Bump the python-dependencies group with 14 updates

[dependabot]

Bumps the python-dependencies group with 14 updates:

Package	From	To
django	5.2.8	6.0
sqlparse	0.5.4	0.5.5
mkdocs-material	9.7.0	9.7.1
mkdocstrings-python	2.0.0	2.0.1
platformdirs	4.5.0	4.5.1
pymdown-extensions	10.17.2	10.20
urllib3	2.5.0	2.6.2
coverage[toml]	7.12.0	7.13.1
filelock	3.20.0	3.20.1
mypy	1.19.0	1.19.1
nodeenv	1.9.1	1.10.0
pre-commit	4.5.0	4.5.1
pytest	9.0.1	9.0.2
ruff	0.14.7	0.14.10

Updates django from 5.2.8 to 6.0

Commits

• 36b5f39 [6.0.x] Bumped version for 6.0 release.
• 4f46d1f [6.0.x] Updated man page for Django 6.0.
• a9f5ca5 [6.0.x] Refs #35859 -- Clarified Tasks ref and topics docs regarding availabl...
• 45f9e0e [6.0.x] Finalized release notes for Django 6.0.
• ac44a55 [6.0.x] Made cosmetic edits to docs/releases/6.0.txt.
• 00575b7 [6.0.x] Updated translations from Transifex.
• 8414487 [6.0.x] Refs #35444 -- Fixed typo in PostgreSQL StringAgg deprecation warning.
• 1f8f36e [6.0.x] Added CVE-2025-13372 and CVE-2025-64460 to security archive.
• 224fc79 [6.0.x] Added stub release notes for 5.2.10.
• 1dbd07a [6.0.x] Fixed CVE-2025-64460 -- Corrected quadratic inner text accumulation i...
• Additional commits viewable in compare view

Updates sqlparse from 0.5.4 to 0.5.5

Changelog

Sourced from sqlparse's changelog.

Release 0.5.5 (Dec 19, 2025)

Bug Fixes

• Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded (issue827).
• Fix splitting of BEGIN TRANSACTION statements (issue826).

Commits

• 0d24023 Bump version to 0.5.5
• da67ac1 Enhance DoS protection by raising SQLParseError for exceeded grouping limits ...
• 5ca50a2 Fix splitting of BEGIN TRANSACTION statements (fixes #826).
• acd8e58 Back to development version.
• See full diff in compare view

Updates mkdocs-material from 9.7.0 to 9.7.1

Release notes

Sourced from mkdocs-material's releases.

mkdocs-material-9.7.1

• Updated requests to 2.30+ to mitigate CVE in urllib
• Fixed privacy plugin not picking up protocol-relative URLs
• Fixed #8542: false positives and negatives captured in privacy plugin

Changelog

Sourced from mkdocs-material's changelog.

mkdocs-material-9.7.1 (2025-12-18)

• Updated requests to 2.30+ to mitigate CVE in urllib
• Fixed privacy plugin not picking up protocol-relative URLs
• Fixed #8542: false positives and negatives captured in privacy plugin

mkdocs-material-9.7.0 (2025-11-11)

⚠️ Material for MkDocs is now in maintenance mode

This is the last release of Material for MkDocs that will receive new features. Going forward, the Material for MkDocs team focuses on Zensical, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs for 12 months at least.

Read the full announcement on our blog: https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/

This release includes all features that were previously exclusive to the Insiders edition. These features are now freely available to everyone.

Note on deprecated plugins: The projects and typeset plugins are included in this release, but must be considered deprecated. Both plugins proved unsustainable to maintain and represent architectural dead ends. They are provided as-is without ongoing support.

Changes:

• Added support for pinned blog posts and author profiles
• Added support for customizing pagination for blog index pages
• Added support for customizing blog category sort order
• Added support for staying on page when switching languages
• Added support for disabling tags in table of contents
• Added support for nested tags and shadow tags
• Added support for footnote tooltips
• Added support for instant previews
• Added support for instant prefetching
• Added support for custom social card layouts
• Added support for custom social card background images
• Added support for selectable rangs in code blocks
• Added support for custom selectors for code annotations
• Added support for configurable log level in privacy plugin
• Added support for processing of external links in privacy plugin
• Added support for automatic image optimization via optimize plugin
• Added support for navigation paths (breadcrumbs)
• Fixed #8519: Vector accents do not render when using KaTeX

mkdocs-material-9.6.23 (2025-11-01)

• Updated Burmese translation

... (truncated)

Commits

• 7e236f6 Temporarily disable publishing
• 3941491 Fixed CI
• 034eaf7 Prepare 9.7.1 release
• 79ba428 Fixed privacy plugin not picking up protocol-relative URLs
• 61cad24 Updated dependencies
• dde13ce Fixed false positives and negatives captured in privacy plugin (#8542)
• 291012d Updated requests to 2.30+ to mitigate CVE in urllib
• 673d8ca Fixed links
• 1722784 Documentation
• aee925f Fixed links
• Additional commits viewable in compare view

Updates mkdocstrings-python from 2.0.0 to 2.0.1

Release notes

Sourced from mkdocstrings-python's releases.

2.0.1

2.0.1 - 2025-12-03

Compare with 2.0.0

Bug Fixes

• Don't ignore filters when category grouping is disabled (63aa1b0 by Timothée Mazzucotelli). Issue-324

Code Refactoring

• Localize more contents in templates (854b6a6 by Zhikang Yan). PR-321
• Improve ja/zh translations (b83107c by Zhikang Yan). PR-322

Changelog

Sourced from mkdocstrings-python's changelog.

2.0.1 - 2025-12-03

Compare with 2.0.0

Bug Fixes

• Don't ignore filters when category grouping is disabled (63aa1b0 by Timothée Mazzucotelli). Issue-324

Code Refactoring

• Localize more contents in templates (854b6a6 by Zhikang Yan). PR-321
• Improve ja/zh translations (b83107c by Zhikang Yan). PR-322

Commits

• 6e7b971 chore: Prepare release 2.0.1
• 854b6a6 refactor: Localize more contents in templates
• b83107c refactor: Improve ja/zh translations
• 63aa1b0 fix: Don't ignore filters when category grouping is disabled
• 76c08ac docs: Fix cross-reference
• 50d135a chore: Template upgrade
• See full diff in compare view

Updates platformdirs from 4.5.0 to 4.5.1

Release notes

Sourced from platformdirs's releases.

4.5.1

What's Changed

• Fix no-ctypes fallback on windows by @​youknowone in tox-dev/platformdirs#403

Full Changelog: tox-dev/platformdirs@4.5.0...4.5.1

Commits

• e4dbdb8 Fix no-ctypes fallback on windows (#403)
• 4cc78aa [pre-commit.ci] pre-commit autoupdate (#401)
• b624d78 [pre-commit.ci] pre-commit autoupdate (#400)
• eb06e7e Bump actions/checkout from 5 to 6 in the all group (#399)
• 85efbe9 [pre-commit.ci] pre-commit autoupdate (#397)
• 704c603 [pre-commit.ci] pre-commit autoupdate (#394)
• a018178 [pre-commit.ci] pre-commit autoupdate (#393)
• 9920b9b Bump the all group with 2 updates (#392)
• c804724 [pre-commit.ci] pre-commit autoupdate (#391)
• a6a2489 [pre-commit.ci] pre-commit autoupdate (#390)
• See full diff in compare view

Updates pymdown-extensions from 10.17.2 to 10.20

Release notes

Sourced from pymdown-extensions's releases.

10.20

• NEW: Quotes: New blockquotes extension added that uses a more modern approach when compared to Python Markdown's default. Quotes specifically will not group consecutive blockquotes together in the same lazy fashion that the default Python Markdown does which follows a more modern trend to how parsers these days handle block quotes.

  In addition, Quotes also provides an optional feature to enable specifying callouts/alerts in the style used by GitHub and Obsidian.

10.19.1

• FIX: Arithmatex: Fix issue where block $$ math used inline within a paragraph could result in nested math parsing.

10.19

• NEW: Emoji: Update Twemoji to use Unicode 16.
• NEW: Critic: Roll back view mode deprecation as some still like to use it, though further enhancements to this mode are not planned.

10.18

• NEW: Critic: view mode has been deprecated. To avoid warnings or future issues, explicitly set mode to either accept or reject. In the future, the new default will be accept and the view mode will be removed entirely.
• FIX: Block Admonition: important should have always been available as a default.

Commits

• 7d5c4be Quotes: Add nesting examples, fix some grammar, and add nesting test
• 9d5b64a Update notes about the new callouts
• 531a77a Docs: make line number hover stand out more
• 0d7be84 Revert change to line wrapping
• 6f9cb09 Wrap lines table format as well and adjust docs theme line highlight
• 97f7166 Wrap Pygments lines with <span> to allow for better styling
• ad0d493 Update map
• 753ddde Tweak admonition colors
• 7e686ee Docs: Update JS deps
• 2703d81 Add custom blockquote extension (#2817)
• Additional commits viewable in compare view

Updates urllib3 from 2.5.0 to 2.6.2

Release notes

Sourced from urllib3's releases.

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

2.6.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (CVE-2025-66471 reported by @​Cycloctane, 8.9 High, GHSA-2xpw-w6gg-jr37)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (CVE-2025-66418 reported by @​illia-v, 8.9 High, GHSA-gm62-xv2j-4w53)

[!IMPORTANT]

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.
• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. (#3653)
• Added host and port information to string representations of HTTPConnection. (#3666)
• Added support for Python 3.14 free-threading builds explicitly. (#3696)

Removals

• Removed the HTTPResponse.getheaders() method in favor of HTTPResponse.headers. Removed the HTTPResponse.getheader(name, default) method in favor of HTTPResponse.headers.get(name, default). (#3622)

... (truncated)

Changelog

Sourced from urllib3's changelog.

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

2.6.0 (2025-12-05)

Security

• Fixed a security issue where streaming API could improperly handle highly compressed HTTP content ("decompression bombs") leading to excessive resource consumption even when a small amount of data was requested. Reading small chunks of compressed data is safer and much more efficient now. (GHSA-2xpw-w6gg-jr37 <https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37>__)
• Fixed a security issue where an attacker could compose an HTTP response with virtually unlimited links in the Content-Encoding header, potentially leading to a denial of service (DoS) attack by exhausting system resources during decoding. The number of allowed chained encodings is now limited to 5. (GHSA-gm62-xv2j-4w53 <https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53>__)

.. caution::

• If urllib3 is not installed with the optional urllib3[brotli] extra, but your environment contains a Brotli/brotlicffi/brotlipy package anyway, make sure to upgrade it to at least Brotli 1.2.0 or brotlicffi 1.2.0.0 to benefit from the security fixes and avoid warnings. Prefer using urllib3[brotli] to install a compatible Brotli package automatically.

• If you use custom decompressors, please make sure to update them to respect the changed API of urllib3.response.ContentDecoder.

Features

• Enabled retrieval, deletion, and membership testing in HTTPHeaderDict using bytes keys. ([#3653](https://github.com/urllib3/urllib3/issues/3653) <https://github.com/urllib3/urllib3/issues/3653>__)
• Added host and port information to string representations of HTTPConnection. ([#3666](https://github.com/urllib3/urllib3/issues/3666) <https://github.com/urllib3/urllib3/issues/3666>__)
• Added support for Python 3.14 free-threading builds explicitly. ([#3696](https://github.com/urllib3/urllib3/issues/3696) <https://github.com/urllib3/urllib3/issues/3696>__)

... (truncated)

Commits

• 83f8643 Release 2.6.2
• 571a9b7 Fix HTTPResponse.read_chunked when leftover data is present in decoder's bu...
• bfe8e19 Release 2.6.1
• 3ceeb84 Restore getheaders() and getheader() (#3732)
• 720f484 Release 2.6.0
• 24d7b67 Merge commit from fork
• c19571d Merge commit from fork
• 816fcf0 Bump actions/setup-python from 6.0.0 to 6.1.0 (#3725)
• 18af0a1 Improve speed of BytesQueueBuffer.get() by using memoryview (#3711)
• 1f6abac Bump versions of pre-commit hooks (#3716)
• Additional commits viewable in compare view

Updates coverage[toml] from 7.12.0 to 7.13.1

Release notes

Sourced from coverage[toml]'s releases.

7.13.1

Version 7.13.1 — 2025-12-28

• Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110.
• Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.
• Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105. This is now fixed, thanks to Jianrong Zhao.
• Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn’t change any behavior. If you find that it does, please get in touch.
• Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.
• Docs: added a section explaining more about what is considered a missing branch and how it is reported: Examples of missing branches, as requested in issue 1597. Thanks to Ayisha Mohammed.
• Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn’t set on 3.14+. This is now fixed, closing issue 2109.

➡️  PyPI page: coverage 7.13.1. :arrow_right:  To install: python3 -m pip install coverage==7.13.1

7.13.0

Version 7.13.0 — 2025-12-08

• Feature: coverage.py now supports .coveragerc.toml configuration files. These files use TOML syntax and take priority over pyproject.toml but lower priority than .coveragerc files. Closes issue 1643 thanks to Olena Yefymenko.
• Fix: we now include a permanent .pth file which is installed with the code, fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn’t work when using the source wheel (py3-none-any). This is now fixed. Thanks, Henry Schreiner.
• Deprecated: when coverage.py is installed, it creates three command entry points: coverage, coverage3, and coverage-3.10 (if installed for Python 3.10). The second and third of these are not needed and will eventually be removed. They still work for now, but print a message about their deprecation.

➡️  PyPI page: coverage 7.13.0. :arrow_right:  To install: python3 -m pip install coverage==7.13.0

7.12.1b1

Version 7.12.1b1 — 2025-11-30

• Fix: coverage.py now includes a permanent .pth file in the distribution which is installed with the code. This fixes issue 2084: failure to patch for subprocess measurement when site-packages is not writable.

➡️  PyPI page: coverage 7.12.1b1. :arrow_right:  To install: python3 -m pip install coverage==7.12.1b1

Changelog

Sourced from coverage[toml]'s changelog.

Version 7.13.1 — 2025-12-28

• Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110_.

• Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.

• Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105_. This is now fixed, thanks to Jianrong Zhao.

• Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn't change any behavior. If you find that it does, please get in touch.

• Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.

• Docs: added a section explaining more about what is considered a missing branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

• Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: coveragepy/coveragepy#1597 .. _pull 2092: coveragepy/coveragepy#2092 .. _issue 2105: coveragepy/coveragepy#2105 .. _issue 2109: coveragepy/coveragepy#2109 .. _issue 2110: coveragepy/coveragepy#2110

.. _changes_7-13-0:

Version 7.13.0 — 2025-12-08

• Feature: coverage.py now supports :file:.coveragerc.toml configuration files. These files use TOML syntax and take priority over :file:pyproject.toml but lower priority than :file:.coveragerc files. Closes issue 1643_ thanks to Olena Yefymenko <pull 1952_>_.

• Fix: we now include a permanent .pth file which is installed with the code, fixing issue 2084_. In 7.12.1b1 this was done incorrectly: it didn't work when using the source wheel (py3-none-any). This is now fixed. Thanks,

... (truncated)

Commits

• a6afdc3 docs: sample HTML for 7.13.1
• a497081 docs: prep for 7.13.1
• e992033 docs: polish up CHANGES
• 18bba6e chore: bump the action-dependencies group with 4 updates (#2111)
• 80fb808 refactor: (?x:...) lets us use re.VERBOSE even when combining later
• cc272bd docs: leave a comment so we'll find this when 3.12 is the minimum
• 70d007d types: be explicit
• a2c1940 types: fully import modules that will be patched
• 57b975d types: explicit Protocol inheritance permits changing parameter names
• 63ec12d types: clarify that morfs arguments can be a single morf
• Additional commits viewable in compare view

Updates filelock from 3.20.0 to 3.20.1

Release notes

Sourced from filelock's releases.

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

Commits

• 377f622 [pre-commit.ci] pre-commit autoupdate (#460)
• 4724d7f Fix TOCTOU symlink vulnerability in lock file creation (#461)
• cb69414 Bump actions/upload-artifact from 5 to 6 (#459)
• 0769294 Bump actions/download-artifact from 6 to 7 (#458)
• 414193a [pre-commit.ci] pre-commit autoupdate (#457)
• 1456797 [pre-commit.ci] pre-commit autoupdate (#456)
• 8d6bf90 Bump actions/checkout from 5 to 6 (#455)
• f7edeeb [pre-commit.ci] pre-commit autoupdate (#454)
• fb09235 [pre-commit.ci] pre-commit autoupdate (#453)
• f5825d8 [pre-commit.ci] pre-commit autoupdate (#452)
• Additional commits viewable in compare view

Updates mypy from 1.19.0 to 1.19.1

Changelog

Sourced from mypy's changelog.

Mypy 1.19.1

• Fix noncommutative joins with bounded TypeVars (Shantanu, PR 20345)
• Respect output format for cached runs by serializing raw errors in cache metas (Ivan Levkivskyi, PR 20372)
• Allow types.NoneType in match cases (A5rocks, PR 20383)
• Fix mypyc generator regression with empty tuple (BobTheBuidler, PR 20371)
• Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR 20323)
• Fix crash on star import of redefinition (Ivan Levkivskyi, PR 20333)
• Fix crash on typevar with forward ref used in other module (Ivan Levkivskyi, PR 20334)
• Fail with an explicit error on PyPy (Ivan Levkivskyi, PR 20389)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• A5rocks
• BobTheBuidler
• bzoracler
• Chainfire
• Christoph Tyralla
• David Foster
• Frank Dana
• Guo Ci
• iap
• Ivan Levkivskyi
• James Hilton-Balfe
• jhance
• Joren Hammudoglu
• Jukka Lehtosalo
• KarelKenens
• Kevin Kannammalil
• Marc Mueller
• Michael Carlstrom
• Michael J. Sullivan
• Piotr Sawicki
• Randolf Scholz
• Shantanu
• Sigve Sebastian Farstad
• sobolevn
• Stanislav Terliakov
• Stephen Morton
• Theodore Ando
• Thiago J. Barbalho
• wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.18

We’ve just uploaded mypy 1.18.1 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance

... (truncated)

Commits

• 412c19a Bump version to 1.19.1
• 20aea0a Update changelog for 1.19.1 (#20414)
• 2b23b50 Serialize raw errors in cache metas (#20372)
• f60f90f Fail on PyPy in main instead of setup.py (#20389)
• 58d485b Fail with an explicit error on PyPy (#20384)
• a4b31a2 Allow types.NoneType in match cases (#20383)
• 8a6eff4 [mypyc] fix generator regression with empty tuple (#20371)
• 70eceea Fix noncommutative joins with bounded TypeVars (#20345)
• 3890fc4 Fix crash involving Unpack-ed TypeVarTuple (#20323)
• c93d917 Fix crash on star import of redefinition (#20333)
• Additional commits viewable in compare view

Updates nodeenv from 1.9.1 to 1.10.0

Release notes

Sourced from nodeenv's releases.

1.10.0 - drop

What's Changed

Fixed bugs 🐛

• Use lowercase lookup for archmap by @​robmoss2k in ekalinin/nodeenv#382

Improvements 🛠

• Add support for Python 3.13 by @​hugovk in ekalinin/nodeenv#367
• Add UV Virtual Environment support by @​Vizonex in ekalinin/nodeenv#386
• Use sh instead of bash by @​WhyNotHugo in ekalinin/nodeenv#389
• Replace additional use of which(1) with shutil.which() by @​mgorny in ekalinin/nodeenv#355

Other Changes

• Support leading v in .node-version by @​nix6839 in ekalinin/nodeenv#359
• Check host platform when finding node version by @​max0x53 in ekalinin/nodeenv#363

New Contributors

• @​hugovk made their first contribution in ekalinin/nodeenv#367
• @​nix6839 made their first contribution in ekalinin/nodeenv#359
• @​max0x53 made their first contribution in ekalinin/nodeenv#363
• @​robmoss2k made their first contribution in ekalinin/nodeenv#382
• @​Vizonex made their first contribution in ekalinin/nodeenv#386
• @​WhyNotHugo made their first contribution in ekalinin/nodeenv#389
• @​mgorny made their first contribution in ekalinin/nodeenv#355

Full Changelog: ekalinin/nodeenv@1.9.1...1.10.0

Commits

• 9dee547 chore: bump nodeenv version to 1.10.0
• d45aabb chore: add pyright ignore comments for compatibility
• 55d6c21 chore: update AUTHORS
• 5f694e6 test: update test test_node_system_creates_shim
• fa3fdfb Merge branch 'master' of github.com:ekalinin/nodeenv
• e868dbe Replace additional use of which(1) with shutil.which() (#355)
• b4cd00d test: enhance activation tests for nodeenv with custom prompts and file handling
• 0b5ea9d refactor(tests): improve readability of mock patches in nodeenv tests
• 37c0c30 ci: add GH workflow for testing and coverage in PR
• 326a7a4 test: add comprehensive tests for install_npm and install_npm_win functions
• Additional commits viewable in compare view

Updates pre-commit from 4.5.0 to 4.5.1

Release notes

Sourced from pre-commit's releases.

pre-commit v4.5.1

Fixes

• Fix language: python with repo: local without additional_dependencies.
  • #3597 PR by @​asottile.

Changelog

Sourced from pre-commit's changelog.

4.5.1 - 2025-12-16

Fixes

• Fix language: python with repo: local without additional_dependencies.
  • #3597 PR by @​asottile.

Commits

• 8a0630c v4.5.1
• fcbc745 Merge pull request #3597 from pre-commit/empty-setup-py
• 51592ee fix python local template when artifact dirs are present
• 67e8faf Merge pull request #3596 from pre-commit/pre-commit-ci-update-config
• c251e6b [pre-commit.ci] pre-commit autoupdate
• 98ccafa Merge pull request #3593 from pre-commit/pre-commit-ci-update-config
• 4895355 [pre-commit.ci] pre-commit autoupdate
• 2cedd58 Merge pull request #3588 from pre-commit/pre-commit-ci-update-config
• 465192d [pre-commit.ci] pre-commit autoupdate
• fd42f96 Merge pull request #3586 from pre-commit/zipapp-sha256-file-not-needed
• Additional commits viewable in compare view

Updates pytest from 9.0.1 to 9.0.2

Release notes

Sourced from pytest's releases.

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

• #13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

• #4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

Commits

• 3d10b51 Prepare release version 9.0.2
• 188750b Merge pull request #14030 from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...
• b7d7bef Merge pull request #14014 from bluetech/compat-note
• bd08e85 Merge pull request #14013 from pytest-dev/patchback/backports/9.0.x/922b60377...
• bc78386 Add CLI options reference documentation (#13930)
• 5a4e398 Fix docs typo (#14005) (#14008)
• d7ae6df Merge pull request #14006 from pytest-dev/maintenance/update-plugin-list-tmpl...
• 556f6a2 pre-commit: fix rst-lint after new release (#13999) (#14001)
• c60fbe6 Fix quadratic-time behavior when handling unittest subtests in Python 3.10 ...
• 73d9b01 Merge pull request #13995 from nicoddemus/patchback/backports/9.0.x/1b5200c0f...
• Additional commits viewable in compare view

Updates ruff from 0.14.7 to 0.14.10

Release notes

Sourced from ruff's releases.

0.14.10

Release Notes

Released on 2025-12-18.

Preview features

• [formatter] Fluent formatting of method chains (#21369)
• [formatter] Keep lambda parameters on one line and parenthesize the body if it expands (#21385)
• [flake8-implicit-str-concat] New rule to prevent implicit string concatenation in collections (ISC004) (#21972)
• [flake8-use-pathlib] Make fixes unsafe when types change in compound statements (PTH104, PTH105, PTH109, PTH115) (#22009)
• [refurb] Extend support for Path.open (FURB101, FURB103) (#21080)

Bug fixes

• [pyupgrade] Fix parsing named Unicode escape sequences (UP032) (#21901)

Rule changes

• [eradicate] Ignore ruff:disable and ruff:enable comments in ERA001 (Description has been truncated