Bump the uv group across 1 directory with 5 updates

[dependabot]

Bumps the uv group with 5 updates in the / directory:

Package	From	To
tqdm	4.67.3	4.68.2
pysentry-rs	0.4.5	0.4.6
ruff	0.15.14	0.15.16
ty	0.0.40	0.0.46
mkdocstrings-python	2.0.3	2.0.4

Updates tqdm from 4.67.3 to 4.68.2

Release notes

Sourced from tqdm's releases.

tqdm v4.68.2 stable

• revert accidental change to ascii default (fixes #1760)
  • UnicodeEncodeError: 'charmap' codec can't encode characters in position 6-7: character maps to <undefined> can be fixed by installing tqdm!=4.68.0,!=4.68.1
• misc docs updates
  • fix links
  • replace stray rst -> md syntax
  • consistent "progress bar" terminology (#1737)
• tests: fix coverage (fixes #1760)

tqdm v4.68.1 stable

• set name of monitor thread (#1669, #1752 <- #1435)
• fix monitor thread atexit deadlock (#1751 <- #528, #627, #1435, #1564)
• docs: minor copyediting

tqdm v4.68.0 stable

• utils: simplify terminal size detection (#1760)
• contrib
  • itertools (#1760)
    • add chain, permutations, combinations, combinations_with_replacement, batched
    • add product(repeat=1) keyword argument (#1428)
  • fix discord, telegram error handling
  • fix discord, slack, telegram format for total=None
• soft-deprecate tqdm.utils.envwrap -> envwrap
• benchmarks: fix asv
• misc linting
• misc framework updates
  • CI: migrate manual job to pre-commit.ci
  • bump workflow actions & pre-commit hooks

Commits

• 4b33952 revert accidental change to tqdm(ascii) default
• b10848f docs: fix links
• 85b62dd docs: replace stray rst -> md
• d2fb04a docs: mention OpenAI sponsorship
• 85940f9 docs: consistent progress bar terminology
• 9dbb36b tests: fix coverage
• 67cf355 Merge pull request #1751 from jaltmayerpizzorno/fix-atexit-monitor-deadlock
• cfa4a85 minor docstring updates
• f83290c Fix TMonitor deadlock at interpreter shutdown
• 59029c3 Set name for tqdm monitor thread (#1752)
• Additional commits viewable in compare view

Updates pysentry-rs from 0.4.5 to 0.4.6

Release notes

Sourced from pysentry-rs's releases.

v0.4.6

✨ New Features

Audit a Single Dependency Group (--group)

The new --group flag scopes an audit to specific dependency groups instead of the whole dependency tree. It is supported for uv (uv.lock), Poetry (poetry.lock), and PEP 751 (pylock.toml) projects. PySentry audits your main dependencies ([project].dependencies / [tool.poetry.dependencies]) plus the selected group(s) and their transitive closure, leaving the rest out:

# Audit main dependencies + the "dev" group only
pysentry-rs --group dev
Multiple groups (repeatable or comma-separated)
pysentry-rs --group dev --group docs
pysentry-rs --group dev,docs

Group names are read from any of the standard locations:

• PEP 735 [dependency-groups] (with include-group recursion)
• PEP 621 [project.optional-dependencies]
• Poetry [tool.poetry.group.*]

Names are matched using PEP 735 normalization, so --group typing-test matches a declared typing_test. An unknown name fails with the list of available groups.

--group requires a lock file. Group filtering relies on a group-aware lock file — uv.lock, poetry.lock, or pylock.toml (including named pylock.<name>.toml variants) — alongside your pyproject.toml. On a project without one, PySentry fails fast with a clear error instead of silently auditing the full dependency set. (Pipfile.lock is not supported — Pipfile has no dependency-group concept.)

--group cannot be combined with --exclude-extra (or config scope = "main"), --requirements-files, or --no-resolver. It can also be set in config:

# .pysentry.toml
[defaults]
groups = ["dev", "docs"]

Resolves #151.

🐛 Bug Fixes

fail_on Silently Hid Vulnerabilities Below Its Threshold

fail_on (CLI --fail-on, config defaults.fail_on) is meant to control only the exit code — the severity at which an audit is considered a failure. A regression in v0.4.5 instead wired it into the matcher as a minimum-severity filter, so any vulnerability below the fail_on level was dropped from the report entirely rather than just being excluded from the pass/fail decision.

The effect scaled with the threshold. With the default fail_on = "medium", low-severity findings disappeared from the report. With fail_on = "critical", a project could contain many real high- and medium-severity vulnerabilities and still print ✓ No vulnerabilities found! with a clean exit. On one real uv.lock project (90 packages), v0.4.5 reported 0 vulnerabilities under fail_on = "critical" while the project actually had 31, several of them high severity.

PySentry now reports every matched vulnerability regardless of fail_on, and uses fail_on strictly to decide the exit code.

:::warning If you run PySentry with fail_on set above low (via --fail-on or config), affected vulnerabilities were missing from your reports while the audit may have exited successfully. Re-run your audit on this release. :::

... (truncated)

Commits

• a61cbfc Merge pull request #159 from nyudenkov/dev
• d22bc87 refactor: dedupe pyproject dependency parsing
• d107e06 v0.4.6
• 6f31945 readme: trying to make logo look okay
• 82a299c fix: bump rustls-webpki to 0.103.13 to clear RUSTSEC-2026-0098/0099/0104
• 89ba462 fix: version PyPA cache key to prevent cross-version EOCD crash
• 17f20b1 fix: stop fail_on from filtering reported vulnerabilities
• 48e800a ai: linked CLAUDE.md to AGENTS.md
• e8de12b docs: document dependency group auditing
• 418f3d4 feat: add dependency group audit scope
• Additional commits viewable in compare view

Updates ruff from 0.15.14 to 0.15.16

Release notes

Sourced from ruff's releases.

0.15.16

Release Notes

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.16

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

0.15.15

... (truncated)

Commits

• 6c498ab Bump 0.15.16 (#25635)
• e51e132 [flake8-async] Implement yield-in-context-manager-in-async-generator (`AS...
• 7c6dcd9 [ty] Add caching for pattern match narrowing (#25613)
• 27058fc [ty] Compact retained definition and expression identities (#25606)
• bf80d05 Fix CODEOWNERS syntax (#25622)
• 10ccd51 Shrink additional parser AST collections (#25465)
• 0d7135f [ty] Upgrade Salsa (#25545)
• 49493a3 [ty] Show type alias value on hover (#25381)
• 85207d3 [ty] sys.implementation.version is not sys.version_info (#25608)
• a8a0614 [ty] Avoid retaining duplicate function signatures (#25609)
• Additional commits viewable in compare view

Updates ty from 0.0.40 to 0.0.46

Release notes

Sourced from ty's releases.

0.0.46

Release Notes

Released on 2026-06-08.

Bug fixes

• Avoid crash when hovering over Callable (#25759)

Core type checking

• Support Callable() in match statement class patterns (#25541)
• Improve support for enum.property (#25681)

Contributors

• @​carljm
• @​charliermarsh
• @​thejchap

Install ty 0.0.46

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.46/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.46/ty-installer.ps1 | iex"

Download ty 0.0.46

File	Platform	Checksum
ty-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ty-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
ty-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
ty-i686-pc-windows-msvc.zip	x86 Windows	checksum
ty-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
ty-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
ty-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum
ty-powerpc64-unknown-linux-gnu.tar.gz	PPC64 Linux	checksum
ty-powerpc64le-unknown-linux-gnu.tar.gz	PPC64LE Linux	checksum
ty-riscv64gc-unknown-linux-gnu.tar.gz	RISCV Linux	checksum
ty-s390x-unknown-linux-gnu.tar.gz	S390x Linux	checksum
ty-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.46

Released on 2026-06-08.

Bug fixes

• Avoid crash when hovering over Callable (#25759)

Core type checking

• Support Callable() in match statement class patterns (#25541)
• Improve support for enum.property (#25681)

Contributors

• @​carljm
• @​charliermarsh
• @​thejchap

0.0.45

Released on 2026-06-08.

Bug fixes

• Avoid treating dynamic class attributes as instance attributes (#25678)
• Fix divergence in recursive inference due to ambiguous overload (#25548)
• Preserve literal promotion for mixed bounds (#25648)

Diagnostics

• Add missing-type-argument lint rule (#25617)

Core type checking

• Add support for narrowing on tuple match cases (#25493)
• Check implicit open TypedDict extra items (#25628)
• Create fresh copies of generic callable typevars (#24949)
• Preserve deprecation on replacement functions (#25688)
• Preserve intersection receivers during attribute lookup (#25626)
• Preserve transparent callable decorators (#25030)

Performance

• Avoid AST load for callable description names (#25728)
• Avoid caching absent class decorators and type parameters (#25689)
• Avoid caching atomic type specializations (#25663)
• Avoid caching constant constraint relations (#25656)
• Avoid caching missing implicit attributes (#25649)
• Avoid caching trivial class-header queries (#25692)

... (truncated)

Commits

• 2917c84 Bump version to 0.0.46 (#3700)
• 210302b Bump version to 0.0.45 (#3696)
• 5be8bff Use removeprefix for relative README image paths (#3685)
• cb8043c docs: add mypy/pyright rule mapping reference page (#3336)
• f5523e2 Bump version to 0.0.44 (#3667)
• 29ce314 Bump version to 0.0.43 (#3648)
• 794322d Update docker/build-push-action action to v7.2.0 (#3629)
• ce89685 Update prek dependencies (#3628)
• 792fb71 Update docker/login-action action to v4.2.0 (#3630)
• 5c37747 Update docker/metadata-action action to v6.1.0 (#3631)
• Additional commits viewable in compare view

Updates mkdocstrings-python from 2.0.3 to 2.0.4

Release notes

Sourced from mkdocstrings-python's releases.

2.0.4

2.0.4 - 2026-06-05

Compare with 2.0.3

Bug Fixes

• Display Methods instead of Functions for category headings inside classes (7bf8b98 by Timothée Mazzucotelli). Issue-330

Changelog

Sourced from mkdocstrings-python's changelog.

2.0.4 - 2026-06-05

Compare with 2.0.3

Bug Fixes

• Display Methods instead of Functions for category headings inside classes (7bf8b98 by Timothée Mazzucotelli). Issue-330

Commits

• dc6aa93 chore: Prepare release 2.0.4
• 7bf8b98 fix: Display Methods instead of Functions for category headings inside classes
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.