Deps: Bump the python-packages group with 4 updates

[dependabot]

Bumps the python-packages group with 4 updates: anyio, mypy, pygments and ruff.

Updates anyio from 4.7.0 to 4.8.0

Release notes

Sourced from anyio's releases.

4.8.0

• Added experimental support for running functions in subinterpreters on Python 3.13 and later
• Added support for the copy(), copy_into(), move() and move_into() methods in anyio.Path, available in Python 3.14
• Changed TaskGroup on asyncio to always spawn tasks non-eagerly, even if using a task factory created via asyncio.create_eager_task_factory(), to preserve expected Trio-like task scheduling semantics (PR by @​agronholm and @​graingert)
• Configure SO_RCVBUF, SO_SNDBUF and TCP_NODELAY on the selector thread waker socket pair (this should improve the performance of wait_readable() and wait_writable() when using the ProactorEventLoop) (#836; PR by @​graingert)
• Fixed AssertionError when using nest-asyncio (#840)
• Fixed return type annotation of various context managers' __exit__ method (#847; PR by @​Enegg)

Changelog

Sourced from anyio's changelog.

Version history

This library adheres to Semantic Versioning 2.0 <http://semver.org/>_.

4.8.0

• Added experimental support for running functions in subinterpreters on Python 3.13 and later
• Added support for the copy(), copy_into(), move() and move_into() methods in anyio.Path, available in Python 3.14
• Changed TaskGroup on asyncio to always spawn tasks non-eagerly, even if using a task factory created via asyncio.create_eager_task_factory(), to preserve expected Trio-like task scheduling semantics (PR by @​agronholm and @​graingert)
• Configure SO_RCVBUF, SO_SNDBUF and TCP_NODELAY on the selector thread waker socket pair (this should improve the performance of wait_readable()) and wait_writable() when using the ProactorEventLoop ([#836](https://github.com/agronholm/anyio/issues/836) <https://github.com/agronholm/anyio/pull/836>_; PR by @​graingert)
• Fixed AssertionError when using nest-asyncio ([#840](https://github.com/agronholm/anyio/issues/840) <https://github.com/agronholm/anyio/issues/840>_)
• Fixed return type annotation of various context managers' __exit__ method ([#847](https://github.com/agronholm/anyio/issues/847) <https://github.com/agronholm/anyio/issues/847>_; PR by @​Enegg)

4.7.0

• Updated TaskGroup to work with asyncio's eager task factories ([#764](https://github.com/agronholm/anyio/issues/764) <https://github.com/agronholm/anyio/issues/764>_)
• Added the wait_readable() and wait_writable() functions which will accept an object with a .fileno() method or an integer handle, and deprecated their now obsolete versions (wait_socket_readable() and wait_socket_writable()) (PR by @​davidbrochart)
• Changed EventAdapter (an Event with no bound async backend) to allow set() to work even before an async backend is bound to it ([#819](https://github.com/agronholm/anyio/issues/819) <https://github.com/agronholm/anyio/issues/819>_)
• Added support for wait_readable() and wait_writable() on ProactorEventLoop (used on asyncio + Windows by default)
• Fixed a misleading ValueError in the context of DNS failures ([#815](https://github.com/agronholm/anyio/issues/815) <https://github.com/agronholm/anyio/issues/815>_; PR by @​graingert)
• Fixed the return type annotations of readinto() and readinto1() methods in the anyio.AsyncFile class ([#825](https://github.com/agronholm/anyio/issues/825) <https://github.com/agronholm/anyio/issues/825>_)
• Fixed TaskInfo.has_pending_cancellation() on asyncio returning false positives in cleanup code on Python >= 3.11 ([#832](https://github.com/agronholm/anyio/issues/832) <https://github.com/agronholm/anyio/issues/832>_; PR by @​gschaffner)
• Fixed cancelled cancel scopes on asyncio calling asyncio.Task.uncancel when propagating a CancelledError on exit to a cancelled parent scope ([#790](https://github.com/agronholm/anyio/issues/790) <https://github.com/agronholm/anyio/pull/790>_; PR by @​gschaffner)

4.6.2

... (truncated)

Commits

• 74022ec Bumped up the version
• 264a6f9 Added support for subinterpreter workers (#850)
• 6d612a9 Refactored waiting for tasks to complete from task group on the asyncio backe...
• 8b7a535 Removed the unwarranted gc_collect fixture
• acdac7a Changed TaskGroup to always spawn tasks lazily, even with eager task factorie...
• 43e1f5f Fixed __exit__() return type of various context managers (#849)
• e8730ae Added preliminary support for Python 3.14 (#813)
• 9a792f3 Pruned unnecessary mypy options
• 2a105b2 Updated downstream test workflow
• 3f8c639 [pre-commit.ci] pre-commit autoupdate (#846)
• Additional commits viewable in compare view

Updates mypy from 1.14.0 to 1.14.1

Commits

• 251d12f Remove +dev from version for release 1.14.1
• 667e5f7 Revert "Remove redundant inheritances from Iterator in builtins" (#18324)
• 67f673a Fix enum truthiness for StrEnum (#18379)
• 3755abb Fix getargs argument passing (#18350)
• b9fa8ee Update version to 1.14.1+dev for point release
• See full diff in compare view

Updates pygments from 2.18.0 to 2.19.0

Release notes

Sourced from pygments's releases.

2.19.0

• New lexers:

  • CodeQL (#2819)
  • Debian Sources (#2788, #2747)
  • Gleam (#2662)
  • GoogleSQL (#2820, #2814)
  • JSON5 (#2734, #1880)
  • Maple (#2763, #2548)
  • NumbaIR (#2433)
  • PDDL (#2799, #2616)
  • Rego (#2794)
  • TableGen (#2751)
  • Vue.js (#2832)

• Updated lexers:

  • BQN: Various improvements (#2789)
  • C#: Fix number highlighting (#986, #2727), add file keyword (#2726, #2805, #2806), add various other keywords (#2745, #2770)
  • CSS: Add revert (#2766, #2775)
  • Debian control: Add Change-By field (#2757)
  • Elip: Improve punctuation handling (#2651)
  • Igor: Add int (#2801)
  • Ini: Fix quoted strings with embedded comment characters (#2767, #2720)
  • Java: Support functions returning types containing a question mark (#2737)
  • JavaScript: Support private identiiers (#2729, #2671)
  • LLVM: Add splat, improve floating-point number parsing (#2755)
  • Lua: Improve variable detection, add built-in functions (#2829)
  • Macaulay2: Update to 1.24.11 (#2800)
  • PostgreSQL: Add more EXPLAIN keywords (#2785), handle / (#2774)
  • S-Lexer: Fix keywords (#2082, #2750)
  • TransactSQL: Fix single-line comments (#2717)
  • Turtle: Fix triple quoted strings (#2744, #2758)
  • Typst: Various improvements (#2724)
  • Various: Add ^ as an operator to Matlab, Octave and Scilab (#2798)
  • Vyper: Add staticcall and extcall (#2719)

• Mark file extensions for HTML/XML+Evoque as aliases (#2743)
• Add a color for Operator.Word to the rrt style (#2709)
• Fix broken link in the documentation (#2803, #2804)
• Drop executable bit where not needed (#2781)
• Reduce Mojo priority relative to Python in ``analyze_text´` (#2771, #2772)
• Fix documentation builds (#2712)
• Match example file names to the lexer's name (#2713, #2715)
• Ensure lexer metadata is present (#2714)
• Search more directories on macOS for fonts (#2809)
• Improve test robustness (#2812)

Changelog

Sourced from pygments's changelog.

Version 2.19.0

(released January 5th, 2025)

• New lexers:

  • CodeQL (#2819)
  • Debian Sources (#2788, #2747)
  • Gleam (#2662)
  • GoogleSQL (#2820, #2814)
  • JSON5 (#2734, #1880)
  • Maple (#2763, #2548)
  • NumbaIR (#2433)
  • PDDL (#2799, #2616)
  • Rego (#2794)
  • TableGen (#2751)
  • Vue.js (#2832)

• Updated lexers:

  • BQN: Various improvements (#2789)
  • C#: Fix number highlighting (#986, #2727), add file keyword (#2726, #2805, #2806), add various other keywords (#2745, #2770)
  • CSS: Add revert (#2766, #2775)
  • Debian control: Add Change-By field (#2757)
  • Elip: Improve punctuation handling (#2651)
  • Igor: Add int (#2801)
  • Ini: Fix quoted strings with embedded comment characters (#2767, #2720)
  • Java: Support functions returning types containing a question mark (#2737)
  • JavaScript: Support private identiiers (#2729, #2671)
  • LLVM: Add splat, improve floating-point number parsing (#2755)
  • Lua: Improve variable detection, add built-in functions (#2829)
  • Macaulay2: Update to 1.24.11 (#2800)
  • PostgreSQL: Add more EXPLAIN keywords (#2785), handle / (#2774)
  • S-Lexer: Fix keywords (#2082, #2750)
  • TransactSQL: Fix single-line comments (#2717)
  • Turtle: Fix triple quoted strings (#2744, #2758)
  • Typst: Various improvements (#2724)
  • Various: Add ^ as an operator to Matlab, Octave and Scilab (#2798)
  • Vyper: Add staticcall and extcall (#2719)

• Mark file extensions for HTML/XML+Evoque as aliases (#2743)
• Add a color for Operator.Word to the rrt style (#2709)
• Fix broken link in the documentation (#2803, #2804)
• Drop executable bit where not needed (#2781)
• Reduce Mojo priority relative to Python in ``analyze_text´` (#2771, #2772)
• Fix documentation builds (#2712)
• Match example file names to the lexer's name (#2713, #2715)
• Ensure lexer metadata is present (#2714)
• Search more directories on macOS for fonts (#2809)
• Improve test robustness (#2812)

Commits

• 62dff31 Prepare 2.19 release.
• 0ee47fb It's 2025.
• 3f79c5d Check fixes.
• ed13988 Small fixes for Maple lexer.
• a522163 Merge pull request #2763 from Randl/master
• 69216f7 Small fixes for Numba IR.
• 08b8a96 Merge pull request #2433 from Matt711/numbair
• 9ac75ea Small fixups for CodeQL.
• ef4f5e9 Merge pull request #2819 from DarkaMaul/dm/add-codeql-lexer
• 2dc2c3f Merge branch 'master' into dm/add-codeql-lexer
• Additional commits viewable in compare view

Updates ruff from 0.8.4 to 0.8.6

Release notes

Sourced from ruff's releases.

0.8.6

Release Notes

Preview features

• [format]: Preserve multiline implicit concatenated strings in docstring positions (#15126)
• [ruff] Add rule to detect empty literal in deque call (RUF025) (#15104)
• [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)

Rule changes

• [flake8-todos] remove issue code length restriction (TD003) (#15175)
• [pyflakes] Ignore errors in @no_type_check string annotations (F722, F821) (#15215)

CLI

• Show errors for attempted fixes only when passed --verbose (#15237)

Bug fixes

• [ruff] Avoid syntax error when removing int over multiple lines (RUF046) (#15230)
• [pyupgrade] Revert "Add all PEP-585 names to UP006 rule" (#15250)

Contributors

• @​AlexWaygood
• @​InSyncWithFoo
• @​Lee-W
• @​MichaReiser
• @​augustelalande
• @​charliermarsh
• @​dcreager
• @​dylwil3
• @​mdbernard
• @​sharkdp
• @​w0nder1ng

Install ruff 0.8.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy ByPass -c "irm https://github.com/astral-sh/ruff/releases/download/0.8.6/ruff-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ruff's changelog.

0.8.6

Preview features

• [format]: Preserve multiline implicit concatenated strings in docstring positions (#15126)
• [ruff] Add rule to detect empty literal in deque call (RUF025) (#15104)
• [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)

Rule changes

• [flake8-todos] remove issue code length restriction (TD003) (#15175)
• [pyflakes] Ignore errors in @no_type_check string annotations (F722, F821) (#15215)

CLI

• Show errors for attempted fixes only when passed --verbose (#15237)

Bug fixes

• [ruff] Avoid syntax error when removing int over multiple lines (RUF046) (#15230)
• [pyupgrade] Revert "Add all PEP-585 names to UP006 rule" (#15250)

0.8.5

Preview features

• [airflow] Extend names moved from core to provider (AIR303) (#15145, #15159, #15196, #15216)
• [airflow] Extend rule to check class attributes, methods, arguments (AIR302) (#15054, #15083)
• [fastapi] Update FAST002 to check keyword-only arguments (#15119)
• [flake8-type-checking] Disable TC006 and TC007 in stub files (#15179)
• [pylint] Detect nested methods correctly (PLW1641) (#15032)
• [ruff] Detect more strict-integer expressions (RUF046) (#14833)
• [ruff] Implement falsy-dict-get-fallback (RUF056) (#15160)
• [ruff] Implement unnecessary-round (RUF057) (#14828)

Rule changes

• Visit PEP 764 inline TypedDict keys as non-type-expressions (#15073)
• [flake8-comprehensions] Skip C416 if comprehension contains unpacking (#14909)
• [flake8-pie] Allow cast(SomeType, ...) (PIE796) (#15141)
• [flake8-simplify] More precise inference for dictionaries (SIM300) (#15164)
• [flake8-use-pathlib] Catch redundant joins in PTH201 and avoid syntax errors (#15177)
• [pycodestyle] Preserve original value format (E731) (#15097)
• [pydocstyle] Split on first whitespace character (D403) (#15082)
• [pyupgrade] Add all PEP-585 names to UP006 rule (#5454)

Configuration

• [flake8-type-checking] Improve flexibility of runtime-evaluated-decorators (#15204)
• [pydocstyle] Add setting to ignore missing documentation for *args and **kwargs parameters (D417) (#15210)

... (truncated)

Commits

• 6b907c1 Ruff 0.8.6 (#15253)
• f319531 Make unreachable a test rule for now (#15252)
• e4d9fe0 Revert "Add all PEP-585 names to UP006 rule" (#15250)
• baf0d66 Update salsa (#15243)
• bde8ecd [red-knot] Remove unneeded branch in Type::is_equivalent_to() (#15242)
• 842f882 [ruff] Avoid reporting when ndigits is possibly negative (RUF057) (#15234)
• 75015b0 Attribute panics to the mdtests that cause them (#15241)
• 706d87f Show errors for attempted fixes only when passed --verbose (#15237)
• 0837cdd [RUF] Add rule to detect empty literal in deque call (RUF025) (#15104)
• 0dbfa8d TD003: remove issue code length restriction (#15175)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3f64dda.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

poetry.lock

Package	Version	License	Issue Type
ruff	0.8.6	0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT	Incompatible License
mypy	1.14.1	Null	Unknown License

Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-or-later, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-DFS-2016, Unlicense

OpenSSF Scorecard

Package	Version	Score	Details
pip/anyio	4.8.0	🟢 5.6	Details Check Score Reason Code-Review 🟢 5 Found 15/27 approved changesets -- score normalized to 5 Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/mypy	1.14.1	🟢 6.2	Details Check Score Reason Code-Review 🟢 7 Found 23/30 approved changesets -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pygments	2.19.0	🟢 6.3	Details Check Score Reason Code-Review 🟢 4 Found 13/30 approved changesets -- score normalized to 4 Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy ⚠️ 0 security policy file not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/ruff	0.8.6	Unknown	Unknown

Scanned Files

• poetry.lock