Deps: Bump the python-packages group with 6 updates

[dependabot]

Bumps the python-packages group with 6 updates:

Package	From	To
coverage	7.10.2	7.10.3
types-paramiko	3.5.0.20250801	4.0.0.20250809
anyio	4.9.0	4.10.0
charset-normalizer	3.4.2	3.4.3
cryptography	45.0.5	45.0.6
ruff	0.12.7	0.12.8

Updates coverage from 7.10.2 to 7.10.3

Changelog

Sourced from coverage's changelog.

Version 7.10.3 — 2025-08-10

• Fixes for patch = subprocess:

  • If subprocesses spawned yet more subprocesses simultaneously, some coverage could be missed. This is now fixed, closing issue 2024_.

  • If subprocesses were created in other directories, their data files were stranded there and not combined into the totals, as described in issue 2025_. This is now fixed.

  • On Windows (or maybe only some Windows?) the patch would fail with a ModuleNotFound error trying to import coverage. This is now fixed, closing issue 2022_.

  • Originally only options set in the coverage configuration file would apply to subprocesses. Options set on the coverage run command line (such as --branch) wouldn't be communicated to the subprocesses. This could lead to combining failures, as described in issue 2021_. Now the entire configuration is used in subprocesses, regardless of its origin.

  • Added debug=patch to help diagnose problems.

• Fix: really close all SQLite databases, even in-memory ones. Closes issue 2017_.

.. _issue 2017: nedbat/coveragepy#2017 .. _issue 2021: nedbat/coveragepy#2021 .. _issue 2022: nedbat/coveragepy#2022 .. _issue 2024: nedbat/coveragepy#2024 .. _issue 2025: nedbat/coveragepy#2025

.. _changes_7-10-2:

Commits

• 0691ce5 docs: sample HTML for 7.10.3
• 34c9aca docs: prep for 7.10.3
• fd83f21 style: lists for homogenous collections
• d961800 docs: remove an unused reference
• 697d4bb fix: subprocesses inherit the entire configuration. #2021
• b6db3b7 build: show the total during local metacov
• cfbceb5 docs: reverted #2018
• 264bbd3 refactor: more patch logging
• 3ecdfaf chore: bump the action-dependencies group with 2 updates (#2026)
• 41a2256 fix: revert "thread safe resume (#2018)" (#2027)
• Additional commits viewable in compare view

Updates types-paramiko from 3.5.0.20250801 to 4.0.0.20250809

Commits

• See full diff in compare view

Updates anyio from 4.9.0 to 4.10.0

Release notes

Sourced from anyio's releases.

4.10.0

• Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer
• Added various class methods to wrap existing sockets as listeners or socket streams:
  • SocketListener.from_socket()
  • SocketStream.from_socket()
  • UNIXSocketStream.from_socket()
  • UDPSocket.from_socket()
  • ConnectedUDPSocket.from_socket()
  • UNIXDatagramSocket.from_socket()
  • ConnectedUNIXDatagramSocket.from_socket()
• Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects
• Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups (#905; PR by @​agronholm and @​tapetersen)
• Added the ability to specify the thread name in start_blocking_portal() (#818; PR by @​davidbrochart)
• Added anyio.notify_closing to allow waking anyio.wait_readable and anyio.wait_writable before closing a socket. Among other things, this prevents an OSError on the ProactorEventLoop. (#896; PR by @​graingert)
• Incorporated several documentation improvements from the EuroPython 2025 sprint (special thanks to the sprinters: Emmanuel Okedele, Jan Murre, Euxenia Miruna Goia and Christoffer Fjord)
• Added a documentation page explaining why one might want to use AnyIO's APIs instead of asyncio's
• Updated the to_interpreters module to use the public concurrent.interpreters API on Python 3.14 or later
• Fixed anyio.Path.copy() and anyio.Path.copy_into() failing on Python 3.14.0a7
• Fixed return annotation of __aexit__ on async context managers. CMs which can suppress exceptions should return bool, or None otherwise. (#913; PR by @​Enegg)
• Fixed rollover boundary check in SpooledTemporaryFile so that rollover only occurs when the buffer size exceeds max_size (#915; PR by @​11kkw)
• Migrated testing and documentation dependencies from extras to dependency groups
• Fixed compatibility of anyio.to_interpreter with Python 3.14.0b2 (#926; PR by @​hroncok)
• Fixed SyntaxWarning on Python 3.14 about return in finally (#816)
• Fixed RunVar name conflicts. RunVar instances with the same name should not share storage (#880; PR by @​vimfu)
• Renamed the BrokenWorkerIntepreter exception to BrokenWorkerInterpreter. The old name is available as a deprecated alias. (#938; PR by @​ayussh-verma)
• Fixed an edge case in CapacityLimiter on asyncio where a task, waiting to acquire a limiter gets cancelled and is subsequently granted a token from the limiter, but before the cancellation is delivered, and then fails to notify the next waiting task (#947)

Changelog

Sourced from anyio's changelog.

Version history

This library adheres to Semantic Versioning 2.0 <http://semver.org/>_.

4.10.0

• Added the feed_data() method to the BufferedByteReceiveStream class, allowing users to inject data directly into the buffer

• Added various class methods to wrap existing sockets as listeners or socket streams:

  • SocketListener.from_socket()
  • SocketStream.from_socket()
  • UNIXSocketStream.from_socket()
  • UDPSocket.from_socket()
  • ConnectedUDPSocket.from_socket()
  • UNIXDatagramSocket.from_socket()
  • ConnectedUNIXDatagramSocket.from_socket()

• Added a hierarchy of connectable stream classes for transparently connecting to various remote or local endpoints for exchanging bytes or objects

• Added context manager mix-in classes (anyio.ContextManagerMixin and anyio.AsyncContextManagerMixin) to help write classes that embed other context managers, particularly cancel scopes or task groups ([#905](https://github.com/agronholm/anyio/issues/905) <https://github.com/agronholm/anyio/pull/905>_; PR by @​agronholm and @​tapetersen)

• Added the ability to specify the thread name in start_blocking_portal() ([#818](https://github.com/agronholm/anyio/issues/818) <https://github.com/agronholm/anyio/issues/818>_; PR by @​davidbrochart)

• Added anyio.notify_closing to allow waking anyio.wait_readable and anyio.wait_writable before closing a socket. Among other things, this prevents an OSError on the ProactorEventLoop. ([#896](https://github.com/agronholm/anyio/issues/896) <https://github.com/agronholm/anyio/pull/896>_; PR by @​graingert)

• Incorporated several documentation improvements from the EuroPython 2025 sprint (special thanks to the sprinters: Emmanuel Okedele, Jan Murre, Euxenia Miruna Goia and Christoffer Fjord)

• Added a documentation page explaining why one might want to use AnyIO's APIs instead of asyncio's

• Updated the to_interpreters module to use the public concurrent.interpreters API on Python 3.14 or later

• Fixed anyio.Path.copy() and anyio.Path.copy_into() failing on Python 3.14.0a7

• Fixed return annotation of __aexit__ on async context managers. CMs which can suppress exceptions should return bool, or None otherwise. ([#913](https://github.com/agronholm/anyio/issues/913) <https://github.com/agronholm/anyio/pull/913>_; PR by @​Enegg)

• Fixed rollover boundary check in SpooledTemporaryFile so that rollover only occurs when the buffer size exceeds max_size ([#915](https://github.com/agronholm/anyio/issues/915) <https://github.com/agronholm/anyio/pull/915>_; PR by @​11kkw)

• Migrated testing and documentation dependencies from extras to dependency groups

• Fixed compatibility of anyio.to_interpreter with Python 3.14.0b2 ([#926](https://github.com/agronholm/anyio/issues/926) <https://github.com/agronholm/anyio/issues/926>_; PR by @​hroncok)

• Fixed SyntaxWarning on Python 3.14 about return in finally ([#816](https://github.com/agronholm/anyio/issues/816) <https://github.com/agronholm/anyio/issues/816>_)

... (truncated)

Commits

• 0cf55b8 Bumped up the version
• b029df5 Updated the to_interpreter module to use the public API on Python 3.14 (#956)
• 01f02cf Incorporated EP2025 sprint feedback and added a new section (#955)
• d896480 [pre-commit.ci] pre-commit autoupdate (#954)
• 0282b81 Added the BufferedByteReceiveStream.feed_data() method (#945)
• 19e5477 Fixed a cancellation edge case for asyncio CapacityLimiter (#952)
• 4666df3 [pre-commit.ci] pre-commit autoupdate (#946)
• 38c2567 [pre-commit.ci] pre-commit autoupdate (#942)
• 3db73ac Add missing imports for Readcting to cancellation in worker threads example (...
• 2eda004 Added an example on how to use move_on_after() with shielding
• Additional commits viewable in compare view

Updates charset-normalizer from 3.4.2 to 3.4.3

Release notes

Sourced from charset-normalizer's releases.

Version 3.4.3

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

Changelog

Sourced from charset-normalizer's changelog.

3.4.3 (2025-08-09)

Changed

• mypy(c) is no longer a required dependency at build time if CHARSET_NORMALIZER_USE_MYPYC isn't set to 1. (#595) (#583)
• automatically lower confidence on small bytes samples that are not Unicode in detect output legacy function. (#391)

Added

• Custom build backend to overcome inability to mark mypy as an optional dependency in the build phase.
• Support for Python 3.14

Fixed

• sdist archive contained useless directories.
• automatically fallback on valid UTF-16 or UTF-32 even if the md says it's noisy. (#633)

Misc

• SBOM are automatically published to the relevant GitHub release to comply with regulatory changes. Each published wheel comes with its SBOM. We choose CycloneDX as the format.
• Prebuilt optimized wheel are no longer distributed by default for CPython 3.7 due to a change in cibuildwheel.

Commits

• 46f662d Release 3.4.3 (#638)
• 1a059b2 🔧 skip building on freethreaded as we're not confident it is stable
• 2275e3d 📝 final note in CHANGELOG.md
• c96acdf 📝 update release date on CHANGELOG.md
• 43e5460 📝 update README.md
• f277074 🔧 automatically lower confidence on small bytes str on non Unicode res...
• 15ae241 🐛 automatically fallback on valid UTF-16 or UTF-32 even if the md says it...
• 37397c1 🔧 enable 3.14 in nox test_mypyc session
• cb82537 ⏪ revert license due to compat python 3.7 issue setuptools
• 6a2efeb 🎨 fix linter errors
• Additional commits viewable in compare view

Updates cryptography from 45.0.5 to 45.0.6

Changelog

Sourced from cryptography's changelog.

45.0.6 - 2025-08-05

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.2.
.. _v45-0-5:

Commits

• 66198c2 Bump for release (#13249)
• See full diff in compare view

Updates ruff from 0.12.7 to 0.12.8

Release notes

Sourced from ruff's releases.

0.12.8

Release Notes

Preview features

• [flake8-use-pathlib] Expand PTH201 to check all PurePath subclasses (#19440)

Bug fixes

• [flake8-blind-except] Change BLE001 to correctly parse exception tuples (#19747)
• [flake8-errmsg] Exclude typing.cast from EM101 (#19656)
• [flake8-simplify] Fix raw string handling in SIM905 for embedded quotes (#19591)
• [flake8-import-conventions] Avoid false positives for NFKC-normalized __debug__ import aliases in ICN001 (#19411)
• [isort] Fix syntax error after docstring ending with backslash (I002) (#19505)
• [pylint] Mark PLC0207 fixes as unsafe when *args unpacking is present (#19679)
• [pyupgrade] Prevent infinite loop with I002 (UP010, UP035) (#19413)
• [ruff] Parenthesize generator expressions in f-strings (RUF010) (#19434)

Rule changes

• [eradicate] Don't flag pyrefly pragmas as unused code (ERA001) (#19731)

Documentation

• Replace "associative" with "commutative" in docs for RUF036 (#19706)
• Fix copy and line separator colors in dark mode (#19630)
• Fix link to typing documentation (#19648)
• [refurb] Make more examples error out-of-the-box (#19695,#19673,#19672)

Other changes

• Include column numbers in GitLab output format (#19708)
• Always expand tabs to four spaces in diagnostics (#19618)
• Update pre-commit's ruff id (#19654)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​MatthewMckee4
• @​MeGaGiGaGon
• @​MichaReiser
• @​UnboundVariable
• @​cristian64
• @​danparizher
• @​dcreager
• @​deliro
• @​dhruvmanila
• @​github-actions
• @​harshil21
• @​hunterhogan

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.8

Preview features

• [flake8-use-pathlib] Expand PTH201 to check all PurePath subclasses (#19440)

Bug fixes

• [flake8-blind-except] Change BLE001 to correctly parse exception tuples (#19747)
• [flake8-errmsg] Exclude typing.cast from EM101 (#19656)
• [flake8-simplify] Fix raw string handling in SIM905 for embedded quotes (#19591)
• [flake8-import-conventions] Avoid false positives for NFKC-normalized __debug__ import aliases in ICN001 (#19411)
• [isort] Fix syntax error after docstring ending with backslash (I002) (#19505)
• [pylint] Mark PLC0207 fixes as unsafe when *args unpacking is present (#19679)
• [pyupgrade] Prevent infinite loop with I002 (UP010, UP035) (#19413)
• [ruff] Parenthesize generator expressions in f-strings (RUF010) (#19434)

Rule changes

• [eradicate] Don't flag pyrefly pragmas as unused code (ERA001) (#19731)

Documentation

• Replace "associative" with "commutative" in docs for RUF036 (#19706)
• Fix copy and line separator colors in dark mode (#19630)
• Fix link to typing documentation (#19648)
• [refurb] Make more examples error out-of-the-box (#19695,#19673,#19672)

Other changes

• Include column numbers in GitLab output format (#19708)
• Always expand tabs to four spaces in diagnostics (#19618)
• Update pre-commit's ruff id (#19654)

Commits

• f51a228 Bump 0.12.8 (#19813)
• d5e1b79 [ty] Fix static assertion size check (#19814)
• 7dfde3b Update Rust toolchain to 1.89 (#19807)
• b22586f [ty] Add ty.inlayHints.variableTypes server option (#19780)
• c401a6d [ty] Add failing tests for tuple subclasses (#19803)
• 7b6abfb [ty] Add ty.experimental.rename server setting (#19800)
• b005cdb [ty] Implemented support for "rename" language server feature (#19551)
• b96aa46 [ty] Reduce size of member table (#19572)
• cc97579 [ty] Move server capabilities creation (#19798)
• ef1802b [ty] Repurpose FunctionType.into_bound_method_type to return `BoundMethodTy...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

poetry.lock

Package	Version	License	Issue Type
types-paramiko	4.0.0.20250809	Null	Unknown License

Allowed Licenses: 0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
pip/anyio	4.10.0	🟢 5.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 11/21 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/charset-normalizer	3.4.3	🟢 8.5	Details Check Score Reason Code-Review ⚠️ 2 Found 1/4 approved changesets -- score normalized to 2 Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Vulnerabilities 🟢 10 0 existing vulnerabilities detected CII-Best-Practices 🟢 5 badge detected: Passing SAST 🟢 9 SAST tool detected but not run on all commits Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed Signed-Releases 🟢 8 4 out of the last 5 releases have a total of 4 signed artifacts. License 🟢 10 license file detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 8 7 out of 8 merged PRs checked by a CI test -- score normalized to 8 Contributors 🟢 3 project has 1 contributing companies or organizations -- score normalized to 3
pip/coverage	7.10.3	🟢 8.5	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices 🟢 5 badge detected: Passing Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
pip/cryptography	45.0.6	🟢 8.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
pip/ruff	0.12.8	Unknown	Unknown
pip/types-paramiko	4.0.0.20250809	🟢 5.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 9 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• poetry.lock

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.