Deps: Bump the python-packages group with 6 updates

[dependabot]

Bumps the python-packages group with 6 updates:

Package	From	To
furo	2025.9.25	2025.12.19
importlib-metadata	8.7.0	8.7.1
librt	0.7.3	0.7.4
mypy	1.19.0	1.19.1
ruff	0.14.9	0.14.10
soupsieve	2.8	2.8.1

Updates furo from 2025.9.25 to 2025.12.19

Release notes

Sourced from furo's releases.

2025.12.19

• Bump the supported Sphinx version range

Full Changelog: pradyunsg/furo@2025.09.25...2025.12.19

Changelog

Sourced from furo's changelog.

2025.12.19 -- Harmonious Honeydew

• ✨ Add support for Sphinx 9.
• Drop support for Sphinx 6.

2025.09.25 -- Gleaming Green

• Change the dark mode code back to native.

2025.07.19 -- Frozen Flame

• ✨ Switch to accessible-pygments themes
• ✨ Prefetch the sidebar logos
• ✨ Fix flickering header drop shadow on Safari
• Add rel=edit attribute to "Edit this page" link/icon
• Bump NodeJS and npm dependency versions
• Bump Saas & Webpack major versions
• Improve current page detection to be resilient to sticky elements above header
• Modernise Sass and use @use + @forward
• Remove top of code border-radius with captions
• Remove "debug printf" for headerTop value
• Use distinct images for light and dark mode in the documentation
• Use the modern Saas Modules

2024.08.06 -- Energetic Eminence

• ✨ Add support for Sphinx 8
• ✨ Add smoother transitions between breakpoints
• Increase specificity of table-wrapper selector
• Avoid page breaks inside paragraphs

2024.07.18 -- Dull Denim

• Improve how icons are handled and aligned.
• Improve scroll event handler.
• Hide the copybutton by default.
• Fix source_view_link configuration handling.
• Fix close tag on pencil icon.

2024.05.06 -- Cheerful Cerulean

• ✨ Add new custom icons for auto mode, reflecting the currently active theme.
• ✨ Add a view this page button.
• ✨ Add colours and highlighting to "version modified" API helpers.
• ✨ Add release information to various customisation knobs.
• Make all icons bigger and use a thinner stroke with them.

2024.04.27 -- Bold Burgundy

• Add a skip to content link.

... (truncated)

Commits

• dd9e9f9 Prepare release: 2025.12.19
• d43f7e9 Update changelog
• d27cab5 Bump the supported Sphinx version range
• 12f288e Back to development
• See full diff in compare view

Updates importlib-metadata from 8.7.0 to 8.7.1

Changelog

Sourced from importlib-metadata's changelog.

v8.7.1

Bugfixes

• Fixed errors in FastPath under fork-multiprocessing. (#520)
• Removed cruft from Python 3.8. (#524)

Commits

• 84e9028 Finalize
• 36ed6f6 Merge pull request #521 from 2xB/fix520
• f6eee56 Rely on passthrough to designate a wrapper for its side effect.
• 3c9510b Prefer noop for degenerate behavior.
• a36bab9 Avoid if block.
• 8dd2937 Decouple clear_after_fork from lru_cache and then compose.
• 1da3f45 Add news fragment.
• a1c25d8 🧎‍♀️ Genuflect to the types.
• 4e962a8 👹 Feed the hobgoblins (delint).
• 6a30ab9 Allow initial currsize to be greater than one (as happens when running the te...
• Additional commits viewable in compare view

Updates librt from 0.7.3 to 0.7.4

Commits

• 87e3647 Sync mypy and bump version to 0.7.4
• 62e0564 Add some badges to README (#25)
• See full diff in compare view

Updates mypy from 1.19.0 to 1.19.1

Changelog

Sourced from mypy's changelog.

Mypy 1.19.1

• Fix noncommutative joins with bounded TypeVars (Shantanu, PR 20345)
• Respect output format for cached runs by serializing raw errors in cache metas (Ivan Levkivskyi, PR 20372)
• Allow types.NoneType in match cases (A5rocks, PR 20383)
• Fix mypyc generator regression with empty tuple (BobTheBuidler, PR 20371)
• Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR 20323)
• Fix crash on star import of redefinition (Ivan Levkivskyi, PR 20333)
• Fix crash on typevar with forward ref used in other module (Ivan Levkivskyi, PR 20334)
• Fail with an explicit error on PyPy (Ivan Levkivskyi, PR 20389)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• A5rocks
• BobTheBuidler
• bzoracler
• Chainfire
• Christoph Tyralla
• David Foster
• Frank Dana
• Guo Ci
• iap
• Ivan Levkivskyi
• James Hilton-Balfe
• jhance
• Joren Hammudoglu
• Jukka Lehtosalo
• KarelKenens
• Kevin Kannammalil
• Marc Mueller
• Michael Carlstrom
• Michael J. Sullivan
• Piotr Sawicki
• Randolf Scholz
• Shantanu
• Sigve Sebastian Farstad
• sobolevn
• Stanislav Terliakov
• Stephen Morton
• Theodore Ando
• Thiago J. Barbalho
• wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.18

We’ve just uploaded mypy 1.18.1 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance

... (truncated)

Commits

• 412c19a Bump version to 1.19.1
• 20aea0a Update changelog for 1.19.1 (#20414)
• 2b23b50 Serialize raw errors in cache metas (#20372)
• f60f90f Fail on PyPy in main instead of setup.py (#20389)
• 58d485b Fail with an explicit error on PyPy (#20384)
• a4b31a2 Allow types.NoneType in match cases (#20383)
• 8a6eff4 [mypyc] fix generator regression with empty tuple (#20371)
• 70eceea Fix noncommutative joins with bounded TypeVars (#20345)
• 3890fc4 Fix crash involving Unpack-ed TypeVarTuple (#20323)
• c93d917 Fix crash on star import of redefinition (#20333)
• Additional commits viewable in compare view

Updates ruff from 0.14.9 to 0.14.10

Release notes

Sourced from ruff's releases.

0.14.10

Release Notes

Released on 2025-12-18.

Preview features

• [formatter] Fluent formatting of method chains (#21369)
• [formatter] Keep lambda parameters on one line and parenthesize the body if it expands (#21385)
• [flake8-implicit-str-concat] New rule to prevent implicit string concatenation in collections (ISC004) (#21972)
• [flake8-use-pathlib] Make fixes unsafe when types change in compound statements (PTH104, PTH105, PTH109, PTH115) (#22009)
• [refurb] Extend support for Path.open (FURB101, FURB103) (#21080)

Bug fixes

• [pyupgrade] Fix parsing named Unicode escape sequences (UP032) (#21901)

Rule changes

• [eradicate] Ignore ruff:disable and ruff:enable comments in ERA001 (#22038)
• [flake8-pytest-style] Allow match and check keyword arguments without an expected exception type (PT010) (#21964)
• [syntax-errors] Annotated name cannot be global (#20868)

Documentation

• Add uv and ty to the Ruff README (#21996)
• Document known lambda formatting deviations from Black (#21954)
• Update setup.md (#22024)
• [flake8-bandit] Fix broken link (S704) (#22039)

Other changes

• Fix playground Share button showing "Copied!" before clipboard copy completes (#21942)

Contributors

• @​dylwil3
• @​charliecloudberry
• @​charliermarsh
• @​chirizxc
• @​ntBre
• @​zanieb
• @​amyreese
• @​hauntsaninja
• @​11happy
• @​mahiro72
• @​MichaReiser
• @​phongddo
• @​PeterJCLaw

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.10

Released on 2025-12-18.

Preview features

• [formatter] Fluent formatting of method chains (#21369)
• [formatter] Keep lambda parameters on one line and parenthesize the body if it expands (#21385)
• [flake8-implicit-str-concat] New rule to prevent implicit string concatenation in collections (ISC004) (#21972)
• [flake8-use-pathlib] Make fixes unsafe when types change in compound statements (PTH104, PTH105, PTH109, PTH115) (#22009)
• [refurb] Extend support for Path.open (FURB101, FURB103) (#21080)

Bug fixes

• [pyupgrade] Fix parsing named Unicode escape sequences (UP032) (#21901)

Rule changes

• [eradicate] Ignore ruff:disable and ruff:enable comments in ERA001 (#22038)
• [flake8-pytest-style] Allow match and check keyword arguments without an expected exception type (PT010) (#21964)
• [syntax-errors] Annotated name cannot be global (#20868)

Documentation

• Add uv and ty to the Ruff README (#21996)
• Document known lambda formatting deviations from Black (#21954)
• Update setup.md (#22024)
• [flake8-bandit] Fix broken link (S704) (#22039)

Other changes

• Fix playground Share button showing "Copied!" before clipboard copy completes (#21942)

Contributors

• @​dylwil3
• @​charliecloudberry
• @​charliermarsh
• @​chirizxc
• @​ntBre
• @​zanieb
• @​amyreese
• @​hauntsaninja
• @​11happy
• @​mahiro72
• @​MichaReiser
• @​phongddo
• @​PeterJCLaw

Commits

• 45bbb4c Bump 0.14.10 (#22058)
• 42b9727 [ty] Use datatest instead of dirtest (#21937)
• f7ec178 [ty] Gracefully handle client requests that can't be deserialized (#22051)
• c315164 [ty] Don't suggest keyword statements when only expressions are valid
• bb1955e [ty] Use cursor context in a few more places...
• 070e08a [ty] Move completion function to the top
• bab3924 [ty] Refactor completion generation
• 10748b2 [flake8-pytest-style] Allow match and check keyword arguments without a...
• 56539db [ty] Fix some configuration panics in the LSP (#22040)
• 8d32ad1 [ty] Add support for attribute docstrings (#22036)
• Additional commits viewable in compare view

Updates soupsieve from 2.8 to 2.8.1

Release notes

Sourced from soupsieve's releases.

2.8.1

• FIX: Changes in tests to accommodate latest Python HTML parser changes.

Commits

• f899797 Adjust changelog
• 1b964a8 Switch to using Zensical for documents (#286)
• 046ce54 Adjustments for changes in HTML parser (#285)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 23efc27.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

poetry.lock

Package	Version	License	Issue Type
librt	0.7.4	Null	Unknown License
mypy	1.19.1	Null	Unknown License

Allowed Licenses:

0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-3.0, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
pip/furo	2025.12.19	🟢 4.4	Details Check Score Reason Maintained 🟢 5 5 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review ⚠️ 2 Found 7/27 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 9 1 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/importlib-metadata	8.7.1	🟢 5.1	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 0/22 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 8 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License ⚠️ 0 license file not detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/librt	0.7.4	Unknown	Unknown
pip/mypy	1.19.1	🟢 7.2	Details Check Score Reason Code-Review 🟢 8 Found 24/29 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/ruff	0.14.10	Unknown	Unknown
pip/soupsieve	2.8.1	🟢 5.6	Details Check Score Reason Code-Review ⚠️ 1 Found 4/27 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• poetry.lock

[greenbonebot]

Scan: 'poetry.lock'

Nothing detected in poetry.lock
Scan took 0.02 seconds

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.