Skip to content

Bump ruff from 0.15.7 to 0.15.8#90

Merged
amrit110 merged 3 commits intomainfrom
dependabot/uv/ruff-0.15.8
Mar 30, 2026
Merged

Bump ruff from 0.15.7 to 0.15.8#90
amrit110 merged 3 commits intomainfrom
dependabot/uv/ruff-0.15.8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 27, 2026

Bumps ruff from 0.15.7 to 0.15.8.

Release notes

Sourced from ruff's releases.

0.15.8

Release Notes

Released on 2026-03-26.

Preview features

  • [ruff] New rule unnecessary-if (RUF050) (#24114)
  • [ruff] New rule useless-finally (RUF072) (#24165)
  • [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
  • [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

  • [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
  • [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
  • [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
  • E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
  • Fix %foo? parsing in IPython assignment expressions (#24152)
  • analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

  • [eradicate] ignore ty: ignore comments in ERA001 (#24192)
  • [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
  • [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
  • [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
  • [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

  • Speed up diagnostic rendering (#24146)

Server

  • Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

  • Clarify extend-ignore and extend-select settings documentation (#24064)
  • Mention AI policy in PR template (#24198)

Other changes

  • Use trusted publishing for NPM packages (#24171)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.8

Released on 2026-03-26.

Preview features

  • [ruff] New rule unnecessary-if (RUF050) (#24114)
  • [ruff] New rule useless-finally (RUF072) (#24165)
  • [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
  • [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

  • [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
  • [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
  • [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
  • E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
  • Fix %foo? parsing in IPython assignment expressions (#24152)
  • analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

  • [eradicate] ignore ty: ignore comments in ERA001 (#24192)
  • [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
  • [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
  • [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
  • [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

  • Speed up diagnostic rendering (#24146)

Server

  • Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

  • Clarify extend-ignore and extend-select settings documentation (#24064)
  • Mention AI policy in PR template (#24198)

Other changes

  • Use trusted publishing for NPM packages (#24171)

Contributors

... (truncated)

Commits
  • c2a8815 Release 0.15.8 (#24217)
  • d444d52 [ty] Infer lambda expressions with Callable type context (#22633)
  • 9622285 [ty] Autocomplete arguments if in arguments node (#24167)
  • d812662 Use the release environment in publish-docs (#24214)
  • eda2355 [ty] Show Final source in final assignment diagnostic (#24194)
  • 929eb52 [ty] Enforce Final attribute assignment rules for annotated and augmented wri...
  • 34998be [ty] Fix typo in comment (#24211)
  • 560aca0 [ty] Minor simplifications to some benchmark code (#24209)
  • 683bae5 [ty] Track non-terminal-call constraints in global scope (#23245)
  • 4704c2a [ty] Remove unnecessary intermediate collection in `StaticClassLiteral::field...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump ruff from 0.15.7 to 0.15.8
bbe1deb 
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.7 to 0.15.8.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Mar 27, 2026
chore: bump requests to 2.33.0 and nbconvert to 7.17.0 to fix CVEs
1e44aa3 
- requests >= 2.33.0: fixes CVE-2026-25645 (predictable temp file path in extract_zipped_paths)
- nbconvert >= 7.17.0: fixes CVE-2025-53000

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
@amrit110
Copy link
Copy Markdown
Member

amrit110 commented Mar 28, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package Version Vulnerability Status
pygments 2.19.2 CVE-2026-4539 No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in AdlLexer). A fix requires the upstream maintainers to release a new version. The project was informed of the problem through an issue report but has not responded yet. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

What was fixed automatically

  • requests bumped to >=2.33.0 — fixes CVE-2026-25645 (predictable temp file in extract_zipped_paths)
  • nbconvert bumped to >=7.17.0 — fixes CVE-2025-53000

Recommended next steps

  1. Monitor the pygments CVE-2026-4539 advisory for a patch release
  2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the pygments vulnerability is resolved.

@amrit110
Copy link
Copy Markdown
Member

amrit110 commented Mar 28, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

Package Version Vulnerability Status
pygments 2.19.2 CVE-2026-4539 No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments (a regex complexity issue in pygments/lexers/archetype.py's AdlLexer). The PyPI latest version is 2.19.2, which is still affected. A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the vulnerability advisory for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110
Copy link
Copy Markdown
Member

amrit110 commented Mar 29, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

Package Version Vulnerability Status
pygments 2.19.2 CVE-2026-4539 No fix available on PyPI

Why this cannot be auto-fixed

The vulnerability exists in pygments itself (inefficient regular expression complexity in pygments/lexers/archetype.py's AdlLexer function). The fix requires the upstream pygments maintainers to release a new version. The project has been notified of the issue but has not yet responded. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the vulnerability advisory (CVE-2026-4539) for a patch release from the pygments project
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

chore: bump pygments to 2.20.0 to fix CVE-2026-4539
a2a2532 
Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
@amrit110 amrit110 merged commit 23bf0f1 into main Mar 30, 2026
3 checks passed
@amrit110 amrit110 deleted the dependabot/uv/ruff-0.15.8 branch March 30, 2026 00:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amrit110