chore(deps): bump the minor-and-patch group across 1 directory with 7 updates

[dependabot]

Bumps the minor-and-patch group with 7 updates in the / directory:

Package	From	To
algokit-utils	4.1.0	4.2.2
ruff	0.12.4	0.14.8
mypy	1.17.0	1.19.0
pip-audit	2.9.0	2.10.0
pre-commit	4.2.0	4.5.0
poethepoet	0.36.0	0.38.0
pytest-sugar	1.0.0	1.1.1

Updates algokit-utils from 4.1.0 to 4.2.2

Commits

• See full diff in compare view

Updates ruff from 0.12.4 to 0.14.8

Release notes

Sourced from ruff's releases.

0.14.8

Release Notes

Released on 2025-12-04.

Preview features

• [flake8-bugbear] Catch yield expressions within other statements (B901) (#21200)
• [flake8-use-pathlib] Mark fixes unsafe for return type changes (PTH104, PTH105, PTH109, PTH115) (#21440)

Bug fixes

• Fix syntax error false positives for await outside functions (#21763)
• [flake8-simplify] Fix truthiness assumption for non-iterable arguments in tuple/list/set calls (SIM222, SIM223) (#21479)

Documentation

• Suggest using --output-file option in GitLab integration (#21706)

Other changes

• [syntax-error] Default type parameter followed by non-default type parameter (#21657)

Contributors

• @​kieran-ryan
• @​11happy
• @​danparizher
• @​ntBre

Install ruff 0.14.8

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.14.8/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/ruff/releases/download/0.14.8/ruff-installer.ps1 | iex"

Download ruff 0.14.8

File	Platform	Checksum
ruff-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ruff-x86_64-apple-darwin.tar.gz	Intel macOS	checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.8

Released on 2025-12-04.

Preview features

• [flake8-bugbear] Catch yield expressions within other statements (B901) (#21200)
• [flake8-use-pathlib] Mark fixes unsafe for return type changes (PTH104, PTH105, PTH109, PTH115) (#21440)

Bug fixes

• Fix syntax error false positives for await outside functions (#21763)
• [flake8-simplify] Fix truthiness assumption for non-iterable arguments in tuple/list/set calls (SIM222, SIM223) (#21479)

Documentation

• Suggest using --output-file option in GitLab integration (#21706)

Other changes

• [syntax-error] Default type parameter followed by non-default type parameter (#21657)

Contributors

• @​kieran-ryan
• @​11happy
• @​danparizher
• @​ntBre

0.14.7

Released on 2025-11-28.

Preview features

• [flake8-bandit] Handle string literal bindings in suspicious-url-open-usage (S310) (#21469)
• [pylint] Fix PLR1708 false positives on nested functions (#21177)
• [pylint] Fix suppression for empty dict without tuple key annotation (PLE1141) (#21290)
• [ruff] Add rule RUF066 to detect unnecessary class properties (#21535)
• [ruff] Catch more dummy variable uses (RUF052) (#19799)

Bug fixes

• [server] Set severity for non-rule diagnostics (#21559)
• [flake8-implicit-str-concat] Avoid invalid fix in (ISC003) (#21517)
• [parser] Fix panic when parsing IPython escape command expressions (#21480)

CLI

• Show partial fixability indicator in statistics output (#21513)

... (truncated)

Commits

• 9d4f1c6 Bump 0.14.8 (#21791)
• 326025d [ty] Always register rename provider if client doesn't support dynamic regist...
• 3aefe85 [ty] Ensure rename CursorTest calls can_rename before renaming (#21790)
• b8ecc83 Fix clippy errors on main (#21788)
• 6491932 [ty] Fix crash when hovering an unknown string annotation (#21782)
• a9f2bb4 [ty] Don't send publish diagnostics for clients supporting pull diagnostics (...
• e2b72fb [ty] cleanup test path (#21781)
• 14fce0d [ty] Improve the display of various special-form types (#21775)
• 8ebecb2 [ty] Add subdiagnostic hint if the user wrote X = Any rather than X: Any ...
• 45ac30a [ty] Teach ty the meaning of desperation (try ancestor pyproject.tomls as...
• Additional commits viewable in compare view

Updates mypy from 1.17.0 to 1.19.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Drop Support for Python 3.9

Mypy no longer supports running with Python 3.9, which has reached end-of-life. When running mypy with Python 3.10+, it is still possible to type check code that needs to support Python 3.9 with the --python-version 3.9 argument. Support for this will be dropped in the first half of 2026!

Contributed by Marc Mueller (PR 20156).

Mypy 1.19

We’ve just uploaded mypy 1.19.0 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Python 3.9 Support Ending Soon

This is the last mypy feature release that supports Python 3.9, which reached end of life in October 2025.

Performance Improvements

• Switch to a more dynamic SCC processing logic (Ivan Levkivskyi, PR 20053)
• Speed up type aliases (Ivan Levkivskyi, PR 19810)

Fixed‑Format Cache Improvements

Mypy uses a cache by default to speed up incremental runs by reusing partial results from earlier runs. Mypy 1.18 added a new binary fixed-format cache representation as an experimental feature. The feature is no longer experimental, and we are planning to enable it by default in a future mypy release (possibly 1.20), since it's faster and uses less space than the original, JSON-based cache format. Use --fixed-format-cache to enable the fixed-format cache.

Mypy now has an extra dependency on the librt PyPI package, as it's needed for cache serialization and deserialization.

Mypy ships with a tool to convert fixed-format cache files to the old JSON format. Example of how to use this:

$ python -m mypy.exportjson .mypy_cache/.../my_module.data.ff

... (truncated)

Commits

• 0f068c9 Remove +dev
• 6d5cf52 Various updates to 1.19 changelog (#20304)
• 3c81308 Add draft version of 1.19 release notes (#20296)
• 1999a20 [mypyc] librt base64: use existing SIMD CPU dispatch by customizing build fla...
• 1b94fbb [mypyc] Fix vtable pointer with inherited dunder new (#20302)
• 13369cb [mypyc] Fix crash on super in generator (#20291)
• a087a58 Update import map when new modules added (#20271)
• 35e843c [mypyc] Add efficient librt.base64.b64decode (#20263)
• 094f66d [mypyc] Add repr to AssignmentTarget subclasses (#20258)
• 0738db3 Do not push partial types to the binder (#20202)
• Additional commits viewable in compare view

Updates pip-audit from 2.9.0 to 2.10.0

Release notes

Sourced from pip-audit's releases.

v2.10.0

Added

• pip-audit now supports the --osv-url URL flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records (#810)

• pip-audit now supports the Ecosyste.ms vulnerability service with --vulnerability-service=esms (#903).

Changed

• The minimum version of Python is now 3.10 (#905)

Fixed

• Fixed a bug where pip-audit would fail to parse pyproject.toml files containing TOML 1.0.0 features (#910)

• CycloneDX JSON/XML output now correctly links vulnerabilities to their affected components via the affects field (#980)

Changelog

Sourced from pip-audit's changelog.

[2.10.0]

Added

• pip-audit now supports the --osv-url URL flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records (#810)

• pip-audit now supports the Ecosyste.ms vulnerability service with --vulnerability-service=esms (#903).

Changed

• The minimum version of Python is now 3.10 (#905)

Fixed

• Fixed a bug where pip-audit would fail to parse pyproject.toml files containing TOML 1.0.0 features (#910)

• CycloneDX JSON/XML output now correctly links vulnerabilities to their affected components via the affects field (#980)

Commits

• dec2165 chore: prep release v2.10.0 (#905)
• d191a22 Fix CycloneDX vulnerability-component linking (#980) (#981)
• a3f69b1 dependabot: add cooldowns (#978)
• 42df1b2 build(deps): bump astral-sh/setup-uv from 7.1.3 to 7.1.4 (#976)
• d4cbb66 build(deps): bump actions/checkout from 5.0.1 to 6.0.0 (#977)
• 0f2889d build(deps): bump github/codeql-action from 4.31.3 to 4.31.4 (#975)
• ad15644 build(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#974)
• 831ca98 build(deps): bump astral-sh/setup-uv from 7.1.2 to 7.1.3 (#972)
• afeb9ea build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 (#973)
• 2969e7c build(deps): bump github/codeql-action from 4.31.0 to 4.31.2 (#971)
• Additional commits viewable in compare view

Updates pre-commit from 4.2.0 to 4.5.0

Release notes

Sourced from pre-commit's releases.

pre-commit v4.5.0

Features

• Add pre-commit hazmat.
  • #3585 PR by @​asottile.

pre-commit v4.4.0

Features

• Add --fail-fast option to pre-commit run.
  • #3528 PR by @​JulianMaurin.
• Upgrade ruby-build / rbenv.
  • #3566 PR by @​asottile.
  • #3565 issue by @​MRigal.
• Add language: unsupported / language: unsupported_script as aliases for language: system / language: script (which will eventually be deprecated).
  • #3577 PR by @​asottile.
• Add support docker-in-docker detection for cgroups v2.
  • #3535 PR by @​br-rhrbacek.
  • #3360 issue by @​JasonAlt.

Fixes

• Handle when docker gives SecurityOptions: null.
  • #3537 PR by @​asottile.
  • #3514 issue by @​jenstroeger.
• Fix error context for invalid stages in .pre-commit-config.yaml.
  • #3576 PR by @​asottile.

pre-commit v4.3.0

Features

• language: docker / language: docker_image: detect rootless docker.
  • #3446 PR by @​matthewhughes934.
  • #1243 issue by @​dkolepp.
• language: julia: avoid startup.jl when executing hooks.
  • #3496 PR by @​ericphanson.
• language: dart: support latest dart versions which require a higher sdk lower bound.
  • #3507 PR by @​bc-lee.

Changelog

Sourced from pre-commit's changelog.

4.5.0 - 2025-11-22

Features

• Add pre-commit hazmat.
  • #3585 PR by @​asottile.

4.4.0 - 2025-11-08

Features

• Add --fail-fast option to pre-commit run.
  • #3528 PR by @​JulianMaurin.
• Upgrade ruby-build / rbenv.
  • #3566 PR by @​asottile.
  • #3565 issue by @​MRigal.
• Add language: unsupported / language: unsupported_script as aliases for language: system / language: script (which will eventually be deprecated).
  • #3577 PR by @​asottile.
• Add support docker-in-docker detection for cgroups v2.
  • #3535 PR by @​br-rhrbacek.
  • #3360 issue by @​JasonAlt.

Fixes

• Handle when docker gives SecurityOptions: null.
  • #3537 PR by @​asottile.
  • #3514 issue by @​jenstroeger.
• Fix error context for invalid stages in .pre-commit-config.yaml.
  • #3576 PR by @​asottile.

4.3.0 - 2025-08-09

Features

• language: docker / language: docker_image: detect rootless docker.
  • #3446 PR by @​matthewhughes934.
  • #1243 issue by @​dkolepp.
• language: julia: avoid startup.jl when executing hooks.
  • #3496 PR by @​ericphanson.
• language: dart: support latest dart versions which require a higher sdk lower bound.
  • #3507 PR by @​bc-lee.

Commits

• 1af6c8f v4.5.0
• 3358a3b Merge pull request #3585 from pre-commit/hazmat
• bdf6879 add pre-commit hazmat
• e436690 Merge pull request #3584 from pre-commit/exitstack
• 8d34f95 use ExitStack instead of start + stop
• 9c7ea88 Merge pull request #3583 from pre-commit/forward-compat-map-manifest
• 844dacc add forward-compat error message
• 6a1d543 Merge pull request #3582 from pre-commit/move-gc-back
• 66278a9 move logic for gc back to commands.gc
• 1b32c50 Merge pull request #3579 from pre-commit/pre-commit-ci-update-config
• Additional commits viewable in compare view

Updates poethepoet from 0.36.0 to 0.38.0

Release notes

Sourced from poethepoet's releases.

0.38.0

Enhancements

• feat: Add parallel task type by @​nat-n in nat-n/poethepoet#323

Breaking changes

• Drop support for python 3.9 by @​nat-n in nat-n/poethepoet#329

Internal changes

• refactor: executor options by @​nat-n in nat-n/poethepoet#328

Full Changelog: nat-n/poethepoet@v0.37.0...v0.38.0

0.38.0-beta

Pre-release for parallel tasks

Adds new parallel task type that runs subtasks in parallel and multiplexes subprocess outputs with a line prefix

• Major refactor of task orchestration to use asyncio
• Rewrite of signal handling logic to improve subprocess cleanup

Full Changelog: nat-n/poethepoet@v0.37.0...v0.38.0-beta

0.37.0

Enhancements

• Support configuring task level verbosity by @​nat-n in nat-n/poethepoet#304
• Direct most non-task output to stderr by @​nat-n in nat-n/poethepoet#304

Full Changelog: nat-n/poethepoet@v0.36.0...v0.37.0

Commits

• 9e751f2 test: Try mitigate hanging flakey test
• fb01edb test: improve parallel task test stability
• ff04b33 chore: drop support for python 3.9 (#329)
• 818c407 feat: Add parallel task type (#323)
• 3257781 refactor: executor options (#328)
• 9c582c8 Bump version to 0.37.0
• 6eb522f feat: Support task level verbosity config and use stderr for most non-task ou...
• See full diff in compare view

Updates pytest-sugar from 1.0.0 to 1.1.1

Release notes

Sourced from pytest-sugar's releases.

pytest-sugar 1.1.1

Adjust signature of SugarTerminalReporter to avoid conflicts with other pytest plugins (#297 by @​TolstochenkoDaniil)

pytest-sugar 1.1.0

Add Playwright trace file detection and display support for failed tests (#296 by @​kiebak3r)

This enhancement automatically detects and displays Playwright trace.zip files with viewing commands when tests fail, making debugging easier for Playwright users.

New command-line options:

• --sugar-trace-dir: Configure the directory name for Playwright trace files (default: test-results)
• --sugar-no-trace: Disable Playwright trace file detection and display

Changelog

Sourced from pytest-sugar's changelog.

1.1.1 - 2025-08-23 ^^^^^^^^^^^^^^^^^^

Adjust signature of SugarTerminalReporter to avoid conflicts with other pytest plugins

Contributed by Daniil via [PR #297](Teemu/pytest-sugar#297)

1.1.0 - 2025-08-16 ^^^^^^^^^^^^^^^^^^

Add Playwright trace file detection and display support for failed tests. This enhancement automatically detects and displays Playwright trace.zip files with viewing commands when tests fail, making debugging easier for Playwright users.

New command-line options:

• --sugar-trace-dir: Configure the directory name for Playwright trace files (default: test-results)
• --sugar-no-trace: Disable Playwright trace file detection and display

Contributed by kie via [PR #296](Teemu/pytest-sugar#296)

Commits

• 8133503 Release pytest-sugar 1.1.1
• 6798042 Fix conflict with other Pytest plugins (#297)
• 43bbdd0 Release pytest-sugar 1.1.0
• 855d661 Feature - Playwright Support for Trace Zip Mapping (#296)
• 2a5862a Merge pull request #293 from cgoldberg/add-py313
• ca26d98 Add support for Python 3.13
• 69989eb Clarify license as BSD 3-Clause License
• 3c86a5c Merge pull request #289 from deronnax/remove-packaging-dep
• c123be0 remove 'packaging' package
• efafd9c Merge pull request #282 from penguinpee/main
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.