Update dependencies and address security issues (#5765)

This PR addresses Dependabot vulnerability alerts and secret scanner
reports by updating dependencies and redacting some of the sensitive
configuration field.

* **Dependency Updates:** Updated various dependencies, including those
flagged by Dependabot, as reflected in `poetry.lock`. This resolves
known vulnerabilities.
* **Secret Redaction:** Addressed secret scanner findings by redacting
sensitive configuration values (e.g., `tokenfile`, `apikey`, `password`,
`username`, `userid`) in `beatport`, `discogs`, `embyupdate`,
`fetchart`, `lastimport`, `spotify`, and `subsonicupdate` plugins.
* **Python Version:** Standardized on Python 3.9 across GitHub Actions
workflows.
* **Code Style:** Minor adjustments for `ruff` compatibility, including
string concatenations and f-string quote consistency.

Author: snejus

.git-blame-ignore-revs

@@ -43,3 +43,7 @@ a6e5201ff3fad4c69bf24d17bace2ef744b9f51b
 f36bc497c8c8f89004f3f6879908d3f0b25123e1
 # Remove some lint exclusions and fix the issues
 5f78d1b82b2292d5ce0c99623ba0ec444b80d24c
+
+# 2025
+# Fix formatting
+c490ac5810b70f3cf5fd8649669838e8fdb19f4d

.github/workflows/ci.yaml

@@ -33,7 +33,7 @@ jobs:
         if: matrix.platform == 'ubuntu-latest'
         run: |
           sudo apt update
-          sudo apt install ffmpeg gobject-introspection libcairo2-dev libgirepository1.0-dev pandoc
+          sudo apt install ffmpeg gobject-introspection libcairo2-dev libgirepository-2.0-dev pandoc
 
       - name: Get changed lyrics files
         id: lyrics-update

.github/workflows/integration_test.yaml

@@ -12,7 +12,7 @@ jobs:
         uses: BrandonLWhite/[email protected]
       - uses: actions/setup-python@v5
         with:
-          python-version: 3.8
+          python-version: 3.9
           cache: poetry
 
       - name: Install dependencies

.github/workflows/make_release.yaml

@@ -8,7 +8,7 @@ on:
         required: true
 
 env:
-  PYTHON_VERSION: 3.8
+  PYTHON_VERSION: 3.9
   NEW_VERSION: ${{ inputs.version }}
   NEW_TAG: v${{ inputs.version }}
 
@@ -26,7 +26,7 @@ jobs:
           cache: poetry
 
       - name: Install dependencies
-        run: poetry install --only=release
+        run: poetry install --with=release --extras=docs
 
       - name: Bump project version
         run: poe bump "${{ env.NEW_VERSION }}"

.pre-commit-config.yaml

@@ -2,7 +2,11 @@
 # See https://pre-commit.com/hooks.html for more hooks
 
 repos:
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.8.1
+  - repo: local
     hooks:
-      - id: ruff-format
+      - id: format
+        name: Format
+        entry: poe format
+        language: system
+        files: '.*.py'
+        pass_filenames: true

beets/autotag/hooks.py

@@ -18,7 +18,7 @@
 
 import re
 from functools import total_ordering
-from typing import TYPE_CHECKING, Any, Callable, NamedTuple, TypeVar, cast
+from typing import TYPE_CHECKING, Any, Callable, NamedTuple, TypeVar
 
 from jellyfish import levenshtein_distance
 from unidecode import unidecode
@@ -474,7 +474,6 @@ def _eq(self, value1: re.Pattern[str] | Any, value2: Any) -> bool:
         matched against `value2`.
         """
         if isinstance(value1, re.Pattern):
-            value2 = cast(str, value2)
             return bool(value1.match(value2))
         return value1 == value2
 

beets/autotag/match.py

@@ -20,10 +20,9 @@
 
 import datetime
 import re
-from collections.abc import Iterable, Sequence
 from enum import IntEnum
 from functools import cache
-from typing import TYPE_CHECKING, Any, NamedTuple, TypeVar, cast
+from typing import TYPE_CHECKING, Any, NamedTuple, TypeVar
 
 import lap
 import numpy as np
@@ -40,6 +39,8 @@
 from beets.util import plurality
 
 if TYPE_CHECKING:
+    from collections.abc import Iterable, Sequence
+
     from beets.library import Item
 
 # Artist signals that indicate "various artists". These are used at the
@@ -241,12 +242,14 @@ def distance(
     # Album.
     dist.add_string("album", likelies["album"], album_info.album)
 
+    preferred_config = config["match"]["preferred"]
     # Current or preferred media.
     if album_info.media:
         # Preferred media options.
-        patterns = config["match"]["preferred"]["media"].as_str_seq()
-        patterns = cast(Sequence[str], patterns)
-        options = [re.compile(r"(\d+x)?(%s)" % pat, re.I) for pat in patterns]
+        media_patterns: Sequence[str] = preferred_config["media"].as_str_seq()
+        options = [
+            re.compile(r"(\d+x)?(%s)" % pat, re.I) for pat in media_patterns
+        ]
         if options:
             dist.add_priority("media", album_info.media, options)
         # Current media.
@@ -258,7 +261,7 @@ def distance(
         dist.add_number("mediums", likelies["disctotal"], album_info.mediums)
 
     # Prefer earliest release.
-    if album_info.year and config["match"]["preferred"]["original_year"]:
+    if album_info.year and preferred_config["original_year"]:
         # Assume 1889 (earliest first gramophone discs) if we don't know the
         # original year.
         original = album_info.original_year or 1889
@@ -282,9 +285,8 @@ def distance(
             dist.add("year", 1.0)
 
     # Preferred countries.
-    patterns = config["match"]["preferred"]["countries"].as_str_seq()
-    patterns = cast(Sequence[str], patterns)
-    options = [re.compile(pat, re.I) for pat in patterns]
+    country_patterns: Sequence[str] = preferred_config["countries"].as_str_seq()
+    options = [re.compile(pat, re.I) for pat in country_patterns]
     if album_info.country and options:
         dist.add_priority("country", album_info.country, options)
     # Country.
@@ -447,9 +449,8 @@ def _add_candidate(
         return
 
     # Discard matches without required tags.
-    for req_tag in cast(
-        Sequence[str], config["match"]["required"].as_str_seq()
-    ):
+    required_tags: Sequence[str] = config["match"]["required"].as_str_seq()
+    for req_tag in required_tags:
         if getattr(info, req_tag) is None:
             log.debug("Ignored. Missing required tag: {0}", req_tag)
             return
@@ -462,8 +463,8 @@ def _add_candidate(
 
     # Skip matches with ignored penalties.
     penalties = [key for key, _ in dist]
-    ignored = cast(Sequence[str], config["match"]["ignored"].as_str_seq())
-    for penalty in ignored:
+    ignored_tags: Sequence[str] = config["match"]["ignored"].as_str_seq()
+    for penalty in ignored_tags:
         if penalty in penalties:
             log.debug("Ignored. Penalty: {0}", penalty)
             return
@@ -499,8 +500,8 @@ def tag_album(
     """
     # Get current metadata.
     likelies, consensus = current_metadata(items)
-    cur_artist = cast(str, likelies["artist"])
-    cur_album = cast(str, likelies["album"])
+    cur_artist: str = likelies["artist"]
+    cur_album: str = likelies["album"]
     log.debug("Tagging {0} - {1}", cur_artist, cur_album)
 
     # The output result, keys are the MB album ID.

beets/autotag/mb.py

@@ -19,9 +19,8 @@
 import re
 import traceback
 from collections import Counter
-from collections.abc import Iterator, Sequence
 from itertools import product
-from typing import Any, cast
+from typing import TYPE_CHECKING, Any
 from urllib.parse import urljoin
 
 import musicbrainzngs
@@ -37,6 +36,9 @@
     spotify_id_regex,
 )
 
+if TYPE_CHECKING:
+    from collections.abc import Iterator, Sequence
+
 VARIOUS_ARTISTS_ID = "89ad4ac3-39f7-470e-963a-56509c546377"
 
 BASE_URL = "https://musicbrainz.org/"
@@ -178,23 +180,26 @@ def _preferred_alias(aliases: list):
         return matches[0]
 
 
-def _preferred_release_event(release: dict[str, Any]) -> tuple[str, str]:
+def _preferred_release_event(
+    release: dict[str, Any],
+) -> tuple[str | None, str | None]:
     """Given a release, select and return the user's preferred release
     event as a tuple of (country, release_date). Fall back to the
     default release event if a preferred event is not found.
     """
-    countries = config["match"]["preferred"]["countries"].as_str_seq()
-    countries = cast(Sequence, countries)
+    preferred_countries: Sequence[str] = config["match"]["preferred"][
+        "countries"
+    ].as_str_seq()
 
-    for country in countries:
+    for country in preferred_countries:
         for event in release.get("release-event-list", {}):
             try:
                 if country in event["area"]["iso-3166-1-code-list"]:
                     return country, event["date"]
             except KeyError:
                 pass
 
-    return (cast(str, release.get("country")), cast(str, release.get("date")))
+    return release.get("country"), release.get("date")
 
 
 def _multi_artist_credit(
@@ -589,7 +594,9 @@ def album_info(release: dict) -> beets.autotag.hooks.AlbumInfo:
     if not release_date:
         # Fall back if release-specific date is not available.
         release_date = release_group_date
-    _set_date_str(info, release_date, False)
+
+    if release_date:
+        _set_date_str(info, release_date, False)
     _set_date_str(info, release_group_date, True)
 
     # Label name.

beets/dbcore/db.py

@@ -26,7 +26,7 @@
 from collections import defaultdict
 from collections.abc import Generator, Iterable, Iterator, Mapping, Sequence
 from sqlite3 import Connection
-from typing import TYPE_CHECKING, Any, AnyStr, Callable, Generic, TypeVar, cast
+from typing import TYPE_CHECKING, Any, AnyStr, Callable, Generic, TypeVar
 
 from unidecode import unidecode
 
@@ -126,8 +126,8 @@ def _get_formatted(self, model: Model, key: str) -> str:
             value = value.decode("utf-8", "ignore")
 
         if self.for_path:
-            sep_repl = cast(str, beets.config["path_sep_replace"].as_str())
-            sep_drive = cast(str, beets.config["drive_sep_replace"].as_str())
+            sep_repl: str = beets.config["path_sep_replace"].as_str()
+            sep_drive: str = beets.config["drive_sep_replace"].as_str()
 
             if re.match(r"^\w:", value):
                 value = re.sub(r"(?<=^\w):", sep_drive, value)

beets/test/_common.py

@@ -121,15 +121,15 @@ def assertNotExists(self, path):
 
     def assertIsFile(self, path):
         self.assertExists(path)
-        assert os.path.isfile(
-            syspath(path)
-        ), "path exists, but is not a regular file: {!r}".format(path)
+        assert os.path.isfile(syspath(path)), (
+            "path exists, but is not a regular file: {!r}".format(path)
+        )
 
     def assertIsDir(self, path):
         self.assertExists(path)
-        assert os.path.isdir(
-            syspath(path)
-        ), "path exists, but is not a directory: {!r}".format(path)
+        assert os.path.isdir(syspath(path)), (
+            "path exists, but is not a directory: {!r}".format(path)
+        )
 
     def assert_equal_path(self, a, b):
         """Check that two paths are equal."""