build(deps): bump the pip group across 1 directory with 5 updates

[dependabot]

Bumps the pip group with 5 updates in the / directory:

Package	From	To
mypy	1.11.2	1.14.1
ruff	0.6.9	0.8.6
bandit	1.7.10	1.8.0
semgrep	1.90.0	1.101.0
pre-commit	4.0.0	4.0.1

Updates mypy from 1.11.2 to 1.14.1

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next release

Drop Support for Python 3.8

Mypy no longer supports running with Python 3.8, which has reached end-of-life. When running mypy with Python 3.9+, it is still possible to type check code that needs to support Python 3.8 with the --python-version 3.8 argument. Support for this will be dropped in the first half of 2025!

Contributed by Marc Mueller (PR 17492).

Mypyc accelerated mypy wheels for aarch64

Mypy can compile itself to C extension modules using mypyc. This makes mypy 3-5x faster than if mypy is interpreted with pure Python. We now build and upload mypyc accelerated mypy wheels for manylinux_aarch64 to PyPI, making it easy for users on such platforms to realise this speedup.

Contributed by Christian Bundy (PR mypy_mypyc-wheels#76)

--strict-bytes

By default, mypy treats an annotation of bytes as permitting bytearray and memoryview. PEP 688 specified the removal of this special case. Use this flag to disable this behavior. --strict-bytes will be enabled by default in mypy 2.0.

Contributed by Ali Hamdan (PR 18137) and Shantanu Jain (PR 13952).

Improvements to partial type handling in loops

This change results in mypy better modelling control flow within loops and hence detecting several issues it previously did not detect. In some cases, this change may require use of an additional explicit annotation of a variable.

Contributed by Christoph Tyralla (PR 18180).

(Speaking of partial types, another reminder that mypy plans on enabling --local-partial-types by default in mypy 2.0).

Mypy 1.14

We’ve just uploaded mypy 1.14 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

... (truncated)

Commits

• 251d12f Remove +dev from version for release 1.14.1
• 667e5f7 Revert "Remove redundant inheritances from Iterator in builtins" (#18324)
• 67f673a Fix enum truthiness for StrEnum (#18379)
• 3755abb Fix getargs argument passing (#18350)
• b9fa8ee Update version to 1.14.1+dev for point release
• 6f37859 Remove +dev from version for release 1.14
• 5a6a754 Minor updates to 1.14 changelog (#18310)
• 9772d48 Update changelog for release 1.14 (#18301)
• 92473c8 Warn about --follow-untyped-imports (#18249)
• e6ce8be PEP 702 (@​deprecated): descriptors (#18090)
• Additional commits viewable in compare view

Updates ruff from 0.6.9 to 0.8.6

Release notes

Sourced from ruff's releases.

0.8.6

Release Notes

Preview features

• [format]: Preserve multiline implicit concatenated strings in docstring positions (#15126)
• [ruff] Add rule to detect empty literal in deque call (RUF025) (#15104)
• [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)

Rule changes

• [flake8-todos] remove issue code length restriction (TD003) (#15175)
• [pyflakes] Ignore errors in @no_type_check string annotations (F722, F821) (#15215)

CLI

• Show errors for attempted fixes only when passed --verbose (#15237)

Bug fixes

• [ruff] Avoid syntax error when removing int over multiple lines (RUF046) (#15230)
• [pyupgrade] Revert "Add all PEP-585 names to UP006 rule" (#15250)

Contributors

• @​AlexWaygood
• @​InSyncWithFoo
• @​Lee-W
• @​MichaReiser
• @​augustelalande
• @​charliermarsh
• @​dcreager
• @​dylwil3
• @​mdbernard
• @​sharkdp
• @​w0nder1ng

Install ruff 0.8.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy ByPass -c "irm https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ruff's changelog.

0.8.6

Preview features

• [format]: Preserve multiline implicit concatenated strings in docstring positions (#15126)
• [ruff] Add rule to detect empty literal in deque call (RUF025) (#15104)
• [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)

Rule changes

• [flake8-todos] remove issue code length restriction (TD003) (#15175)
• [pyflakes] Ignore errors in @no_type_check string annotations (F722, F821) (#15215)

CLI

• Show errors for attempted fixes only when passed --verbose (#15237)

Bug fixes

• [ruff] Avoid syntax error when removing int over multiple lines (RUF046) (#15230)
• [pyupgrade] Revert "Add all PEP-585 names to UP006 rule" (#15250)

0.8.5

Preview features

• [airflow] Extend names moved from core to provider (AIR303) (#15145, #15159, #15196, #15216)
• [airflow] Extend rule to check class attributes, methods, arguments (AIR302) (#15054, #15083)
• [fastapi] Update FAST002 to check keyword-only arguments (#15119)
• [flake8-type-checking] Disable TC006 and TC007 in stub files (#15179)
• [pylint] Detect nested methods correctly (PLW1641) (#15032)
• [ruff] Detect more strict-integer expressions (RUF046) (#14833)
• [ruff] Implement falsy-dict-get-fallback (RUF056) (#15160)
• [ruff] Implement unnecessary-round (RUF057) (#14828)

Rule changes

• Visit PEP 764 inline TypedDict keys as non-type-expressions (#15073)
• [flake8-comprehensions] Skip C416 if comprehension contains unpacking (#14909)
• [flake8-pie] Allow cast(SomeType, ...) (PIE796) (#15141)
• [flake8-simplify] More precise inference for dictionaries (SIM300) (#15164)
• [flake8-use-pathlib] Catch redundant joins in PTH201 and avoid syntax errors (#15177)
• [pycodestyle] Preserve original value format (E731) (#15097)
• [pydocstyle] Split on first whitespace character (D403) (#15082)
• [pyupgrade] Add all PEP-585 names to UP006 rule (#5454)

Configuration

• [flake8-type-checking] Improve flexibility of runtime-evaluated-decorators (#15204)
• [pydocstyle] Add setting to ignore missing documentation for *args and **kwargs parameters (D417) (#15210)

... (truncated)

Commits

• 6b907c1 Ruff 0.8.6 (#15253)
• f319531 Make unreachable a test rule for now (#15252)
• e4d9fe0 Revert "Add all PEP-585 names to UP006 rule" (#15250)
• baf0d66 Update salsa (#15243)
• bde8ecd [red-knot] Remove unneeded branch in Type::is_equivalent_to() (#15242)
• 842f882 [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)
• 75015b0 Attribute panics to the mdtests that cause them (#15241)
• 706d87f Show errors for attempted fixes only when passed --verbose (#15237)
• 0837cdd [RUF] Add rule to detect empty literal in deque call (RUF025) (#15104)
• 0dbfa8d TD003: remove issue code length restriction (#15175)
• Additional commits viewable in compare view

Updates bandit from 1.7.10 to 1.8.0

Release notes

Sourced from bandit's releases.

1.8.0

What's Changed

• Bump docker/build-push-action from 6.7.0 to 6.9.0 by @​dependabot in PyCQA/bandit#1178
• Rename doc file to match proper bandit ID by @​ericwb in PyCQA/bandit#1183
• Removal of Python 3.8 support by @​ericwb in PyCQA/bandit#1174
• Add more insecure cryptography cipher algorithms by @​ericwb in PyCQA/bandit#1185
• Bump docker/setup-buildx-action from 3.6.1 to 3.7.1 by @​dependabot in PyCQA/bandit#1186
• Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 by @​dependabot in PyCQA/bandit#1187
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1162
• No need to check httpx client without timeout defined by @​ericwb in PyCQA/bandit#1177
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1191
• Mark Python 3.13 as officially supported by @​ericwb in PyCQA/bandit#1192
• Update project urls with added links by @​ericwb in PyCQA/bandit#1193
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci in PyCQA/bandit#1196
• Add a JSON to seek funding from the FLOSS/fund by @​ericwb in PyCQA/bandit#1194
• Remove Sentry as a sponsor by @​ericwb in PyCQA/bandit#1198
• Remove more leftover OpenStack references by @​ericwb in PyCQA/bandit#1195

Full Changelog: PyCQA/bandit@1.7.10...1.8.0

Commits

• 8fd258a Remove more leftover OpenStack references (#1195)
• a19b072 Remove Sentry as a sponsor (#1198)
• 48e0258 Add a JSON to seek funding from the FLOSS/fund (#1194)
• 5300a21 [pre-commit.ci] pre-commit autoupdate (#1196)
• 0b249d9 Update project urls with added links (#1193)
• 4be653d Mark Python 3.13 as officially supported (#1192)
• 8e6dc1b [pre-commit.ci] pre-commit autoupdate (#1191)
• 071386b No need to check httpx client without timeout defined (#1177)
• 9b4d480 [pre-commit.ci] pre-commit autoupdate (#1162)
• ddf9b48 Bump sigstore/cosign-installer from 3.6.0 to 3.7.0 (#1187)
• Additional commits viewable in compare view

Updates semgrep from 1.90.0 to 1.101.0

Release notes

Sourced from semgrep's releases.

Release v1.101.0

1.101.0 - 2024-12-18

Added

• Improved pnpm-lock.yaml parsing. (gh-2663)

Changed

• Re-ordered some terminal output of semgrep ci to allow semgrep-app to block scans based on specific findings (SECW-2740)
• A few fields in the JSON output (e.g., "fingerprint", "metavars") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (json)
• We're renaming semgrep OSS to Semgrep Community Edition. See https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/ for more information. (rename)
• A few fields in the SARIF output (e.g., "fingerprints") require now the user to be logged in to see them. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif for more information. (sarif)

Fixed

• pro: Improved inter-file tracking of tainted global variables. (code-7054)

• Python (pro-only): Taint now correctly tracks through calls to class methods within a class, via the cls parameter.

  So for instance, we would be able to determine a source-to-sink vulnerability in the following code snippet:

  class A:
    def foo(self, x):
      sink(x)
  @​classmethod
  
  def bar(cls):
  
  cls.foo(source)
  </code></pre>
  </li>
  <li>
  <p>pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)</p>
  </li>
  <li>
  <p>Restored the &quot;rules&quot; field in the SARIF output, even when logged out. (saf-1794)</p>
  </li>
  </ul>
  <h2>Release v1.100.0</h2>
  <!-- raw HTML omitted -->
  </blockquote>
  <p>... (truncated)</p>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md&quot;&gt;semgrep's changelog</a>.</em></p>
  
  <blockquote>
  
  <h2><a href="https://github.com/semgrep/semgrep/releases/tag/v1.101.0&quot;&gt;1.101.0&lt;/a> - 2024-12-18</h2>
  
  <h3>Added</h3>
  
  <ul>
  
  <li>Improved pnpm-lock.yaml parsing. (<a href="https://redirect.github.com/returntocorp/semgrep/issues/2663&quot;&gt;gh-2663&lt;/a&gt;)&lt;/li>
  
  </ul>
  
  <h3>Changed</h3>
  
  <ul>
  
  <li>Re-ordered some terminal output of <code>semgrep ci</code> to allow semgrep-app to block scans based on specific findings (SECW-2740)</li>
  
  <li>A few fields in the JSON output (e.g., &quot;fingerprint&quot;, &quot;metavars&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json&lt;/a>
  
  for more information. (json)</li>
  
  <li>We're renaming semgrep OSS to Semgrep Community Edition.
  
  See <a href="https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&quot;&gt;https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/&lt;/a>
  
  for more information. (rename)</li>
  
  <li>A few fields in the SARIF output (e.g., &quot;fingerprints&quot;) require now
  
  the user to be logged in to see them.
  
  See <a href="https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&quot;&gt;https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#sarif&lt;/a>
  
  for more information. (sarif)</li>
  
  </ul>
  
  <h3>Fixed</h3>
  
  <ul>
  
  <li>
  
  <p>pro: Improved inter-file tracking of tainted global variables. (code-7054)</p>
  
  </li>
  
  <li>
  
  <p>Python (pro-only): Taint now correctly tracks through calls to class methods
  
  within a class, via the <code>cls</code> parameter.</p>
  
  <p>So for instance, we would be able to determine a source-to-sink
  
  vulnerability in the following code snippet:</p>
  
  <pre><code>class A:
  
  def foo(self, x):
  
  sink(x)
  @classmethod
  
  def bar(cls):
  
  cls.foo(source)
  &lt;/code&gt;&lt;/pre&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;pro: Fixed bug when generating inter-procedural taint traces, that it could
  cause a call-step to be missing in the trace. (saf-1783)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
  &lt;p&gt;Restored the &amp;quot;rules&amp;quot; field in the SARIF output, even when logged out. (saf-1794)&lt;/p&gt;
  &lt;/li&gt;
  &lt;/ul&gt;
  &lt;h2&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/releases/tag/v1.100.0&quot;&gt;1.100.0&lt;/a&gt; - 2024-12-12&lt;/h2&gt;
  &lt;!-- raw HTML omitted --&gt;
  &lt;/blockquote&gt;
  &lt;p&gt;... (truncated)&lt;/p&gt;
  &lt;/details&gt;
  &lt;details&gt;
  &lt;summary&gt;Commits&lt;/summary&gt;
  
  &lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/da1124acb54b20c57ba454b49cb7ea65be7bac00&quot;&gt;&lt;code&gt;da1124a&lt;/code&gt;&lt;/a&gt; chore: release version 1.101.0&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/611bdbd15026dfdd38fa30b93889925fa50e444e&quot;&gt;&lt;code&gt;611bdbd&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2800&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/c04cd3859d74839950e7f4bce522b76871123533&quot;&gt;&lt;code&gt;c04cd38&lt;/code&gt;&lt;/a&gt; SARIF: restore the &amp;quot;rules&amp;quot; field even when logged out (semgrep/semgrep-propri...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/ac656ed70771e53ac85ca89d8d02331427f4d0e3&quot;&gt;&lt;code&gt;ac656ed&lt;/code&gt;&lt;/a&gt; osemgrep: Remove use of Fmt for Xxx_report.ml and consolidate in Text_reports...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/9dc60c18cdba6eb6925b240456f93363fc3bfe54&quot;&gt;&lt;code&gt;9dc60c1&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/bfd1c717c66602912bc0c1d5dd4d6d8946531df8&quot;&gt;&lt;code&gt;bfd1c71&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2745&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/eeb85e609c7382f6b09230c048500d3fb2eba18d&quot;&gt;&lt;code&gt;eeb85e6&lt;/code&gt;&lt;/a&gt; feat: Reorder output of &lt;code&gt;semgrep ci&lt;/code&gt; to allow the app to mark specific findin...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/f74a69d9b124baf7c7745747605d2199a8c8a9c1&quot;&gt;&lt;code&gt;f74a69d&lt;/code&gt;&lt;/a&gt; tainting: Fix missing call-steps in taint traces (semgrep/semgrep-proprietary...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/81a65de263260978efd9c75dfeac13d333587666&quot;&gt;&lt;code&gt;81a65de&lt;/code&gt;&lt;/a&gt; Add changelog entries for the gated loggedin fields (semgrep/semgrep-propriet...&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://github.com/semgrep/semgrep/commit/dc6f9b2971283110066b9703beabaed2f0936bc8&quot;&gt;&lt;code&gt;dc6f9b2&lt;/code&gt;&lt;/a&gt;&lt;code&gt;semgrep/semgrep-proprietary#2756&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Additional commits viewable in &lt;a href=&quot;https://github.com/returntocorp/semgrep/compare/v1.90.0...v1.101.0&quot;&gt;compare view&lt;/a&gt;&lt;/li&gt;
  &lt;/ul&gt;
  &lt;/details&gt;
  
  &lt;br /&gt;
  </code></pre>
  
  Updates `pre-commit` from 4.0.0 to 4.0.1
  <details>
  <summary>Release notes</summary>
  <p><em>Sourced from <a href="https://github.com/pre-commit/pre-commit/releases">pre-commit's releases</a>.</em></p>
  <blockquote>
  <h2>pre-commit v4.0.1</h2>
  <h3>Fixes</h3>
  <ul>
  <li>Fix <code>pre-commit migrate-config</code> for unquoted deprecated stages names with
  purelib <code>pyyaml</code>.
  <ul>
  <li><a href="https://redirect.github.com/pre-commit/pre-commit/issues/3324">#3324</a> PR by <a href="https://github.com/asottile"><code>@​asottile</code></a>.</li>
  <li><a href="https://redirect.github.com/pre-commit-ci/issues/issues/234">pre-commit-ci/issues#234</a> issue by <a href="https://github.com/lorenzwalthert"><code>@​lorenzwalthert</code></a>.</li>
  </ul>
  </li>
  </ul>
  </blockquote>
  </details>
  <details>
  <summary>Changelog</summary>
  <p><em>Sourced from <a href="https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md">pre-commit's changelog</a>.</em></p>
  <blockquote>
  <h1>4.0.1 - 2024-10-08</h1>
  <h3>Fixes</h3>
  <ul>
  <li>Fix <code>pre-commit migrate-config</code> for unquoted deprecated stages names with
  purelib <code>pyyaml</code>.
  <ul>
  <li><a href="https://redirect.github.com/pre-commit/pre-commit/issues/3324">#3324</a> PR by <a href="https://github.com/asottile"><code>@​asottile</code></a>.</li>
  <li><a href="https://redirect.github.com/pre-commit-ci/issues/issues/234">pre-commit-ci/issues#234</a> issue by <a href="https://github.com/lorenzwalthert"><code>@​lorenzwalthert</code></a>.</li>
  </ul>
  </li>
  </ul>
  </blockquote>
  </details>
  <details>
  <summary>Commits</summary>
  <ul>
  <li><a href="https://github.com/pre-commit/pre-commit/commit/cc4a52241565440ce200666799eef70626457488"><code>cc4a522</code></a> v4.0.1</li>
  <li><a href="https://github.com/pre-commit/pre-commit/commit/772d7d45d38b45a52355d8da708c068a0f242b00"><code>772d7d4</code></a> Merge pull request <a href="https://redirect.github.com/pre-commit/pre-commit/issues/3324">#3324</a> from pre-commit/migrate-config-purelib</li>
  <li><a href="https://github.com/pre-commit/pre-commit/commit/222c62bc5d2907efbd6052c5fb89c4c027400044"><code>222c62b</code></a> fix migrate-config for purelib yaml</li>
  <li><a href="https://github.com/pre-commit/pre-commit/commit/3d5548b487c4133181998a0a99148682625af8d1"><code>3d5548b</code></a> Merge pull request <a href="https://redirect.github.com/pre-commit/pre-commit/issues/3323">#3323</a> from pre-commit/pre-commit-ci-update-config</li>
  <li><a href="https://github.com/pre-commit/pre-commit/commit/4235a877f3ac4998b41e9cce8a709ac13de159b5"><code>4235a87</code></a> [pre-commit.ci] pre-commit autoupdate</li>
  <li>See full diff in <a href="https://github.com/pre-commit/pre-commit/compare/v4.0.0...v4.0.1">compare view</a></li>
  </ul>
  </details>
  <br />
  
  
  Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
  
  [//]: # (dependabot-automerge-start)
  [//]: # (dependabot-automerge-end)
  
  ---
  
  <details>
  <summary>Dependabot commands and options</summary>
  <br />
  
  You can trigger Dependabot actions by commenting on this PR:
  - `@dependabot rebase` will rebase this PR
  - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  - `@dependabot merge` will merge this PR after your CI passes on it
  - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  - `@dependabot reopen` will reopen this PR if it is closed
  - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
  - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
  - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
  
  
  </details>