
chore(deps): bump the pip group across 2 directories with 4 updates #629

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/pip-f1d36037a9

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps the pip group with 1 update in the / directory: checkov.
Bumps the pip group with 3 updates in the /src/500-application/506-ros2-connector directory: numpy, pytest and pytest-asyncio.

Updates checkov from 3.2.529 to 3.3.2

Release notes

Sourced from checkov's releases.

3.3.2

Bug Fix

  • terraform_plan: handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 - #7582
  • terraform: pass CKV_GCP_123 when remove_default_node_pool is true - #7575

3.3.1

Feature

  • serverless: disable vars opt out - #7574

3.3.0

  • no noteworthy changes

3.2.534

Feature

  • general: fix regex to include hyphen - #7566

3.2.533

Bug Fix

  • general: increase domain allow list as it blocks prisma release - #7567
  • sca: Kustomize and Helm improvements - #7568
  • terraform: pin security-group module to 5.3.1 in linked-module test - #7570

3.2.532

Feature

  • general: verify ECDSA-P256 signatures on external custom checks before loading - #7556

3.2.531

Feature

  • terraform: add CKV_AWS_393 for GitHub OIDC trust on aws_iam_role - #7561

3.2.530

Bug Fix

  • serverless: disable env/file variable resolution by default - #7554

Changelog

Sourced from checkov's changelog.

3.3.2 - 2026-06-23

Bug Fix

  • terraform_plan: handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 - #7582
  • terraform: pass CKV_GCP_123 when remove_default_node_pool is true - #7575

3.3.1 - 2026-06-11

Feature

  • serverless: disable vars opt out - #7574

3.3.0 - 2026-06-10

  • no noteworthy changes

3.2.534 - 2026-06-09

Feature

  • general: fix regex to include hyphen - #7566

3.2.533 - 2026-06-04

Bug Fix

  • general: increase domain allow list as it blocks prisma release - #7567
  • sca: Kustomize and Helm improvements - #7568
  • terraform: pin security-group module to 5.3.1 in linked-module test - #7570

3.2.532 - 2026-06-02

Feature

  • general: verify ECDSA-P256 signatures on external custom checks before loading - #7556

3.2.531 - 2026-06-01

Feature

  • terraform: add CKV_AWS_393 for GitHub OIDC trust on aws_iam_role - #7561

3.2.530 - 2026-05-28

Bug Fix

  • serverless: disable env/file variable resolution by default - #7554

Commits
  • c9497de fix(terraform_plan): handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 ...
  • 6a82b2f fix(terraform_plan): handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 ...
  • efe84c2 fix(terraform): pass CKV_GCP_123 when remove_default_node_pool is true (#7575)
  • c265fda chore: update release notes
  • 807eb13 feat(serverless): disable vars opt out (#7574)
  • 7f8645d chore: update release notes
  • 5b5ce3e feat(general): fix regex to include hyphen (#7566)
  • 295570b chore: update release notes
  • 73dac2f feat(general): fix regex to include hyphen (#7566)
  • 69e64f7 feat(general): fix regex to include hyphen (#7566)
  • Additional commits viewable in compare view

Updates numpy from 2.4.6 to 2.5.0

Release notes

Sourced from numpy's releases.

v2.5.0 (June 21, 2026)

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11, marking the end of distutils, and expires a large number of deprecations made in the 2.0.x release. It also improves free threading and brings sorting into compliance with the array-api standard with the addition of descending sorts. There is also a fair amount of preparation for Python 3.15, which will be supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed.
  • Many expired deprecations, see below.
  • Many new deprecations, see below.
  • Many static typing improvements.
  • Improved support for free threading.
  • Support for descending sorts.

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided out=out under the same-kind rule. A DeprecationWarning is given now when this check fails. Previously, take incorrectly checked if out could be cast to the result (the wrong direction). This deprecation also affects compress and possibly other functions. (Future versions of NumPy may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use a numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe if an array is shared, especially by multiple threads. As an alternative, you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

... (truncated)

Commits
  • 6910b28 Merge pull request #31706 from charris/prepare-2.5.0-release
  • e0acd2b REL: Prepare for the NumPy 2.5.0 release.
  • 8d928b7 Merge pull request #31704 from charris/backport-31649
  • c2055ba MAINT: update openblas to 0.3.33.112.0 (#31649)
  • ce17c81 Merge pull request #31703 from charris/backport-31609
  • 3de6203 BUG: fix StringDType distinct-allocator bugs and add tests (#31609)
  • c723971 Merge pull request #31700 from charris/backport-31694
  • 64513b2 MAINT: Bump pypa/cibuildwheel from 3.4.1 to 4.1.0
  • 04707f0 Merge pull request #31698 from charris/try-fix-emscripten
  • 5cf0686 MAINT: Try to fix emscripten wheel build.
  • Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in the @pytest.mark.parametrize argvalues parameter.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize and metafunc.parametrize is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
  • Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

  • Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

  • Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits
  • 6e14cd2 chore: Prepare release of v1.4.0.
  • 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
  • ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
  • a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
  • e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
  • fc43340 Build(deps): Bump idna from 3.14 to 3.15
  • 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
  • b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
  • 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
  • 82a393c ci: Remove unnecessary debug output.
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the labels dependencies (Dependency updates) and security (Security-related changes or concerns) on Jun 22, 2026
@dependabot dependabot Bot requested a review from a team on June 22, 2026 16:10

dependabot Bot commented on behalf of github Jun 22, 2026

Contributor Author

Labels

The following labels could not be found: pip. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions Bot commented Jun 22, 2026


Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

requirements.txt

| Name | Version | Vulnerability | Severity |
|---|---|---|---|
| ecdsa | 0.19.2 | Minerva timing attack on P-256 in python-ecdsa | high |

Only included vulnerabilities with severity high or higher.

License Issues

requirements.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| numpy | 2.5.0 | Null | Unknown License |
| checkov | 3.3.2 | Null | Unknown License |
| ecdsa | 0.19.2 | Null | Unknown License |

src/500-application/506-ros2-connector/services/requirements.base.txt

| Package | Version | License | Issue Type |
|---|---|---|---|
| numpy | 2.5.0 | Null | Unknown License |
| pytest | 9.1.1 | Null | Unknown License |
| pytest-asyncio | 1.4.0 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| pip/ecdsa | 0.19.2 | 🟢 6 | see check table below |
| pip/aiohttp | 3.13.5 | Unknown | Unknown |
| pip/checkov | 3.3.2 | 🟢 7 | see check table below |
| pip/numpy | 2.5.0 | Unknown | Unknown |
| pip/numpy | 2.5.0 | Unknown | Unknown |
| pip/pytest | 9.1.1 | Unknown | Unknown |
| pip/pytest-asyncio | 1.4.0 | Unknown | Unknown |

Details for pip/ecdsa 0.19.2:

| Check | Score | Reason |
|---|---|---|
| Maintained | 🟢 10 | 10 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 3 | Found 5/15 approved changesets -- score normalized to 3 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | 🟢 10 | project is fuzzed |
| License | 🟢 9 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

Details for pip/checkov 3.3.2:

| Check | Score | Reason |
|---|---|---|
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 7 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 3 | 11 out of last 30 changesets reviewed before merge -- score normalized to 3 |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| CII-Best-Practices | ⚠️ 2 | badge detected: in_progress |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Token-Permissions | ⚠️ 0 | non read-only tokens detected in GitHub workflows |
| Security-Policy | 🟢 10 | security policy file detected |
| License | 🟢 10 | license file detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | 🟢 10 | publishing workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |

Scanned Files

  • requirements.txt
  • src/500-application/506-ros2-connector/services/requirements.base.txt

@dependabot dependabot Bot force-pushed the dependabot/pip/pip-f1d36037a9 branch from 004ece7 to c55b0aa on June 25, 2026 15:29
Bumps the pip group with 1 update in the / directory: [checkov](https://github.com/bridgecrewio/checkov).
Bumps the pip group with 3 updates in the /src/500-application/506-ros2-connector directory: [numpy](https://github.com/numpy/numpy), [pytest](https://github.com/pytest-dev/pytest) and [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio).


Updates `checkov` from 3.2.529 to 3.3.2
- [Release notes](https://github.com/bridgecrewio/checkov/releases)
- [Changelog](https://github.com/bridgecrewio/checkov/blob/main/CHANGELOG.md)
- [Commits](bridgecrewio/checkov@3.2.529...3.3.2)

Updates `numpy` from 2.4.6 to 2.5.0
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.4.6...v2.5.0)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: checkov
  dependency-version: 3.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: numpy
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-f1d36037a9 branch from c55b0aa to ae035ea on June 26, 2026 15:09