1 to 1.17.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.17

We’ve just uploaded mypy 1.17 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Optionally Check That Match Is Exhaustive

Mypy can now optionally generate an error if a match statement does not match exhaustively, without having to use assert_never(...). Enable this by using --enable-error-code exhaustive-match.

Example:

# mypy: enable-error-code=exhaustive-match
import enum
class Color(enum.Enum):
RED = 1
BLUE = 2
def show_color(val: Color) -> None:
# error: Unhandled case for values of type "Literal[Color.BLUE]"
match val:
case Color.RED:
print("red")

This feature was contributed by Donal Burns (PR 19144).

Further Improvements to Attribute Resolution

This release includes additional improvements to how attribute types and kinds are resolved. These fix many bugs and overall improve consistency.

• Handle corner case: protocol/class variable/descriptor (Ivan Levkivskyi, PR 19277)
• Fix a few inconsistencies in protocol/type object interactions (Ivan Levkivskyi, PR 19267)
• Refactor/unify access to static attributes (Ivan Levkivskyi, PR 19254)
• Remove inconsistencies in operator handling (Ivan Levkivskyi, PR 19250)
• Make protocol subtyping more consistent (Ivan Levkivskyi, PR 18943)

... (truncated)

Commits

• 0260991 Update version string
• 3901aa2 Updates to 1.17 changelog (#19436)
• 7d13396 Initial changelog for 1.17 release (#19427)
• a182dec Combine the revealed types of multiple iteration steps in a more robust manne...
• ab4fd57 Improve the handling of "iteration dependent" errors and notes in finally cla...
• 09ba1f6 [mypyc] Fix exception swallowing in async try/finally blocks with await (#19353)
• 5c65e33 [mypyc] Fix AttributeError in async try/finally with mixed return paths (#19361)
• 934ec50 Lessen dmypy suggest path limitations for Windows machines (#19337)
• a4801f9 Type ignore comments erroneously marked as unused by dmypy (#15043)
• c3bfa0d Handle corner case: protocol vs classvar vs descriptor (#19277)
• Additional commits viewable in compare view

Updates zizmor from 1.9.0 to 1.11.0

Release notes

Sourced from zizmor's releases.

v1.11.0

New Features 🌈🔗

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱🔗

• The bot-conditions audit now supports auto-fixes for many findings (#921)
• The bot-conditions audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈🔗

• New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

  • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱🔗

• The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
• The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
• The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
• The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
• The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
• zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
• The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
• The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
• The obfuscation audit now returns precise spans for flagged expressions (#969)
• The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛🔗

• The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
• The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
• Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
• Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Changelog

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱

• The [bot-conditions] audit now supports auto-fixes for many findings (#921)
• The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

• New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • [artipacked]: zizmor will attempt to add #!yaml persist-credentials: false to actions/checkout steps that do not already have it.

  • [template-injection]: zizmor will attempt to rewrite #!yaml run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate #!yaml env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

Commits

• 1cc8f93 chore: release 1.11.0 (#993)
• 44a27e2 feat: LSP skeleton code from #607 (#984)
• 5495af9 chore(deps): bump the github-actions group with 3 updates (#990)
• 86c4489 chore(deps): bump the cargo group with 3 updates (#991)
• ac6f6e2 bugfix: repro, #988 (#989)
• b98dcb1 chore: remove descriptions from fixes (#985)
• 42862eb Add Fix for bot-conditions audit rule (#921)
• b7500d1 refactor: move audit registration into AuditRegistry (#983)
• e90af3a chore(deps): bump http-cache-reqwest to 0.16.0 (#982)
• ab905e1 chore(deps): bump http-cache-reqwest to 0.15.2 (#980)
• Additional commits viewable in compare view

Updates coverage[toml] from 7.9.2 to 7.10.1

Release notes

Sourced from coverage[toml]'s releases.

7.10.1

Version 7.10.1 — 2025-07-27

• Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831.
• Fix: changed where .pth files are written for patch = subprocess, closing issue 2006.

➡️  PyPI page: coverage 7.10.1. :arrow_right:  To install: python3 -m pip install coverage==7.10.1

7.10.0

Version 7.10.0 — 2025-07-24

• A new configuration option: “[run] patch” specifies named patches to work around some limitations in coverage measurement. These patches are available:
  • patch = _exit lets coverage save its data even when https://docs.python.org/3/library/os.html#os._exit is used to abruptly end the process. This closes long-standing issue 310 as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.
  • patch = subprocess measures coverage in Python subprocesses created with https://docs.python.org/3/library/subprocess.html#module-subprocess, https://docs.python.org/3/library/os.html#os.system, or one of the https://docs.python.org/3/library/os.html#os.execl or https://docs.python.org/3/library/os.html#os.spawnl family of functions. Closes old issue 367 and duplicate issue 378.
  • patch = execv adjusts the https://docs.python.org/3/library/os.html#os.execl family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43 after 15 years!
• The HTML report now dimly colors subsequent lines in multi-line statements. They used to have no color. This gives a better indication of the amount of code missing in the report. Closes issue 1308.
• Two new exclusion patterns are part of the defaults: ... is automatically excluded as a line and if TYPE_CHECKING: is excluded as a branch. Closes issue 831.
• A new command-line option: --save-signal=USR1 specifies a signal that coverage.py will listen for. When the signal is sent, the coverage data will be saved. This makes it possible to save data from within long-running processes. Thanks, Arkady Gilinsky.
• A new configuration option: “[report] partial_also” is a list of regexes to add as pragmas for partial branches. This parallels the “[report] exclude_also” setting for adding line exclusion patterns.
• A few file path configuration settings didn’t allow for tilde expansion: [json] output, [lcov] output and [run] debug_file. This is now fixed.
• Wheels are included for 3.14 now that 3.14 rc1 is available.
• We no longer ship a PyPy-specific wheel. PyPy will install the pure-Python wheel. Closes issue 2001.
• In the very unusual situation of not having a current frame, coverage no longer crashes when using the sysmon core, fixing issue 2005.

➡️  PyPI page: coverage 7.10.0. :arrow_right:  To install: python3 -m pip install coverage==7.10.0

Changelog

Sourced from coverage[toml]'s changelog.

Version 7.10.1 — 2025-07-27

• Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831_.

• Fix: changed where .pth files are written for patch = subprocess, closing issue 2006_.

.. _issue 2006: nedbat/coveragepy#2006

.. _changes_7-10-0:

Version 7.10.0 — 2025-07-24

• A new configuration option: ":ref:config_run_patch" specifies named patches to work around some limitations in coverage measurement. These patches are available:

  • patch = _exit lets coverage save its data even when :func:os._exit() <python:os._exit> is used to abruptly end the process. This closes long-standing issue 310_ as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.

  • patch = subprocess measures coverage in Python subprocesses created with :mod:subprocess, :func:os.system, or one of the :func:execv <python:os.execl> or :func:spawnv <python:os.spawnl> family of functions. Closes old issue 367_ and duplicate issue 378_.

  • patch = execv adjusts the :func:execv <python:os.execl> family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43_ after 15 years!

• The HTML report now dimly colors subsequent lines in multi-line statements. They used to have no color. This gives a better indication of the amount of code missing in the report. Closes issue 1308_.

• Two new exclusion patterns are part of the defaults: ... is automatically excluded as a line and if TYPE_CHECKING: is excluded as a branch. Closes issue 831_.

• A new command-line option: --save-signal=USR1 specifies a signal that coverage.py will listen for. When the signal is sent, the coverage data will be saved. This makes it possible to save data from within long-running processes. Thanks, Arkady Gilinsky <pull 1998_>_.

... (truncated)

Commits

• 7fdcbeb docs: sample HTML for 7.10.1
• c9e9625 docs: prep for 7.10.1
• e8193ff chore: make upgrade
• 9aad22a test: improve the if TYPE_CHECKING: exclusion test
• 1e2f41a fix: excluding TYPE_CHECKING should have been the line not the branch
• 2134e57 fix: use getsitepackages for writing .pth files. #2006
• a4300a7 test: signal statuses are mysterious. #2008
• 2fd4961 docs: update the man page, for once
• a13607f build: comment_on_fixes should show html urls
• 0f00d49 build: bump version to 7.10.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.