chore(deps): bump the pip group with 6 updates

[dependabot]

Bumps the pip group with 6 updates:

Package	From	To
ruff	0.8.6	0.9.1
bandit	1.8.0	1.8.2
semgrep	1.101.0	1.102.0
coverage[toml]	7.6.1	7.6.10
pytest-asyncio	0.24.0	0.25.2
dirty-equals	0.8.0	0.9.0

Updates ruff from 0.8.6 to 0.9.1

Release notes

Sourced from ruff's releases.

0.9.1

Release Notes

Preview features

• [pycodestyle] Run too-many-newlines-at-end-of-file on each cell in notebooks (W391) (#15308)
• [ruff] Omit diagnostic for shadowed private function parameters in used-dummy-variable (RUF052) (#15376)

Rule changes

• [flake8-bugbear] Improve assert-raises-exception message (B017) (#15389)

Formatter

• Preserve trailing end-of line comments for the last string literal in implicitly concatenated strings (#15378)

Server

• Fix a bug where the server and client notebooks were out of sync after reordering cells (#15398)

Bug fixes

• [flake8-pie] Correctly remove wrapping parentheses (PIE800) (#15394)
• [pyupgrade] Handle comments and multiline expressions correctly (UP037) (#15337)

Contributors

• @​AntoineD
• @​InSyncWithFoo
• @​MichaReiser
• @​calumy
• @​dcreager
• @​dhruvmanila
• @​dylwil3
• @​sharkdp
• @​tjkuson

Install ruff 0.9.1

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.9.1/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy ByPass -c "irm https://github.com/astral-sh/ruff/releases/download/0.9.1/ruff-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ruff's changelog.

0.9.1

Preview features

• [pycodestyle] Run too-many-newlines-at-end-of-file on each cell in notebooks (W391) (#15308)
• [ruff] Omit diagnostic for shadowed private function parameters in used-dummy-variable (RUF052) (#15376)

Rule changes

• [flake8-bugbear] Improve assert-raises-exception message (B017) (#15389)

Formatter

• Preserve trailing end-of line comments for the last string literal in implicitly concatenated strings (#15378)

Server

• Fix a bug where the server and client notebooks were out of sync after reordering cells (#15398)

Bug fixes

• [flake8-pie] Correctly remove wrapping parentheses (PIE800) (#15394)
• [pyupgrade] Handle comments and multiline expressions correctly (UP037) (#15337)

0.9.0

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

Ruff now formats your code according to the 2025 style guide. As a result, your code might now get formatted differently. See the formatter section for a detailed list of changes.

This release doesn’t remove or remap any existing stable rules.

Stabilization

The following rules have been stabilized and are no longer in preview:

• stdlib-module-shadowing (A005). This rule has also been renamed: previously, it was called builtin-module-shadowing.
• builtin-lambda-argument-shadowing (A006)
• slice-to-remove-prefix-or-suffix (FURB188)
• boolean-chained-comparison (PLR1716)
• decimal-from-float-literal (RUF032)
• post-init-default (RUF033)
• useless-if-else (RUF034)

The following behaviors have been stabilized:

• pytest-parametrize-names-wrong-type (PT006): Detect pytest.parametrize calls outside decorators and calls with keyword arguments.

... (truncated)

Commits

• 12f86f3 Ruff 0.9.1 (#15407)
• 2b28d56 Associate a trailing end-of-line comment in a parenthesized implicit concaten...
• adca7bd Remove pygments pin (#15404)
• 6b98a26 [red-knot] Support assert_type (#15194)
• c874638 [red-knot] Move tuple-containing-Never tests to Markdown (#15402)
• c364b58 [flake8-pie] Correctly remove wrapping parentheses (PIE800) (#15394)
• 73d424e Fix outdated doc for handling the default file types with the pre-commit hook...
• 6e9ff44 Insert the cells from the start position (#15398)
• f2c3ddc [red-knot] Move intersection type tests to Markdown (#15396)
• b861551 Remove unnecessary backticks (#15393)
• Additional commits viewable in compare view

Updates bandit from 1.8.0 to 1.8.2

Release notes

Sourced from bandit's releases.

1.8.2

What's Changed

• Revert "Start testing with 3.14 alphas" by @​ericwb in PyCQA/bandit#1217

Full Changelog: PyCQA/bandit@1.8.1...1.8.2

1.8.1

What's Changed

• Bump docker/build-push-action from 6.9.0 to 6.10.0 by @​dependabot in PyCQA/bandit#1209
• Update the bug template with latest bandit version by @​ericwb in PyCQA/bandit#1208
• Add Mercedes-Benz to sponsor list by @​ericwb in PyCQA/bandit#1210
• Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @​dependabot in PyCQA/bandit#1211
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1213
• Start testing with 3.14 alphas by @​ericwb in PyCQA/bandit#1189
• Remove lxml (B320 & B410) from blacklist by @​djbrown in PyCQA/bandit#1212
• Clarify "getting started" docs by @​Flimm in PyCQA/bandit#963

New Contributors

• @​djbrown made their first contribution in PyCQA/bandit#1212
• @​Flimm made their first contribution in PyCQA/bandit#963

Full Changelog: PyCQA/bandit@1.8.0...1.8.1

Commits

• c2c336d Revert "Start testing with 3.14 alphas" (#1217)
• e58379c Clarify "getting started" docs (#963)
• e4da0b3 Remove lxml (B320 & B410) from blacklist (#1212)
• 13d3406 Start testing with 3.14 alphas (#1189)
• 1abd1d7 [pre-commit.ci] pre-commit autoupdate (#1213)
• 8e3c928 Bump docker/setup-buildx-action from 3.7.1 to 3.8.0 (#1211)
• 929d597 Add Mercedes-Benz to sponsor list (#1210)
• ead6717 Update the bug template with latest bandit version (#1208)
• 65ddf8f Bump docker/build-push-action from 6.9.0 to 6.10.0 (#1209)
• See full diff in compare view

Updates semgrep from 1.101.0 to 1.102.0

Release notes

Sourced from semgrep's releases.

Release v1.102.0

1.102.0 - 2025-01-08

Added

• Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
• Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
• The poetry.lock parser can now parse dependency relationships (ssc-1970)
• The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)

Fixed

• The semgrep test and semgrep validate commands have been correctly documented as EXPERIMENTAL (in semgrep --help). Those commands are not GA yet and people should still use the semgrep scan --test and semgrep scan --validate (or the variants without the implicit "scan") commands (unless they want to experiment with getting results faster and are ok with incomplete coverage of the legacy semgrep --test and semgrep --validate). (experimental)
• Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
• Fix the behavior of semgrep when running into broken symlinks. If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise if it's a file discovered while scanning the file system, it's a warning. (saf-1776)
• Fixed another crash due to exception in lines_of_file. The code should now be more robust and not abort the whole scan when an out of bound line access happens during the nosemgrep analysis or when outputing the lines of a match. (saf-1778)
• Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

Changelog

Sourced from semgrep's changelog.

1.102.0 - 2025-01-08

Added

• Added pro-only support for parsing a dependency graph from package-lock.json v1 files (SC-1858)
• Added pro-only support for parsing a dependency graph from package-lock.json v2 and v3 files (SC-1991)
• The poetry.lock parser can now parse dependency relationships (ssc-1970)
• The Yarn.lock V1 and V2 parsers can parse dependency relationships. (ssc-1988)

Fixed

• The semgrep test and semgrep validate commands have been correctly documented as EXPERIMENTAL (in semgrep --help). Those commands are not GA yet and people should still use the semgrep scan --test and semgrep scan --validate (or the variants without the implicit "scan") commands (unless they want to experiment with getting results faster and are ok with incomplete coverage of the legacy semgrep --test and semgrep --validate). (experimental)
• Improve error handling for functionality ancillary to a scan (such as looking for nosemgrep comments and rendering autofixes) to reduce the likelihood of an unexpected error in such a component bringing down the entire scan. (saf-1737)
• Fix the behavior of semgrep when running into broken symlinks. If such a path is passed explicitly as a scanning root on the command line, it results in an error. Otherwise if it's a file discovered while scanning the file system, it's a warning. (saf-1776)
• Fixed another crash due to exception in lines_of_file. The code should now be more robust and not abort the whole scan when an out of bound line access happens during the nosemgrep analysis or when outputing the lines of a match. (saf-1778)
• Direct dev dependencies in yarn/npm lockfiles are now correctly marked as direct (sc-1996)

Commits

• f946d54 chore: release version 1.102.0
• bb96163semgrep/semgrep-proprietary#2849
• 708520a Dogfood: new rule to forbid the use of Fmt and ANSITerminal (semgrep/semgrep-...
• db9cac2semgrep/semgrep-proprietary#2846
• b07587dsemgrep/semgrep-proprietary#2
• 80b66dcsemgrep/semgrep-proprietary#2844
• 0401f65semgrep/semgrep-proprietary#2843
• 1d95556 cleanup: rename Matches_report.ml to Text_output.ml and unppize it (semgrep/s...
• 315f214semgrep/semgrep-proprietary#2824
• 64bf74d fix: Parse direct devDeps in in package.jsonsemgrep/semgrep-proprietary#2
• Additional commits viewable in compare view

Updates coverage[toml] from 7.6.1 to 7.6.10

Release notes

Sourced from coverage[toml]'s releases.

7.6.10

Version 7.6.10 — 2024-12-26

• Fix: some descriptions of missing branches in HTML and LCOV reports were incorrect when multi-line statements were involved (issue 1874 and issue 1875). These are now fixed.
• Fix: Python 3.14 defers evaluation of annotations by moving them into separate code objects. That code is rarely executed, so coverage.py would mark them as missing, as reported in issue 1908. Now they are ignored by coverage automatically.
• Fixed an obscure and mysterious problem on PyPy 3.10 seemingly involving mocks, imports, and trace functions: issue 1902. To be honest, I don’t understand the problem or the solution, but git bisect helped find it, and now it’s fixed.
• Docs: re-wrote the Measuring subprocesses page to put multiprocessing first and to highlight the correct use of https://docs.python.org/3/library/multiprocessing.html#multiprocessing.pool.Pool.

➡️  PyPI page: coverage 7.6.10. :arrow_right:  To install: python3 -m pip install coverage==7.6.10

7.6.9

Version 7.6.9 — 2024-12-06

• Fix: Tomas Uribe fixed a performance problem in the XML report. Large code bases should produce XML reports much faster now.

➡️  PyPI page: coverage 7.6.9. :arrow_right:  To install: python3 -m pip install coverage==7.6.9

7.6.8

Version 7.6.8 — 2024-11-23

• Fix: the LCOV report code assumed that a branch line that took no branches meant that the entire line was unexecuted. This isn’t true in a few cases: the line might always raise an exception, or might have been optimized away. Fixes issue 1896.
• Fix: similarly, the HTML report will now explain that a line that jumps to none of its expected destinations must have always raised an exception. Previously, it would say something nonsensical like, “line 4 didn’t jump to line 5 because line 4 was never true, and it didn’t jump to line 7 because line 4 was always true.” This was also shown in issue 1896.

➡️  PyPI page: coverage 7.6.8. :arrow_right:  To install: python3 -m pip install coverage==7.6.8

7.6.7

Version 7.6.7 — 2024-11-15

• Fix: ugh, the other assert from 7.6.5 can also be encountered in the wild, so it’s been restored to a conditional. Sorry for the churn.

➡️  PyPI page: coverage 7.6.7. :arrow_right:  To install: python3 -m pip install coverage==7.6.7

7.6.6

Version 7.6.6 — 2024-11-15

• One of the new asserts from 7.6.5 caused problems in real projects, as reported in issue 1891. The assert has been removed.

➡️  PyPI page: coverage 7.6.6. :arrow_right:  To install: python3 -m pip install coverage==7.6.6

7.6.5

Version 7.6.5 — 2024-11-14

• Fix: fine-tuned the exact Python version (3.12.6) when exiting from with statements changed how they traced. This affected whether people saw the fix for issue 1880.
• Fix: isolate our code more from mocking in the os module that in rare cases can cause bizarre behavior.
• Refactor: some code unreachable code paths in parser.py were changed to asserts. If you encounter any of these, please let me know!

... (truncated)

Changelog

Sourced from coverage[toml]'s changelog.

Commits

• f0dcf65 docs: sample HTML for 7.6.10
• 0f26f35 docs: prep for 7.6.10
• 81c5e43 docs: rewrite the subprocess page
• 878410c chore: make doc_upgrade
• f1d320d chore: make upgrade
• 67f1440 debug: this condition is never true. really?
• c85eaba fix: multi-line statements no longer confuse branch target descriptions. #187...
• 73e58fa refactor: clarify the code that fixes with-statement exits
• e16c9cc typo: backslask
• 865fd7f chore: bump the action-dependencies group with 4 updates (#1909)
• Additional commits viewable in compare view

Updates pytest-asyncio from 0.24.0 to 0.25.2

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio 0.25.2

• Call loop.shutdown_asyncgens() before closing the event loop to ensure async generators are closed in the same manner as asyncio.run does #1034

pytest-asyncio 0.25.1

• Fixes an issue that caused a broken event loop when a function-scoped test was executed in between two tests with wider loop scope #950
• Improves test collection speed in auto mode #1020
• Corrects the warning that is emitted upon redefining the event_loop fixture

pytest-asyncio 0.25.0

0.25.0 (2024-12-13)

• Deprecated: Added warning when asyncio test requests async @pytest.fixture in strict mode. This will become an error in a future version of flake8-asyncio. #979
• Updates the error message about pytest.mark.asyncio's scope keyword argument to say loop_scope instead. #1004
• Verbose log displays correct parameter name: asyncio_default_fixture_loop_scope #990
• Propagates contextvars set in async fixtures to other fixtures and tests on Python 3.11 and above. #1008

Commits

• 2188cdb build: Prepare release of v0.25.2.
• c3ad634 fix: Shutdown generators before closing event loops.
• e8ffb10 [pre-commit.ci] pre-commit autoupdate
• aae43d4 Build(deps): Bump hypothesis in /dependencies/default
• 941e8b5 Build(deps): Bump pygments from 2.18.0 to 2.19.1 in /dependencies/docs
• 623ab74 docs: Prepare release of v0.25.1.
• c236550 docs: Fix broken link to the pytest.mark.asyncio reference.
• 41c645b fix: Correct warning message when redefining the event_loop fixture.
• 2fd10f8 docs: Clarify deprecation of event_loop fixture.
• a4e82ab docs: Added changelog entry for #1020.
• Additional commits viewable in compare view

Updates dirty-equals from 0.8.0 to 0.9.0

Release notes

Sourced from dirty-equals's releases.

v0.9.0 2025-01-11

What's Changed

• fix problem with functools.singledispatch (#104) by @​15r10nk in samuelcolvin/dirty-equals#105
• uprev to v0.9 by @​samuelcolvin in samuelcolvin/dirty-equals#111

New Contributors

• @​15r10nk made their first contribution in samuelcolvin/dirty-equals#105

Full Changelog: samuelcolvin/dirty-equals@v0.8.0...v0.9.0

Commits

• 9e6f0be uprev to v0.9 (#111)
• 065162a fix problem with functools.singledispatch (#104) (#105)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions