Skip to content

Comments

build(deps): bump the pip group across 1 directory with 4 updates#5056

Closed
dependabot[bot] wants to merge 1 commit intostablefrom
dependabot/pip/bazel/pip-91b679cf5f
Closed

build(deps): bump the pip group across 1 directory with 4 updates#5056
dependabot[bot] wants to merge 1 commit intostablefrom
dependabot/pip/bazel/pip-91b679cf5f

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 20, 2026

Bumps the pip group with 4 updates in the /bazel directory: filelock, protobuf, virtualenv and nbconvert.

Updates filelock from 3.20.1 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

3.24.3 (2026-02-19)

  • 🐛 fix(unix): handle ENOENT race on FUSE/NFS during acquire :pr:495
  • 🐛 fix(ci): add trailing blank line after changelog entries :pr:492

3.24.2 (2026-02-16)

  • 🐛 fix(rw): close sqlite3 cursors and skip SoftFileLock Windows race :pr:491
  • 🐛 fix(test): resolve flaky write non-starvation test :pr:490
  • 📝 docs: restructure using Diataxis framework :pr:489

3.24.1 (2026-02-15)

  • 🐛 fix(soft): resolve Windows deadlock and test race condition :pr:488

3.24.0 (2026-02-14)

  • ✨ feat(lock): add lifetime parameter for lock expiration (#68) :pr:486
  • ✨ feat(lock): add cancel_check to acquire (#309) :pr:487
  • 🐛 fix(api): detect same-thread self-deadlock :pr:481
  • ✨ feat(mode): respect POSIX default ACLs (#378) :pr:483
  • 🐛 fix(win): eliminate lock file race in threaded usage :pr:484
  • ✨ feat(lock): add poll_interval to constructor :pr:482
  • 🐛 fix(unix): auto-fallback to SoftFileLock on ENOSYS :pr:480

3.23.0 (2026-02-14)

  • 📝 docs: move from Unlicense to MIT :pr:479
  • 📝 docs: add fasteners to similar libraries :pr:478

3.22.0 (2026-02-14)

  • 🐛 fix(soft): skip stale detection on Windows :pr:477
  • ✨ feat(soft): detect and break stale locks :pr:476

... (truncated)

Commits

Updates protobuf from 6.32.0 to 6.33.5

Release notes

Sourced from protobuf's releases.

Protocol Buffers v34.0-rc1

Announcements

Bazel

Compiler

C++

... (truncated)

Commits

Updates virtualenv from 20.35.4 to 20.36.1

Release notes

Sourced from virtualenv's releases.

20.36.0

What's Changed

New Contributors

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

Changelog

Sourced from virtualenv's changelog.

Bugfixes - 20.36.1

  • Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:tsigouris007, fixed by :user:gaborbernat. (:issue:3013)

v20.36.0 (2026-01-07)

Features - 20.36.0

  • Add support for PEP 440 version specifiers in the --python flag. Users can now specify Python versions using operators like >=, <=, ~=, etc. For example: virtualenv --python=">=3.12" myenv . (:issue:2994`)

v20.35.4 (2025-10-28)

Commits
  • d0ad11d release 20.36.1
  • dec4cec Merge pull request #3013 from gaborbernat/fix-sec
  • 5fe5d38 release 20.36.0 (#3011)
  • 9719376 release 20.36.0
  • 0276db6 Add support for PEP 440 version specifiers in the --python flag. (#3008)
  • 4f900c2 Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 (#3...
  • 13afcc6 fix: resolve EncodingWarning in tox upgrade environment (#3007)
  • 31b5d31 [pre-commit.ci] pre-commit autoupdate (#2997)
  • 7c28422 fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 (...
  • 365628c test_too_many_open_files: assert on errno.EMFILE instead of strerror (#3001)
  • Additional commits viewable in compare view

Updates nbconvert from 7.16.6 to 7.17.0

Release notes

Sourced from nbconvert's releases.

v7.17.0

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Changelog

Sourced from nbconvert's changelog.

7.17.0

(Full Changelog)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review. See our definition of contributors.

(GitHub contributors page for this release)

@​bollwyvl (activity) | @​Carreau (activity) | @​h3pdesign (activity) | @​hackowitz-af (activity) | @​krassowski (activity) | @​mberlanda (activity) | @​mgorny (activity) | @​minrk (activity) | @​MSeal (activity) | @​QuLogic (activity) | @​salmankadaya (activity) | @​shreve (activity) | @​th3gowtham (activity)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the pip group across 1 directory with 4 updates
43885c9 
Bumps the pip group with 4 updates in the /bazel directory: [filelock](https://github.com/tox-dev/py-filelock), [protobuf](https://github.com/protocolbuffers/protobuf), [virtualenv](https://github.com/pypa/virtualenv) and [nbconvert](https://github.com/jupyter/nbconvert).


Updates `filelock` from 3.20.1 to 3.20.3
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.20.1...3.20.3)

Updates `protobuf` from 6.32.0 to 6.33.5
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `virtualenv` from 20.35.4 to 20.36.1
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@20.35.4...20.36.1)

Updates `nbconvert` from 7.16.6 to 7.17.0
- [Release notes](https://github.com/jupyter/nbconvert/releases)
- [Changelog](https://github.com/jupyter/nbconvert/blob/main/CHANGELOG.md)
- [Commits](jupyter/nbconvert@v7.16.6...v7.17.0)

---
updated-dependencies:
- dependency-name: filelock
  dependency-version: 3.20.3
  dependency-type: indirect
  dependency-group: pip
- dependency-name: protobuf
  dependency-version: 6.33.5
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: virtualenv
  dependency-version: 20.36.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: nbconvert
  dependency-version: 7.17.0
  dependency-type: indirect
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added Dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 20, 2026
@Mizux
Copy link
Collaborator

Mizux commented Feb 20, 2026

wrong branch + we can't migrate to protobuf 33 with our bazel based build

see: protocolbuffers/protobuf#24084

@Mizux Mizux closed this Feb 20, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 20, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/pip/bazel/pip-91b679cf5f branch February 20, 2026 07:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Mizux