@dependabot dependabot bot commented on behalf of github Apr 7, 2025

Bumps the python-packages group with 3 updates: lxml, ruff and typing-extensions.

Updates lxml from 5.3.1 to 5.3.2

Changelog

Sourced from lxml's changelog.

5.3.2 (2025-04-05)

This release resolves CVE-2025-24928 as described in https://gitlab.gnome.org/GNOME/libxml2/-/issues/847

Bugs fixed

  • Binary wheels use libxml2 2.12.10 and libxslt 1.1.42.

  • Binary wheels for Windows use a patched libxml2 2.11.9 and libxslt 1.1.39.

Commits
  • 820db89 CI: Allow Py3.14 jobs to fail.
  • 93ad02a docs: Add a note about C compiler installation to error message (GH-454)
  • 16878da Add some hints to the documentation on how to build lxml (GH-453)
  • 6ff7ed9 Fix contact email address on PyPI.
  • 09c2cb2 Prepare release of lxml 5.3.2.
  • a7d30eb Update changelog.
  • 9160a04 Switch to libxml2 2.12.10.
  • 9446c31 Remove outdated link.
  • d25404f Build: Prevent using Cython 3.1 alpha.
  • See full diff in compare view

Updates ruff from 0.11.2 to 0.11.4

Release notes

Sourced from ruff's releases.

0.11.4

Release Notes

Preview features

  • [ruff] Implement invalid-rule-code as RUF102 (#17138)
  • [syntax-errors] Detect duplicate keys in match mapping patterns (#17129)
  • [syntax-errors] Detect duplicate attributes in match class patterns (#17186)
  • [syntax-errors] Detect invalid syntax in annotations (#17101)

Bug fixes

  • [syntax-errors] Fix multiple assignment error for class fields in match patterns (#17184)
  • Don't skip visiting non-tuple slice in typing.Annotated subscripts (#17201)

Install ruff 0.11.4

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.11.4/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/ruff/releases/download/0.11.4/ruff-installer.ps1 | iex"

Download ruff 0.11.4

File | Platform | Checksum
ruff-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum
ruff-x86_64-apple-darwin.tar.gz | Intel macOS | checksum
ruff-aarch64-pc-windows-msvc.zip | ARM64 Windows | checksum
ruff-i686-pc-windows-msvc.zip | x86 Windows | checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.11.4

Preview features

  • [ruff] Implement invalid-rule-code as RUF102 (#17138)
  • [syntax-errors] Detect duplicate keys in match mapping patterns (#17129)
  • [syntax-errors] Detect duplicate attributes in match class patterns (#17186)
  • [syntax-errors] Detect invalid syntax in annotations (#17101)

Bug fixes

  • [syntax-errors] Fix multiple assignment error for class fields in match patterns (#17184)
  • Don't skip visiting non-tuple slice in typing.Annotated subscripts (#17201)

0.11.3

Preview features

  • [airflow] Add more autofixes for AIR302 (#16876, #16977, #16976, #16965)
  • [airflow] Move AIR301 to AIR002 (#16978)
  • [airflow] Move AIR302 to AIR301 and AIR303 to AIR302 (#17151)
  • [flake8-bandit] Mark str and list[str] literals as trusted input (S603) (#17136)
  • [ruff] Support slices in RUF005 (#17078)
  • [syntax-errors] Start detecting compile-time syntax errors (#16106)
  • [syntax-errors] Duplicate type parameter names (#16858)
  • [syntax-errors] Irrefutable case pattern before final case (#16905)
  • [syntax-errors] Multiple assignments in case pattern (#16957)
  • [syntax-errors] Single starred assignment target (#17024)
  • [syntax-errors] Starred expressions in return, yield, and for (#17134)
  • [syntax-errors] Store to or delete __debug__ (#16984)

Bug fixes

  • Error instead of panic! when running Ruff from a deleted directory (#16903) (#17054)
  • [syntax-errors] Fix false positive for parenthesized tuple index (#16948)

CLI

  • Check pyproject.toml correctly when it is passed via stdin (#16971)

Configuration

  • [flake8-import-conventions] Add import numpy.typing as npt to default flake8-import-conventions.aliases (#17133)

Documentation

  • [refurb] Document why UserDict, UserList, and UserString are preferred over dict, list, and str (FURB189) (#16927)

Commits
  • 95d6ed4 Bump 0.11.4 (#17212)
  • acc5662 [syntax-errors] Allow yield in base classes and annotations (#17206)
  • 33a56f1 Don't skip visiting non-tuple slice in typing.Annotated subscripts (#17201)
  • 5cee346 [red-knot] mypy_primer: do not specify Python version (#17200)
  • ffa824e [red-knot] Add Type.definition method (#17153)
  • 98b95c9 Implement Invalid rule provided as rule RUF102 with --fix (#17138)
  • a4ba10f [red-knot] Add basic on-hover to playground and LSP (#17057)
  • bf03068 [red-knot] don't remove negations when simplifying constrained typevars (#17189)
  • 4f924bb [minor] Fix extra semicolon for clippy (#17188)
  • c2b2e42 [syntax-errors] Invalid syntax in annotations (#17101)
  • Additional commits viewable in compare view

Updates typing-extensions from 4.12.2 to 4.13.1

Release notes

Sourced from typing-extensions's releases.

4.13.1

This is a bugfix release fixing two edge cases that appear on old bugfix releases of CPython.

Bugfixes:

  • Fix regression in 4.13.0 on Python 3.10.2 causing a TypeError when using Concatenate. Patch by Daraan.
  • Fix TypeError when using evaluate_forward_ref on Python 3.10.1-2 and 3.9.8-10. Patch by Daraan.

4.13.0

New features:

  • Add typing_extensions.TypeForm from PEP 747. Patch by Jelle Zijlstra.
  • Add typing_extensions.get_annotations, a backport of inspect.get_annotations that adds features specified by PEP 649. Patches by Jelle Zijlstra and Alex Waygood.
  • Backport evaluate_forward_ref from CPython PR #119891 to evaluate ForwardRefs. Patch by Daraan, backporting a CPython PR by Jelle Zijlstra.

Bugfixes and changed features:

  • Update PEP 728 implementation to a newer version of the PEP. Patch by Jelle Zijlstra.
  • Copy the coroutine status of functions and methods wrapped with @typing_extensions.deprecated. Patch by Sebastian Rittau.
  • Fix bug where TypeAliasType instances could be subscripted even where they were not generic. Patch by Daraan.
  • Fix bug where a subscripted TypeAliasType instance did not have all attributes of the original TypeAliasType instance on older Python versions. Patch by Daraan and Alex Waygood.
  • Fix bug where subscripted TypeAliasType instances (and some other subscripted objects) had wrong parameters if they were directly subscripted with an Unpack object. Patch by Daraan.
  • Backport to Python 3.10 the ability to substitute ... in generic Callable aliases that have a Concatenate special form as their argument. Patch by Daraan.
  • Extended the Concatenate backport for Python 3.8-3.10 to now accept Ellipsis as an argument. Patch by Daraan.
  • Fix backport of get_type_hints to reflect Python 3.11+ behavior which does not add Union[..., NoneType] to annotations that have a None default value anymore. This fixes wrapping of Annotated in an unwanted Optional in such cases. Patch by Daraan.
  • Fix error in subscription of Unpack aliases causing nested Unpacks to not be resolved correctly. Patch by Daraan.
  • Backport CPython PR #124795: fix TypeAliasType not raising an error on non-tuple inputs for type_params. Patch by Daraan.
  • Fix that lists and ... could not be used for parameter expressions for TypeAliasType

... (truncated)

Changelog

Sourced from typing-extensions's changelog.

Release 4.13.1 (April 3, 2025)

Bugfixes:

  • Fix regression in 4.13.0 on Python 3.10.2 causing a TypeError when using Concatenate. Patch by Daraan.
  • Fix TypeError when using evaluate_forward_ref on Python 3.10.1-2 and 3.9.8-10. Patch by Daraan.

Release 4.13.0 (March 25, 2025)

No user-facing changes since 4.13.0rc1.

Release 4.13.0rc1 (March 18, 2025)

New features:

  • Add typing_extensions.TypeForm from PEP 747. Patch by Jelle Zijlstra.
  • Add typing_extensions.get_annotations, a backport of inspect.get_annotations that adds features specified by PEP 649. Patches by Jelle Zijlstra and Alex Waygood.
  • Backport evaluate_forward_ref from CPython PR #119891 to evaluate ForwardRefs. Patch by Daraan, backporting a CPython PR by Jelle Zijlstra.

Bugfixes and changed features:

  • Update PEP 728 implementation to a newer version of the PEP. Patch by Jelle Zijlstra.
  • Copy the coroutine status of functions and methods wrapped with @typing_extensions.deprecated. Patch by Sebastian Rittau.
  • Fix bug where TypeAliasType instances could be subscripted even where they were not generic. Patch by Daraan.
  • Fix bug where a subscripted TypeAliasType instance did not have all attributes of the original TypeAliasType instance on older Python versions. Patch by Daraan and Alex Waygood.
  • Fix bug where subscripted TypeAliasType instances (and some other subscripted objects) had wrong parameters if they were directly subscripted with an Unpack object. Patch by Daraan.
  • Backport to Python 3.10 the ability to substitute ... in generic Callable aliases that have a Concatenate special form as their argument. Patch by Daraan.
  • Extended the Concatenate backport for Python 3.8-3.10 to now accept Ellipsis as an argument. Patch by Daraan.
  • Fix backport of get_type_hints to reflect Python 3.11+ behavior which does not add Union[..., NoneType] to annotations that have a None default value anymore. This fixes wrapping of Annotated in an unwanted Optional in such cases. Patch by Daraan.
  • Fix error in subscription of Unpack aliases causing nested Unpacks to not be resolved correctly. Patch by Daraan.

... (truncated)

Commits
  • 45a8847 Prepare release 4.13.1 (#573)
  • f264e58 Move CI to "ubuntu-latest" (round 2) (#570)
  • 5ce0e69 Fix TypeError with evaluate_forward_ref on some 3.10 and 3.9 versions (#558)
  • 304f5cb Add SQLAlchemy to third-party daily tests (#561)
  • ebe2b94 Fix duplicated keywords for typing._ConcatenateGenericAlias in 3.10.2 (#557)
  • 9f93d6f Add intersphinx links for 3.13 typing features (#550)
  • c893401 Prepare release 4.13.0 (#555)
  • 6239d86 Use latest Python docs as intersphinx base rather than 3.12 docs (#549)
  • 671a337 Fix 'Test and lint' workflow running on forks (#551)
  • e77e8e2 Disable pyanalyze tests for now (#554)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the python-packages group with 3 updates: [lxml](https://github.com/lxml/lxml), [ruff](https://github.com/astral-sh/ruff) and [typing-extensions](https://github.com/python/typing_extensions).


Updates `lxml` from 5.3.1 to 5.3.2
- [Release notes](https://github.com/lxml/lxml/releases)
- [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt)
- [Commits](lxml/lxml@lxml-5.3.1...lxml-5.3.2)

Updates `ruff` from 0.11.2 to 0.11.4
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.11.2...0.11.4)

Updates `typing-extensions` from 4.12.2 to 4.13.1
- [Release notes](https://github.com/python/typing_extensions/releases)
- [Changelog](https://github.com/python/typing_extensions/blob/main/CHANGELOG.md)
- [Commits](python/typing_extensions@4.12.2...4.13.1)

---
updated-dependencies:
- dependency-name: lxml
  dependency-version: 5.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: ruff
  dependency-version: 0.11.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: python-packages
- dependency-name: typing-extensions
  dependency-version: 4.13.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: python-packages
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 7, 2025
@dependabot dependabot bot requested review from a team as code owners April 7, 2025 04:49
@greenbonebot greenbonebot enabled auto-merge (rebase) April 7, 2025 04:49
github-actions bot commented Apr 7, 2025

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ❌ 1 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA b3b4d91.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

poetry.lock

Package | Version | License | Issue Type
ruff | 0.11.4 | 0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT | Incompatible License
lxml | 5.3.2 | Null | Unknown License
typing-extensions | 4.13.1 | Null | Unknown License
Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package | Version | Score | Details
pip/lxml | 5.3.2 | 🟢 6.6 | see checks below

Check | Score | Reason
Code-Review | ⚠️ 0 | Found 1/28 approved changesets -- score normalized to 0
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
Security-Policy | 🟢 10 | security policy file detected
Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Fuzzing | 🟢 10 | project is fuzzed
Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
License | 🟢 9 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.

Package | Version | Score | Details
pip/ruff | 0.11.4 | Unknown | Unknown

Package | Version | Score | Details
pip/typing-extensions | 4.13.1 | 🟢 6.6 | see checks below

Check | Score | Reason
Packaging | ⚠️ -1 | packaging workflow not detected
Code-Review | 🟢 8 | Found 26/30 approved changesets -- score normalized to 8
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Maintained | 🟢 10 | 19 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Fuzzing | ⚠️ 0 | project is not fuzzed
License | 🟢 9 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Security-Policy | 🟢 10 | security policy file detected
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities | 🟢 3 | 7 existing vulnerabilities detected

Scanned Files

  • poetry.lock

github-actions bot commented Apr 7, 2025

Conventional Commits Report

Type | Number
Dependencies | 1

🚀 Conventional commits found.

@greenbonebot greenbonebot merged commit ddd71ec into main Apr 7, 2025
24 of 25 checks passed
@greenbonebot greenbonebot deleted the dependabot/pip/python-packages-b86899291f branch April 7, 2025 06:19