chore(deps): bump the pip group with 6 updates #2071

Merged
merged 1 commit into from
Feb 17, 2025

@dependabot dependabot bot commented on behalf of github Feb 17, 2025

Bumps the pip group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| mkdocs-material | 9.6.3 | 9.6.4 |
| mkdocstrings[python] | 0.28.0 | 0.28.1 |
| ruff | 0.9.5 | 0.9.6 |
| bandit | 1.8.2 | 1.8.3 |
| semgrep | 1.107.0 | 1.108.0 |
| coverage[toml] | 7.6.11 | 7.6.12 |

Updates mkdocs-material from 9.6.3 to 9.6.4

Release notes

Sourced from mkdocs-material's releases.

mkdocs-material-9.6.4

  • Fixed #7985: Blog content sometimes not stretching to full width
  • Fixed #7978: Navigation rendering bug in Safari 18.3

Changelog

Sourced from mkdocs-material's changelog.

mkdocs-material-9.6.4 (2025-02-12)

  • Fixed #7985: Blog content sometimes not stretching to full width
  • Fixed #7978: Navigation rendering bug in Safari 18.3

mkdocs-material-9.6.3 (2025-02-07)

  • Fixed rendering of arrow heads in Mermaid.js class diagrams
  • Fixed #7960: Tags plugin crashes on numeric metadata titles

mkdocs-material-9.6.2 (2025-02-03)

  • Fixed #7955: Excessively long words don't break on narrow screens
  • Fixed #7947: Scope setting interferes with outdated version banner

mkdocs-material-9.6.1 (2025-01-31)

  • Fixed #7943: Tags plugin crashing due to merge error

mkdocs-material-9.6.0 (2025-01-31)

  • Added meta plugin
  • Rewrite of the tags plugin
  • Added support for allow lists in tags plugin
  • Added support for and custom sorting in tags plugin
  • Added support for related links in blog plugin
  • Added support for custom index pages in blog plugin
  • Added support for navigation subtitles
  • Fixed #7924: Anchors might require two clicks when using instant navigation

mkdocs-material-9.5.50 (2025-01-18)

  • Fixed #7913: Social plugin renders attribute lists in page title

mkdocs-material-9.5.49+insiders-4.53.15 (2025-01-15)

  • Fixed #7896: Scoped tags listings not rendering in subsections

mkdocs-material-9.5.49 (2024-12-16)

  • Adjusted title color in dark mode for all supported Mermaid.js diagrams
  • Fixed #7803: Privacy plugin crashes on generated files
  • Fixed #7781: Mermaid.js flow chart title not visible in dark mode

mkdocs-material-9.5.48 (2024-12-08)

  • Fixed #7774: Disabling social cards doesn't work

mkdocs-material-9.5.47 (2024-12-01)

... (truncated)

Commits

Updates mkdocstrings[python] from 0.28.0 to 0.28.1

Release notes

Sourced from mkdocstrings[python]'s releases.

0.28.1

0.28.1 - 2025-02-14

Compare with 0.28.0

Bug Fixes

Changelog

Sourced from mkdocstrings[python]'s changelog.

0.28.1 - 2025-02-14

Compare with 0.28.0

Bug Fixes

Commits
  • 145954c chore: Prepare release 0.28.1
  • 4ab180d fix: Renew MkDocs' relpath processor instead of using same instance
  • ede1941 chore: Increase mkdocstrings-python lower bound again
  • e1eb99c docs: Use inventories instead of import for Python example
  • 926dd7e docs: Remove trailing spaces
  • 698a321 chore: Update mkdocstrings-python dev-dep to force uv to install it
  • 1cb9177 chore: Update location of the Python handler's JSON schema
  • See full diff in compare view

Updates ruff from 0.9.5 to 0.9.6

Release notes

Sourced from ruff's releases.

0.9.6

Release Notes

Preview features

  • [airflow] Add external_task.{ExternalTaskMarker, ExternalTaskSensor} for AIR302 (#16014)
  • [flake8-builtins] Make strict module name comparison optional (A005) (#15951)
  • [flake8-pyi] Extend fix to Python <= 3.9 for redundant-none-literal (PYI061) (#16044)
  • [pylint] Also report when the object isn't a literal (PLE1310) (#15985)
  • [ruff] Implement indented-form-feed (RUF054) (#16049)
  • [ruff] Skip type definitions for missing-f-string-syntax (RUF027) (#16054)

Rule changes

  • [flake8-annotations] Correct syntax for typing.Union in suggested return type fixes for ANN20x rules (#16025)
  • [flake8-builtins] Match upstream module name comparison (A005) (#16006)
  • [flake8-comprehensions] Detect overshadowed list/set/dict, ignore variadics and named expressions (C417) (#15955)
  • [flake8-pie] Remove following comma correctly when the unpacked dictionary is empty (PIE800) (#16008)
  • [flake8-simplify] Only trigger SIM401 on known dictionaries (#15995)
  • [pylint] Do not report calls when object type and argument type mismatch, remove custom escape handling logic (PLE1310) (#15984)
  • [pyupgrade] Comments within parenthesized value ranges should not affect applicability (UP040) (#16027)
  • [pyupgrade] Don't introduce invalid syntax when upgrading old-style type aliases with parenthesized multiline values (UP040) (#16026)
  • [pyupgrade] Ensure we do not rename two type parameters to the same name (UP049) (#16038)
  • [pyupgrade] [ruff] Don't apply renamings if the new name is shadowed in a scope of one of the references to the binding (UP049, RUF052) (#16032)
  • [ruff] Update RUF009 to behave similar to B008 and ignore attributes with immutable types (#16048)

Server

  • Root exclusions in the server to project root (#16043)

Bug fixes

  • [flake8-datetime] Ignore .replace() calls while looking for .astimezone (#16050)
  • [flake8-type-checking] Avoid TC004 false positive where the runtime definition is provided by __getattr__ (#16052)

Documentation

  • Improve ruff-lsp migration document (#16072)
  • Undeprecate ruff.nativeServer (#16039)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.9.6

Preview features

  • [airflow] Add external_task.{ExternalTaskMarker, ExternalTaskSensor} for AIR302 (#16014)
  • [flake8-builtins] Make strict module name comparison optional (A005) (#15951)
  • [flake8-pyi] Extend fix to Python <= 3.9 for redundant-none-literal (PYI061) (#16044)
  • [pylint] Also report when the object isn't a literal (PLE1310) (#15985)
  • [ruff] Implement indented-form-feed (RUF054) (#16049)
  • [ruff] Skip type definitions for missing-f-string-syntax (RUF027) (#16054)

Rule changes

  • [flake8-annotations] Correct syntax for typing.Union in suggested return type fixes for ANN20x rules (#16025)
  • [flake8-builtins] Match upstream module name comparison (A005) (#16006)
  • [flake8-comprehensions] Detect overshadowed list/set/dict, ignore variadics and named expressions (C417) (#15955)
  • [flake8-pie] Remove following comma correctly when the unpacked dictionary is empty (PIE800) (#16008)
  • [flake8-simplify] Only trigger SIM401 on known dictionaries (#15995)
  • [pylint] Do not report calls when object type and argument type mismatch, remove custom escape handling logic (PLE1310) (#15984)
  • [pyupgrade] Comments within parenthesized value ranges should not affect applicability (UP040) (#16027)
  • [pyupgrade] Don't introduce invalid syntax when upgrading old-style type aliases with parenthesized multiline values (UP040) (#16026)
  • [pyupgrade] Ensure we do not rename two type parameters to the same name (UP049) (#16038)
  • [pyupgrade] [ruff] Don't apply renamings if the new name is shadowed in a scope of one of the references to the binding (UP049, RUF052) (#16032)
  • [ruff] Update RUF009 to behave similar to B008 and ignore attributes with immutable types (#16048)

Server

  • Root exclusions in the server to project root (#16043)

Bug fixes

  • [flake8-datetime] Ignore .replace() calls while looking for .astimezone (#16050)
  • [flake8-type-checking] Avoid TC004 false positive where the runtime definition is provided by __getattr__ (#16052)

Documentation

  • Improve ruff-lsp migration document (#16072)
  • Undeprecate ruff.nativeServer (#16039)

Commits

Updates bandit from 1.8.2 to 1.8.3

Release notes

Sourced from bandit's releases.

1.8.3

What's Changed

New Contributors

Full Changelog: PyCQA/bandit@1.8.2...1.8.3

Commits

Updates semgrep from 1.107.0 to 1.108.0

Release notes

Sourced from semgrep's releases.

Release v1.108.0

1.108.0 - 2025-02-12

Added

  • pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)

Changed

  • Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
  • The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and "semgrep.policy:" are now filtered from the JSON output unless you are logged in with the Semgrep appsec platform. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
  • The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)

Fixed

  • This PR changes the way we handle failures in git worktree remove more gracefully. Instead of erroring, we continue to scan so that the user can still get results, but log the error. It also adds a guard so that this failure is less likely to happen and will include more debugging information when it does. (sms-521)

Changelog

Sourced from semgrep's changelog.

1.108.0 - 2025-02-12

Added

  • pro: Semgrep can now dynamically resolve dependencies for Python projects using pip, allowing it to determine transitive dependencies automatically. (sc-2069)

Changed

  • Bump base Alpine docker image from 3.19 to 3.21. (alpine-version)
  • The semgrep-appsec-platform specific metadata fields "semgrep.dev:" and "semgrep.policy:" are now filtered from the JSON output unless you are logged in with the Semgrep appsec platform. See https://semgrep.dev/docs/semgrep-appsec-platform/json-and-sarif#json for more information. (metadata-filter)
  • The Semgrep Docker image now uses Python 3.12 (bumped from 3.11). (python-version)

Fixed

  • This PR changes the way we handle failures in git worktree remove more gracefully. Instead of erroring, we continue to scan so that the user can still get results, but log the error. It also adds a guard so that this failure is less likely to happen and will include more debugging information when it does. (sms-521)

Commits
  • 2fc9561 chore: release version 1.108.0
  • 5014e89 semgrep/semgrep-proprietary#3100
  • db0cd24 semgrep/semgrep-proprietary#3
  • db7b46e Update Generic Secrets to only show the messaging in CI context [SCRT-831] (s...
  • e8be00f refactor: Add GetTargets Python -> OCaml RPC call (semgrep/semgrep-proprietar...
  • b5d0bce chore(lfs): Bump base docker image to alpine:3.21 (semgrep/semgrep-propriet...
  • b595c25 semgrep/semgrep-proprietary#3064
  • 01e54c5 semgrep/semgrep-proprietary#3082
  • 94dc594 Update docs to reflect the symbol analysis data that we can collect for scrat...
  • 6ed0d6c refactor: Enforce keyword args for TargetManager constructor and one method (...
  • Additional commits viewable in compare view

Updates coverage[toml] from 7.6.11 to 7.6.12

Release notes

Sourced from coverage[toml]'s releases.

7.6.12

Version 7.6.12 — 2025-02-11

  • Fix: some aarch64 distributions were missing (issue 1927). These are now building reliably.

➡️ PyPI page: coverage 7.6.12.
➡️ To install: python3 -m pip install coverage==7.6.12

Changelog

Sourced from coverage[toml]'s changelog.

Version 7.6.12 — 2025-02-11

  • Fix: some aarch64 distributions were missing (issue 1927_). These are now building reliably.

.. _issue 1927: nedbat/coveragepy#1927

.. _changes_7-6-11:

Commits
  • 7e5373e docs: sample HTML for 7.6.12
  • a4ed38b docs: prep for 7.6.12
  • ce4efdc build: fix aarch64 kits #1927
  • a1f3192 build: don't publish if kit building failed
  • bb68f99 chore: bump the action-dependencies group with 2 updates (#1926)
  • f3d6b4a refactor: check for more kinds of constant tests
  • 67899ea refactor: we no longer care what kind of constant the compile-time constants are
  • c850f20 refactor: macOS is MACOS, not OSX
  • a1b2c1a build: there are always tweaks to howto.txt
  • 9c03039 build: bump version to 7.6.12
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the pip group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [mkdocs-material](https://github.com/squidfunk/mkdocs-material) | `9.6.3` | `9.6.4` |
| [mkdocstrings[python]](https://github.com/mkdocstrings/mkdocstrings) | `0.28.0` | `0.28.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.9.5` | `0.9.6` |
| [bandit](https://github.com/PyCQA/bandit) | `1.8.2` | `1.8.3` |
| [semgrep](https://github.com/returntocorp/semgrep) | `1.107.0` | `1.108.0` |
| [coverage[toml]](https://github.com/nedbat/coveragepy) | `7.6.11` | `7.6.12` |


Updates `mkdocs-material` from 9.6.3 to 9.6.4
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.6.3...9.6.4)

Updates `mkdocstrings[python]` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/mkdocstrings/mkdocstrings/releases)
- [Changelog](https://github.com/mkdocstrings/mkdocstrings/blob/main/CHANGELOG.md)
- [Commits](mkdocstrings/mkdocstrings@0.28.0...0.28.1)

Updates `ruff` from 0.9.5 to 0.9.6
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.9.5...0.9.6)

Updates `bandit` from 1.8.2 to 1.8.3
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](PyCQA/bandit@1.8.2...1.8.3)

Updates `semgrep` from 1.107.0 to 1.108.0
- [Release notes](https://github.com/returntocorp/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.107.0...v1.108.0)

Updates `coverage[toml]` from 7.6.11 to 7.6.12
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](nedbat/coveragepy@7.6.11...7.6.12)

---
updated-dependencies:
- dependency-name: mkdocs-material
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: mkdocstrings[python]
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: bandit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: semgrep
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: coverage[toml]
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies and python labels Feb 17, 2025
@davorrunje davorrunje enabled auto-merge February 17, 2025 12:23
@davorrunje davorrunje added this pull request to the merge queue Feb 17, 2025
Merged via the queue into main with commit 927e069 Feb 17, 2025
31 checks passed
@davorrunje davorrunje deleted the dependabot/pip/pip-7bb7557429 branch February 17, 2025 12:47