build(deps): bump the pip group across 1 directory with 5 updates

[dependabot]

Bumps the pip group with 5 updates in the / directory:

Package	From	To
mypy	1.11.2	1.13.0
ruff	0.6.9	0.8.2
bandit	1.7.10	1.8.0
semgrep	1.90.0	1.99.0
pre-commit	4.0.0	4.0.1

Updates mypy from 1.11.2 to 1.13.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Change to enum membership semantics

As per the updated typing specification for enums, enum members must be left unannotated.

class Pet(Enum):
    CAT = 1  # Member attribute
    DOG = 2  # Member attribute
    WOLF: int = 3  # New error: Enum members must be left unannotated
species: str  # Considered a non-member attribute

In particular, the specification change can result in issues in type stubs (.pyi files), since historically it was common to leave the value absent:

# In a type stub (.pyi file)
class Pet(Enum):
# Change in semantics: previously considered members, now non-member attributes
CAT: int
DOG: int
# Mypy will now issue a warning if it detects this situation in type stubs:
# > Detected enum "Pet" in a type stub with zero members.
# > There is a chance this is due to a recent change in the semantics of enum membership.
# > If so, use `member = value` to mark an enum member, instead of `member: type`

class Pet(Enum):
# As per the specification, you should now do one of the following:
DOG = 1  # Member attribute with value 1 and known type
WOLF = cast(int, ...)  # Member attribute with unknown value but known type
LION = ...  # Member attribute with unknown value and unknown type

Contributed by Terence Honles in PR 17207 and Shantanu Jain in PR 18068.

Mypy 1.13

We’ve just uploaded mypy 1.13 to the Python Package Index (PyPI). Mypy is a static type checker for Python. You can install it as follows:

python3 -m pip install -U mypy

... (truncated)

Commits

• eb31034 Bump version to 1.13.0
• 2eeb588 Update changelog for 1.12.1 (#17999)
• bc0386b Changelog for 1.13 (#18000)
• 5c4d2db Add faster-cache extra, test in CI (#17978)
• 854ad18 Make is_sub_path faster (#17962)
• 50aa4ca Speed up stubs suggestions (#17965)
• 7c27808 Use orjson instead of json, when available (#17955)
• 2cd2406 Use fast path in modulefinder more often (#17950)
• e20aaee Let mypyc optimise os.path.join (#17949)
• 159974c Use sha1 for hashing (#17953)
• Additional commits viewable in compare view

Updates ruff from 0.6.9 to 0.8.2

Release notes

Sourced from ruff's releases.

0.8.2

Release Notes

Preview features

• [airflow] Avoid deprecated values (AIR302) (#14582)
• [airflow] Extend removed names for AIR302 (#14734)
• [ruff] Extend unnecessary-regular-expression to non-literal strings (RUF055) (#14679)
• [ruff] Implement used-dummy-variable (RUF052) (#14611)
• [ruff] Implement unnecessary-cast-to-int (RUF046) (#14697)

Rule changes

• [airflow] Check AIR001 from builtin or providers operators module (#14631)
• [flake8-pytest-style] Remove @ in pytest.mark.parametrize rule messages (#14770)
• [pandas-vet] Skip rules if the panda module hasn't been seen (#14671)
• [pylint] Fix false negatives for ascii and sorted in len-as-condition (PLC1802) (#14692)
• [refurb] Guard hashlib imports and mark hashlib-digest-hex fix as safe (FURB181) (#14694)

Configuration

• [flake8-import-conventions] Improve syntax check for aliases supplied in configuration for unconventional-import-alias (ICN001) (#14745)

Bug fixes

• Revert: [pyflakes] Avoid false positives in @no_type_check contexts (F821, F722) (#14615) (#14726)
• [pep8-naming] Avoid false positive for class Bar(type(foo)) (N804) (#14683)
• [pycodestyle] Handle f-strings properly for invalid-escape-sequence (W605) (#14748)
• [pylint] Ignore @overload in PLR0904 (#14730)
• [refurb] Handle non-finite decimals in verbose-decimal-constructor (FURB157) (#14596)
• [ruff] Avoid emitting assignment-in-assert when all references to the assigned variable are themselves inside asserts (RUF018) (#14661)

Documentation

• Improve docs for flake8-use-pathlib rules (#14741)
• Improve error messages and docs for flake8-comprehensions rules (#14729)
• [flake8-type-checking] Expands TC006 docs to better explain itself (#14749)

Contributors

• @​AlexWaygood
• @​Daverball
• @​InSyncWithFoo
• @​Lee-W
• @​Lokejoke
• @​Matt-Ord
• @​MichaReiser
• @​Well2333
• @​connorskees
• @​dcreager
• @​dhruvmanila

... (truncated)

Changelog

Sourced from ruff's changelog.

0.8.2

Preview features

• [airflow] Avoid deprecated values (AIR302) (#14582)
• [airflow] Extend removed names for AIR302 (#14734)
• [ruff] Extend unnecessary-regular-expression to non-literal strings (RUF055) (#14679)
• [ruff] Implement used-dummy-variable (RUF052) (#14611)
• [ruff] Implement unnecessary-cast-to-int (RUF046) (#14697)

Rule changes

• [airflow] Check AIR001 from builtin or providers operators module (#14631)
• [flake8-pytest-style] Remove @ in pytest.mark.parametrize rule messages (#14770)
• [pandas-vet] Skip rules if the panda module hasn't been seen (#14671)
• [pylint] Fix false negatives for ascii and sorted in len-as-condition (PLC1802) (#14692)
• [refurb] Guard hashlib imports and mark hashlib-digest-hex fix as safe (FURB181) (#14694)

Configuration

• [flake8-import-conventions] Improve syntax check for aliases supplied in configuration for unconventional-import-alias (ICN001) (#14745)

Bug fixes

• Revert: [pyflakes] Avoid false positives in @no_type_check contexts (F821, F722) (#14615) (#14726)
• [pep8-naming] Avoid false positive for class Bar(type(foo)) (N804) (#14683)
• [pycodestyle] Handle f-strings properly for invalid-escape-sequence (W605) (#14748)
• [pylint] Ignore @overload in PLR0904 (#14730)
• [refurb] Handle non-finite decimals in verbose-decimal-constructor (FURB157) (#14596)
• [ruff] Avoid emitting assignment-in-assert when all references to the assigned variable are themselves inside asserts (RUF018) (#14661)

Documentation

• Improve docs for flake8-use-pathlib rules (#14741)
• Improve error messages and docs for flake8-comprehensions rules (#14729)
• [flake8-type-checking] Expands TC006 docs to better explain itself (#14749)

0.8.1

Preview features

• Formatter: Avoid invalid syntax for format-spec with quotes for all Python versions (#14625)
• Formatter: Consider quotes inside format-specs when choosing the quotes for an f-string (#14493)
• Formatter: Do not consider f-strings with escaped newlines as multiline (#14624)
• Formatter: Fix f-string formatting in assignment statement (#14454)
• Formatter: Fix unnecessary space around power operator (**) in overlong f-string expressions (#14489)
• [airflow] Avoid implicit schedule argument to DAG and @dag (AIR301) (#14581)
• [flake8-builtins] Exempt private built-in modules (A005) (#14505)
• [flake8-pytest-style] Fix pytest.mark.parametrize rules to check calls instead of decorators (#14515)
• [flake8-type-checking] Implement runtime-cast-value (TC006) (#14511)

... (truncated)

Commits

• b0e26e6 Bump version to 0.8.2 (#14789)
• e9941cd [red-knot] Move standalone expr inference to for non-name target (#14788)
• 43bf1a8 Add tests for "keyword as identifier" syntax errors (#14754)
• fda8b1f [ruff] Unnecessary cast to int (RUF046) (#14697)
• 2d3f557 [red-knot] Fallback for typing._NoDefaultType (#14783)
• bd27bfa [red-knot] Unify setup_db() functions, add TestDb builder (#14777)
• 155d34b [red-knot] Infer precise types for len() calls (#14599)
• 04c887c Fix references for async-busy-wait (#14775)
• af43bd4 [red-knot] Gradual forms do not participate in equivalence/subtyping (#14758)
• 6149177 Remove @ in pytest.mark.parametrize rule messages (#14770)
• Additional commits viewable in compare view

Updates bandit from 1.7.10 to 1.8.0

Release notes

Sourced from bandit's releases.

1.8.0

What's Changed

• Bump docker/build-push-action from 6.7.0 to 6.9.0 by @​dependabot in PyCQA/bandit#1178
• Rename doc file to match proper bandit ID by @​ericwb in PyCQA/bandit#1183
• Removal of Python 3.8 support by @​ericwb in PyCQA/bandit#1174
• Add more insecure cryptography cipher algorithms by @​ericwb in PyCQA/bandit#1185
• Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 by @​dependabot in PyCQA/bandit#1186
• Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 by @​dependabot in PyCQA/bandit#1187
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1162
• No need to check httpx client without timeout defined by @​ericwb in PyCQA/bandit#1177
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1191
• Mark Python 3.13 as officially supported by @​ericwb in PyCQA/bandit#1192
• Update project urls with added links by @​ericwb in PyCQA/bandit#1193
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1196
• Add a JSON to seek funding from the FLOSS/fund by @​ericwb in PyCQA/bandit#1194
• Remove Sentry as a sponsor by @​ericwb in PyCQA/bandit#1198
• Remove more leftover OpenStack references by @​ericwb in PyCQA/bandit#1195

Full Changelog: PyCQA/bandit@1.7.10...1.8.0

Commits

• 8fd258a Remove more leftover OpenStack references (#1195)
• a19b072 Remove Sentry as a sponsor (#1198)
• 48e0258 Add a JSON to seek funding from the FLOSS/fund (#1194)
• 5300a21 [pre-commit.ci] pre-commit autoupdate (#1196)
• 0b249d9 Update project urls with added links (#1193)
• 4be653d Mark Python 3.13 as officially supported (#1192)
• 8e6dc1b [pre-commit.ci] pre-commit autoupdate (#1191)
• 071386b No need to check httpx client without timeout defined (#1177)
• 9b4d480 [pre-commit.ci] pre-commit autoupdate (#1162)
• ddf9b48 Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 (#1187)
• Additional commits viewable in compare view

Updates semgrep from 1.90.0 to 1.99.0

Release notes

Sourced from semgrep's releases.

Release v1.99.0

1.99.0 - 2024-12-05

Fixed

• Fix the date format used in --gitlab-sast option to match the spec and not use the RFC 3339. Thanks to Elias Haeussler for the fix. (saf-1755)

Release v1.97.0

1.97.0 - 2024-11-19

Added

• Improved logic for interfile analysis in TypeScript projects using project references. (code-7677)
• Semgrep Pro engine now resolves method invocations on abstract classes. In addition to the existing resolution for interface method invocations, this change further enhances dataflow tracking accuracy for dynamic method invocations. (code-7750)
• Added the ability to validate temporary AWS tokens in the secrets product. (gh-2554)
• Poetry.lock & Pyproject.toml parsers can now handle multiline strings. (ssc-1942)

Fixed

• Improved error handling for some networking errors (e.g., premature server disconnection). In some cases this would previously cause a fatal error, but we should instead be able to recover in most instances (and now can). (code-7715)
• Target file selection in git projects: files containing special characters (according to git) are now scanned correctly instead of being ignored. (saf-1687)
• Swift: Ellipses and metavariable ellipses can now be used as function parameters in patterns. (saf-1721)
• Semgrep will no longer freeze when tracing is enabled and it has a low memory limit (saf-1722)
• osemgrep-pro: Autofix and nosemgrep now work properly (saf-1724)

Release v1.96.0

1.96.0 - 2024-11-07

Added

• The pro engine now handles duplicate function names in C. When duplicate functions are found, we assume that any of the duplicated functions could be called. For example, if the function foo is defined in two different files,

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.99.0 - 2024-12-05

Fixed

• Fix the date format used in --gitlab-sast option to match the spec and not use the RFC 3339. Thanks to Elias Haeussler for the fix. (saf-1755)

1.98.0 - 2024-12-04

Added

• taint-mode: Semgrep will now track invididual fields/keys in record/dict expressions.

  For example, in Semgrep Pro:

  def foo():
      return { 0: "safe", 1: taint }
  def test():
  t = foo()
  sink(t[0]) # safe thus NO finding
  sink(t[1]) # finding (code-7781)
  

• The TypeScript parser now supports ellipses in function parameters. For example, the following code is TypeScript (as opposed to pure JavaScript) because it uses decorators on function parameters:

  foo(x, @Bar() y, z): string { return ''; }
  

  You can match this method using the following pattern:

  function $FN(..., @Bar(...) $X, ...) { ... }
  ``` (code-7800)
  

• [Pro only] Patterns such as new $T(...) will now match C# target-typed new expressions such as new (). (csharp-new)

• Symbolic propagation will now propagate record expressions. (flow-86)

• Adds support for SwiftPM Package.resolved version 3 to Supply Chain (sc-1964)

Changed

... (truncated)

Commits

• 2bbd0a5 chore: release version 1.99.0
• 8f80dbfsemgrep/semgrep-proprietary#2744
• dff3890semgrep/semgrep-proprietary#2743
• d1f99e0semgrep/semgrep-proprietary#2742
• 978fe59semgrep/semgrep-proprietary#2741
• 289f1a7semgrep/semgrep-proprietary#2740
• 7b0ff7e capabilities: use more <caps; ..> at def site to remove boilerplate (semgrep/...
• 8309689 capabilities: new CapExec.ml and forbid all UCmd functions in SCA code and el...
• 7eb4369 Cron - update semgrep-rules and semgrep-rules-pro submodules (semgrep/semgrep...
• b219159semgrep/semgrep-proprietary#2734
• Additional commits viewable in compare view

Updates pre-commit from 4.0.0 to 4.0.1

Release notes

Sourced from pre-commit's releases.

pre-commit v4.0.1

Fixes

• Fix pre-commit migrate-config for unquoted deprecated stages names with purelib pyyaml.
  • #3324 PR by @​asottile.
  • pre-commit-ci/issues#234 issue by @​lorenzwalthert.

Changelog

Sourced from pre-commit's changelog.

4.0.1 - 2024-10-08

Fixes

• Fix pre-commit migrate-config for unquoted deprecated stages names with purelib pyyaml.
  • #3324 PR by @​asottile.
  • pre-commit-ci/issues#234 issue by @​lorenzwalthert.

Commits

• cc4a522 v4.0.1
• 772d7d4 Merge pull request #3324 from pre-commit/migrate-config-purelib
• 222c62b fix migrate-config for purelib yaml
• 3d5548b Merge pull request #3323 from pre-commit/pre-commit-ci-update-config
• 4235a87 [pre-commit.ci] pre-commit autoupdate
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #10.