⬆ Bump the python-packages group across 1 directory with 8 updates

[dependabot]

Bumps the python-packages group with 8 updates in the / directory:

Package	From	To
prek	0.3.2	0.4.1
pytest	8.4.2	9.0.3
mypy	1.14.1	2.1.0
ruff	0.13.0	0.15.13
respx	0.22.0	0.23.1
time-machine	2.15.0	3.2.0
ty	0.0.35	0.0.38
zizmor	1.24.1	1.25.2

Updates prek from 0.3.2 to 0.4.1

Release notes

Sourced from prek's releases.

0.4.1

Release Notes

Released on 2026-05-20.

Enhancements

• Fix pre-push range after rebase (#2089)
• Prefer extensions over loose filename tags (#2092)
• Skip installs for hooks that will not run (#2103)

Performance

• Optimize meta hook file scans (#2106)
• Reduce run filtering allocations (#2090)

Contributors

• @​j178

Install prek 0.4.1

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prek/releases/download/v0.4.1/prek-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/j178/prek/releases/download/v0.4.1/prek-installer.ps1 | iex"

Install prebuilt binaries via Homebrew

brew install prek

Download prek 0.4.1

File	Platform	Checksum
prek-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
prek-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
prek-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
prek-i686-pc-windows-msvc.zip	x86 Windows	checksum
prek-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
prek-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum

... (truncated)

Changelog

Sourced from prek's changelog.

0.4.1

Released on 2026-05-20.

Enhancements

• Fix pre-push range after rebase (#2089)
• Prefer extensions over loose filename tags (#2092)
• Skip installs for hooks that will not run (#2103)

Performance

• Optimize meta hook file scans (#2106)
• Reduce run filtering allocations (#2090)

Contributors

• @​j178

0.4.0

Released on 2026-05-14.

Breaking changes

These are narrow cleanup breaks in behavior that was either temporary or never worked correctly. Most users should not need to change anything.

• Generated hook scripts no longer preserve -q, -v, or --no-progress passed to prek install. This only affects users who expected those global flags to be baked into installed hooks. (#1966)
• language_version no longer accepts direct executable paths. Use language_version: system for a system toolchain, or use a supported version request instead. This path form did not work reliably before, so existing working configs should be unaffected. (#1831)

Enhancements

• Expand tilde in --config, --cd, --log-file and --git-dir (#2063)
• Prevent auto-update cooldown downgrades (#2055)
• Use managed npm cache for node hooks (#2075)

Bug fixes

• Fix npm config env overrides for node hooks (#2074)

Documentation

• Add cookbook page for enabling Git 2.54 config-based global hooks (#2061)

Contributors

• @​j178

0.3.13

... (truncated)

Commits

• 871b9ed Bump version to 0.4.1 (#2107)
• 3c26faf Optimize meta hook file scans (#2106)
• 7780f11 Clean up run hook installation flow (#2105)
• c5dc885 Refine hook install filtering (#2104)
• 9db879e Skip installs for hooks that will not run (#2103)
• 2a0da57 Simplify workspace file handling (#2102)
• 33ca060 Lock file maintenance (#2072)
• 03f11c0 Update GitHub Actions (#2101)
• 354f431 Update dependency uv to v0.11.13 (#2094)
• 4a41828 Update Rust crate quick-xml to v0.39.4 (#2098)
• Additional commits viewable in compare view

Updates pytest from 8.4.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Updates mypy from 1.14.1 to 2.1.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 2.1

We’ve just uploaded mypy 2.1.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

librt.vecs: Fast Growable Array Type for Mypyc

The new librt.vecs module provides an efficient growable array type vec that is optimized for mypyc use. It provides fast, packed arrays with integer and floating point value types, which can be several times faster than list, and tens of times faster than array.array in code compiled using mypyc. It also supports nested vec objects and non-value-type items, such as vec[vec[str]].

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo.

librt.random: Fast Pseudo-Random Number Generation

The new librt.random module provides fast pseudo-random number generation that is optimized for code compiled using mypyc. It can be 3x to 10x faster than the stdlib random module in compiled code.

Refer to the documentation for the details.

Contributed by Jukka Lehtosalo (PR 21433).

Mypyc Improvements

• Make compilation order with multiple files consistent (Piotr Sawicki, PR 21419)
• Fix crash on accessing StopAsyncIteration (Piotr Sawicki, PR 21406)
• Fix incremental compilation with separate flag (Vaggelis Danias, PR 21299)

Fixes to Crashes

• Fix crash on partial type with --allow-redefinition and global declaration (Jukka Lehtosalo, PR 21428)
• Fix broken awaitable generator patching (Ivan Levkivskyi, PR 21435)

Changes to Messages

... (truncated)

Commits

• c1c336d Remove +dev from version
• 74df14b Add changelog for mypy 2.1 (#21464)
• 022d9bc Revert "TypeForm: Enable by default (#21262)"
• 8826288 [mypyc] Document librt.random (#21463)
• 3f4067b Bump librt version to 0.11.0 (#21458)
• 2b1eb58 [mypyc] Enable incremental self-compilation (#21369)
• 8152f4a Respect file config comments for stale modules (#21444)
• 116d60b Fix nondeterminism from nonassociativity of overload joins (#21455)
• 6c4af8e Fix function call message change for small number of args (#21432)
• 4b8fdca [mypyc] Add librt.random module (#21433)
• Additional commits viewable in compare view

Updates ruff from 0.13.0 to 0.15.13

Release notes

Sourced from ruff's releases.

0.15.13

Release Notes

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.13

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#24996)

Bug fixes

• Fix F811 false positive for class methods (#24933)
• Fix setting selection for multi-folder workspace (#24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#24098)

Rule changes

• Always include panic payload in panic diagnostic message (#24873)
• Restrict PYI034 for in-place operations to enclosing class (#24511)
• Improve error message for parameters that are declared global (#24902)
• Update known stdlib (#25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#25123)

CLI

• Add TOML examples to --config help text (#25013)
• Colorize ruff check 'All checks passed' (#25085)

Configuration

• Increase max allowed value of line-length setting (#24962)

Documentation

• Add D203 to rules that conflict with the formatter (#25044)
• Clarify COM819 and formatter interaction (#25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#25054)
• Update number of lint rules supported (#24942)

Other changes

• Simplify the playground's markdown template (#24924)

Contributors

• @​MichaReiser

... (truncated)

Commits

• 2afb467 Bump 0.15.13 (#25157)
• 3008796 [ty] classify TypeVar semantic tokens as type parameters (#24891)
• 79470e3 [isort] Avoid constructing glob::Patterns for literal known modules (#25123)
• 2522549 Remove shellcheck from prek (#25154)
• 7db7170 [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
• bb3dd53 [ty] Run full iteration analysis on narrowed typevars (#25143)
• 828cdb7 [ty] Isolate file-watching test environment (#25151)
• 89e1d86 [ty] Preserve TypedDict keys through dict unpacking (#24523)
• 86f3064 [ty] Avoid accessing args[0] for static_assert (#25149)
• ed819f9 [ty] Treat custom enum __new__ values as dynamic (#25136)
• Additional commits viewable in compare view

Updates respx from 0.22.0 to 0.23.1

Release notes

Sourced from respx's releases.

Version 0.23.1

0.23.1 (8th April 2026)

Fixed

• Fix regression causing params pattern to stop working under some conditions, by doing a strict detection of ANY in multi items patterns (#313)

CI

• Update workflows actions (#310)

Version 0.23.0

0.23.0 (7th April 2026)

Fixed

• Fix data pattern with list value (#264)
• Fix and enhance incorrect documentations about iterable side effects (#287)
• Fix documentation typo, thanks @​markhobson (#298)
• Fix support for multiple slashes // in URL path by not using urljoin when prepending path, thanks @​lewiscollard and @​Skeen (#302)
• Type Route.respond json as Any to align with HTTPX, thanks @​JacobHayes (#284)
• Properly handle ANY in MuitiItems patterns (#289)

CI

• Fix test warnings (#267)
• Add Python 3.14 to test matrix, thanks @​carlosdorneles-mb (#300)
• Update nix flake, mypy target and workflows (#306, #282)

Changelog

Sourced from respx's changelog.

[0.23.1] - 2026-04-08

Fixed

• Fix regression causing params pattern to stop working under some conditions, by doing a strict detection of ANY in multi items patterns (#313)

CI

• Update workflows actions (#310)

[0.23.0] - 2026-04-07

Fixed

• Fix data pattern with list value (#264)
• Fix and enhance incorrect documentations about iterable side effects (#287)
• Fix documentation typo, thanks @​markhobson (#298)
• Fix support for multiple slashes // in URL path by not using urljoin when prepending path, thanks @​lewiscollard and @​Skeen (#302)
• Type Route.respond json as Any to align with HTTPX, thanks @​JacobHayes (#284)
• Properly handle ANY in MuitiItems patterns (#289)

CI

• Fix test warnings (#267)
• Add Python 3.14 to test matrix, thanks @​carlosdorneles-mb (#300)
• Update nix flake, mypy target and workflows (#306, #282)

Commits

• fc8b43b Release 0.23.1
• 1da5d2f Strict detection of ANY in multi items patterns (#313)
• 6f1bf70 Bump checkout and python actions (#310)
• 62aaeab Release 0.23.0
• d8edf3d Adjust badges
• b3a193d Add downloads badge to docs
• 9961e9b Handle multiple routes using MuitiItems pattern with ANY (#289)
• e51c2a6 Update Route.respond json type hint to Any to match HTTPX (#284)
• a499260 Bump less-action/reusables from 8 to 10 (#282)
• 7b44b51 Update nix flake and mypy target (#306)
• Additional commits viewable in compare view

Updates time-machine from 2.15.0 to 3.2.0

Changelog

Sourced from time-machine's changelog.

3.2.0 (2025-12-17)

• Add :attr:time_machine.naive_mode to control how time-machine interprets naive datetimes.

  The default mode is MIXED, which preserves existing behaviour: naive datetime objects and date objects are interpreted as UTC, while naive datetime strings are interpreted as local time.

  Three alternative modes are available:

  • UTC: naive datetimes are always interpreted as UTC.
  • LOCAL: naive datetimes are interpreted as local time, matching Python's default semantics, and freezegun.
  • ERROR: naive datetimes raise a RuntimeError, ensuring your tests are isolated from the current timezone.

  .. note::

  It’s recommended you use LOCAL or ERROR to avoid confusion around naive datetimes.

  PR [#591](https://github.com/adamchainz/time-machine/issues/591) <https://github.com/adamchainz/time-machine/pull/591>__. Thanks to Paolo Melchiorre for review.

  Thanks to PhML, Stefaan Lippens, Matthieu Rigal, Nikita Demir, Steve Mavens, Andy Freeland, and Paul Ganssle for their input on Issue [#257](https://github.com/adamchainz/time-machine/issues/257) <https://github.com/adamchainz/time-machine/issues/257>__.

• Raise RuntimeError when attempting to start time travelling if freezegun <https://pypi.org/project/freezegun/>__ is active.

  This change should help avoid surprises when migrating complex test suites from freezegun to time-machine.

  PR [#590](https://github.com/adamchainz/time-machine/issues/590) <https://github.com/adamchainz/time-machine/pull/590>__.

3.1.0 (2025-11-21)

• Optimize patching of uuid module. By avoiding using unittest.mock, this small overhead from starting time_machine.travel() has been reduced about 20x, from ~600ns to ~30ns by one benchmark.

  PR [#585](https://github.com/adamchainz/time-machine/issues/585) <https://github.com/adamchainz/time-machine/pull/585>__.

3.0.0 (2025-11-18)

• Remove mocking of time.monotonic() and time.monotonic_ns().

  This mocking caused too many issues, such as causing freezes in asyncio event loops (Issue [#387](https://github.com/adamchainz/time-machine/issues/387) <https://github.com/adamchainz/time-machine/issues/387>), preventing pytest-durations from timing tests correctly (Issue [#505](https://github.com/adamchainz/time-machine/issues/505) <https://github.com/adamchainz/time-machine/issues/505>), and triggering timeouts in psycopg (Issue [#509](https://github.com/adamchainz/time-machine/issues/509) <https://github.com/adamchainz/time-machine/issues/509>__). The root cause here is that mocking the monotonic clock breaks its contract, allowing it to move backwards when it’s meant to only move forwards.

  As an alternative, use |unittest.mock|__ to mock the monotonic function for the specific tested modules that need it. That means that your code should import monotonic() or monotonic_ns() directly, so that your tests can mock it in those places only. For example, if your system under test looks like:

  .. |unittest.mock| replace:: unittest.mock __ https://docs.python.org/3/library/unittest.mock.html

... (truncated)

Commits

• 1b7ac45 Version 3.2.0
• 9284e44 Change freezegun detection (#592)
• dab094e Add naive_mode attribute to control handling of naive datetimes (#591)
• 242f897 Raise RuntimeError if freezegun is active when starting time-machine (#590)
• 4c014f2 Upgrade dependencies (#589)
• ef6c030 [pre-commit.ci] pre-commit autoupdate (#587)
• 96be985 Bump actions/checkout from 5 to 6 in the github-actions group (#588)
• b57d54e Build documentation on Python 3.14 (#586)
• b9f7500 Version 3.1.0
• 965e906 Optimize patching of uuid module (#585)
• Additional commits viewable in compare view

Updates ty from 0.0.35 to 0.0.38

Release notes

Sourced from ty's releases.

0.0.38

Release Notes

Released on 2026-05-19.

Bug fixes

• Fix panic in enum literal during cycle recovery (#25237)
• Fix panic from lazy NewType base expansion during cycle recovery (#25234)
• Fix class-body global lookup before class binding (#25224)
• Handle aliased dict fallbacks in TypedDict unions (#25241)
• Ignore _generate_next_value_ with custom construction hooks (#25210)

LSP server

• Fix find references for except handlers (#25231)
• Preserve delimiters when folding expressions (#24999)
• Use incremental file walk on .gitignore changes (#25183)

Core type checking

• Add first-class support for enum complements (#24961)
• Allow known non-field writes on frozen dataclass subclasses (#25087)
• Ignore generic specialization in layout compatibility checks (#25178)
• Preserve short-circuit bindings in all condition consumers (#25160)
• Support class decorators (#25091)
• Support custom _generate_next_value_ methods in enums (#25196)

Contributors

• @​MatthewMckee4
• @​MichaReiser
• @​charliermarsh
• @​lerebear
• @​thejchap

Install ty 0.0.38

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.38/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.38/ty-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.38

Released on 2026-05-19.

Bug fixes

• Fix panic in enum literal during cycle recovery (#25237)
• Fix panic from lazy NewType base expansion during cycle recovery (#25234)
• Fix class-body global lookup before class binding (#25224)
• Handle aliased dict fallbacks in TypedDict unions (#25241)
• Ignore _generate_next_value_ with custom construction hooks (#25210)

LSP server

• Fix find references for except handlers (#25231)
• Preserve delimiters when folding expressions (#24999)
• Use incremental file walk on .gitignore changes (#25183)

Core type checking

• Add first-class support for enum complements (#24961)
• Allow known non-field writes on frozen dataclass subclasses (#25087)
• Ignore generic specialization in layout compatibility checks (#25178)
• Preserve short-circuit bindings in all condition consumers (#25160)
• Support class decorators (#25091)
• Support custom _generate_next_value_ methods in enums (#25196)

Contributors

• @​MatthewMckee4
• @​MichaReiser
• @​charliermarsh
• @​lerebear
• @​thejchap

0.0.37

Released on 2026-05-16.

Bug fixes

• Avoid unsound not in narrowing (#25161)
• Fix async iteration over narrowed typevars (#25155)
• Fix panic in double-inference for single starred positional TypedDict (#25176)
• Fix panic in disjoint base check (#25187)
• Fix panic in recursive binary inference (#25189)
• Fix panic in cyclic __new__ (#25185)
• Fix panic in reveal_protocol, reveal_mro, etc. with keyword arguments (#25179)
• Fix panic in imported overload definition (#25168)

... (truncated)

Commits

• 1d3efc1 Bump version to 0.0.38 (#3492)
• f5100cc scripts/update_schemastore: use -C to allow re-running schema update on exist...
• f18aed6 Bump version to 0.0.37 (#3473)
• a63e559 Bump version to 0.0.36 (#3463)
• 94370d5 Update prek dependencies (#3449)
• See full diff in compare view

Updates zizmor from 1.24.1 to 1.25.2

Release notes

Sourced from zizmor's releases.

v1.25.2

Bug Fixes 🐛🔗

• Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#2018)

v1.25.1

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in unpinned-tools annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#2011)

v1.25.0

New Features 🌈🔗

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements🔗

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions

• Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions

• tibdex/github-app-token is now recognized as an archived action by archived-uses (#1910)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.25.2

Bug Fixes 🐛

• Fixed a bug where the [unpinned-tools] audit would incorrectly flag the @​aquasecurity/trivy-action action as installing an unpinned tool version, rather than @​aquasecurity/setup-trivy (#2018)

1.25.1

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in [unpinned-tools] annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of @​actions/create-github-app-token as unsafe (#2011)

1.25.0

New Features 🌈

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: [github-app] detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

... (truncated)

Commits

• b50d8f6 zizmor 1.25.2 (#2022)
• e8c9648 Bump rustls-webpki to 0.103.13 (#2021)
• 9e19bde Bump aws-lc crates (#2020)
• 49cb189 Bump rand to 0.9.4 (#2019)
• bfdb649 unpinned-tools: fix trivy action being detected (#2018)
• 9300d3b ww/release (#2016)
• 331917a chore: drop serde_yaml rename (#2015)
• 506f085 github-app: test repositories, not repository (#2011)
• 53dea37 unpinned-tools, docs: fix typos (#2008)