Update dependency black to v26.3.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
black (changelog)	26.3.0 → 26.3.1

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

---

Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using
  exact-length placeholders for short magics and aborting if a placeholder can no longer
  be unmasked safely (#​5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom
  magic names cannot affect cache paths (#​5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting
  and request body limits, and bound executor submissions to improve backpressure
  (#​5039)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.