Deps: Bump the python-packages group with 3 updates

[dependabot]

Bumps the python-packages group with 3 updates: lxml, coverage and ruff.

Updates lxml from 5.3.0 to 5.3.1

Changelog

Sourced from lxml's changelog.

5.3.1 (2025-02-09)

Bugs fixed

• GH#440: Some tests were adapted for libxml2 2.14.0. Patch by Nick Wellnhofer.

• LP#2097175: DTD(external_id="…") erroneously required a byte string as ID value.

• GH#450: iterparse() internally triggered the `DeprecationWarning`` added in lxml 5.3.0 when parsing HTML.

Other changes

• GH#442: Binary wheels for macOS no longer use the linker flag -flat_namespace.

Commits

• 1dd5001 Update changelog.
• 7b177e4 CI: Fix dependency issues.
• 088c9e5 CI: Use older Ubuntu image to fix builds.
• 58af8b3 CI: Try to get legacy jobs working again.
• 37cdbb5 Prepare release of lxml 5.3.1.
• 64ac58f Build/CI: Update cache action from deprecated version.
• 6b654c9 Buld: Downgrade Ubuntu build image to fix dependency issues.
• 71fda3f Update changelog.
• 306041e iterparse: ignore "strip_cdata" when parsing HTML (GH-450)
• e73c466 Fix DTD(external_id="...") option.
• Additional commits viewable in compare view

Updates coverage from 7.6.11 to 7.6.12

Changelog

Sourced from coverage's changelog.

Version 7.6.12 — 2025-02-11

• Fix: some aarch64 distributions were missing (issue 1927_). These are now building reliably.

.. _issue 1927: nedbat/coveragepy#1927

.. _changes_7-6-11:

Commits

• 7e5373e docs: sample HTML for 7.6.12
• a4ed38b docs: prep for 7.6.12
• ce4efdc build: fix aarch64 kits #1927
• a1f3192 build: don't publish if kit building failed
• bb68f99 chore: bump the action-dependencies group with 2 updates (#1926)
• f3d6b4a refactor: check for more kinds of constant tests
• 67899ea refactor: we no longer care what kind of constant the compile-time constants are
• c850f20 refactor: macOS is MACOS, not OSX
• a1b2c1a build: there are always tweaks to howto.txt
• 9c03039 build: bump version to 7.6.12
• See full diff in compare view

Updates ruff from 0.9.5 to 0.9.6

Release notes

Sourced from ruff's releases.

0.9.6

Release Notes

Preview features

• [airflow] Add external_task.{ExternalTaskMarker, ExternalTaskSensor} for AIR302 (#16014)
• [flake8-builtins] Make strict module name comparison optional (A005) (#15951)
• [flake8-pyi] Extend fix to Python <= 3.9 for redundant-none-literal (PYI061) (#16044)
• [pylint] Also report when the object isn't a literal (PLE1310) (#15985)
• [ruff] Implement indented-form-feed (RUF054) (#16049)
• [ruff] Skip type definitions for missing-f-string-syntax (RUF027) (#16054)

Rule changes

• [flake8-annotations] Correct syntax for typing.Union in suggested return type fixes for ANN20x rules (#16025)
• [flake8-builtins] Match upstream module name comparison (A005) (#16006)
• [flake8-comprehensions] Detect overshadowed list/set/dict, ignore variadics and named expressions (C417) (#15955)
• [flake8-pie] Remove following comma correctly when the unpacked dictionary is empty (PIE800) (#16008)
• [flake8-simplify] Only trigger SIM401 on known dictionaries (#15995)
• [pylint] Do not report calls when object type and argument type mismatch, remove custom escape handling logic (PLE1310) (#15984)
• [pyupgrade] Comments within parenthesized value ranges should not affect applicability (UP040) (#16027)
• [pyupgrade] Don't introduce invalid syntax when upgrading old-style type aliases with parenthesized multiline values (UP040) (#16026)
• [pyupgrade] Ensure we do not rename two type parameters to the same name (UP049) (#16038)
• [pyupgrade] [ruff] Don't apply renamings if the new name is shadowed in a scope of one of the references to the binding (UP049, RUF052) (#16032)
• [ruff] Update RUF009 to behave similar to B008 and ignore attributes with immutable types (#16048)

Server

• Root exclusions in the server to project root (#16043)

Bug fixes

• [flake8-datetime] Ignore .replace() calls while looking for .astimezone (#16050)
• [flake8-type-checking] Avoid TC004 false positive where the runtime definition is provided by __getattr__ (#16052)

Documentation

• Improve ruff-lsp migration document (#16072)
• Undeprecate ruff.nativeServer (#16039)

Contributors

• @​AlexWaygood
• @​Daverball
• @​InSyncWithFoo
• @​Lee-W
• @​MichaReiser
• @​carlosgmartin
• @​dhruvmanila
• @​dylwil3
• @​junhsonjb

... (truncated)

Changelog

Sourced from ruff's changelog.

0.9.6

Preview features

• [airflow] Add external_task.{ExternalTaskMarker, ExternalTaskSensor} for AIR302 (#16014)
• [flake8-builtins] Make strict module name comparison optional (A005) (#15951)
• [flake8-pyi] Extend fix to Python <= 3.9 for redundant-none-literal (PYI061) (#16044)
• [pylint] Also report when the object isn't a literal (PLE1310) (#15985)
• [ruff] Implement indented-form-feed (RUF054) (#16049)
• [ruff] Skip type definitions for missing-f-string-syntax (RUF027) (#16054)

Rule changes

• [flake8-annotations] Correct syntax for typing.Union in suggested return type fixes for ANN20x rules (#16025)
• [flake8-builtins] Match upstream module name comparison (A005) (#16006)
• [flake8-comprehensions] Detect overshadowed list/set/dict, ignore variadics and named expressions (C417) (#15955)
• [flake8-pie] Remove following comma correctly when the unpacked dictionary is empty (PIE800) (#16008)
• [flake8-simplify] Only trigger SIM401 on known dictionaries (#15995)
• [pylint] Do not report calls when object type and argument type mismatch, remove custom escape handling logic (PLE1310) (#15984)
• [pyupgrade] Comments within parenthesized value ranges should not affect applicability (UP040) (#16027)
• [pyupgrade] Don't introduce invalid syntax when upgrading old-style type aliases with parenthesized multiline values (UP040) (#16026)
• [pyupgrade] Ensure we do not rename two type parameters to the same name (UP049) (#16038)
• [pyupgrade] [ruff] Don't apply renamings if the new name is shadowed in a scope of one of the references to the binding (UP049, RUF052) (#16032)
• [ruff] Update RUF009 to behave similar to B008 and ignore attributes with immutable types (#16048)

Server

• Root exclusions in the server to project root (#16043)

Bug fixes

• [flake8-datetime] Ignore .replace() calls while looking for .astimezone (#16050)
• [flake8-type-checking] Avoid TC004 false positive where the runtime definition is provided by __getattr__ (#16052)

Documentation

• Improve ruff-lsp migration document (#16072)
• Undeprecate ruff.nativeServer (#16039)

Commits

• 524cf6e Bump version to 0.9.6 (#16074)
• 857cf0d Revert tailwindcss v4 update (#16075)
• 0f1eb1e Improve migration document (#16072)
• b69eb90 Fix reference definition labels for backtick-quoted shortcut links (#16035)
• d2f661f RUF009 should behave similar to B008 and ignore attributes with immutable typ...
• 07cf885 [pylint] Also report when the object isn't a literal (PLE1310) (#15985)
• c089896 Update Rust crate rustc-hash to v2.1.1 (#16060)
• 869a954 Root exclusions in the server to project root (#16043)
• cc0a5dd Directly include Settings struct for the server (#16042)
• b54e390 Update Rust crate clap to v4.5.28 (#16059)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 2 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 4669b30.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

poetry.lock

Package	Version	License	Issue Type
lxml	5.3.1	BSD-3-Clause AND GPL-1.0-or-later	Incompatible License
ruff	0.9.6	0BSD AND Apache-2.0 AND BSD-3-Clause AND MIT	Incompatible License

Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-or-later, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
pip/coverage	7.6.12	🟢 8.5	Details Check Score Reason Code-Review ⚠️ 0 Found 1/28 approved changesets -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected CII-Best-Practices 🟢 5 badge detected: Passing Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
pip/lxml	5.3.1	🟢 6.6	Details Check Score Reason Code-Review ⚠️ 0 Found 2/29 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing 🟢 10 project is fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases.
pip/ruff	0.9.6	Unknown	Unknown

Scanned Files

• poetry.lock

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.74%. Comparing base (49a3e40) to head (4669b30).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1201   +/-   ##
=======================================
  Coverage   97.74%   97.74%           
=======================================
  Files          71       71           
  Lines        4967     4967           
  Branches      895      895           
=======================================
  Hits         4855     4855           
  Misses         76       76           
  Partials       36       36           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.