@dependabot dependabot bot commented on behalf of github Sep 15, 2025

Bumps the test-and-lint-dependencies group with 3 updates: ruff, mypy and zizmor.

Updates ruff from 0.12.12 to 0.13.0

Release notes

Sourced from ruff's releases.

0.13.0

Release Notes

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

  • Several rules can now add from __future__ import annotations automatically

    TC001, TC002, TC003, RUF013, and UP037 now add from __future__ import annotations as part of their fixes when the lint.future-annotations setting is enabled. This allows the rules to move more imports into TYPE_CHECKING blocks (TC001, TC002, and TC003), use PEP 604 union syntax on Python versions before 3.10 (RUF013), and unquote more annotations (UP037).

  • Full module paths are now used to verify first-party modules

    Ruff now checks that the full path to a module exists on disk before categorizing it as a first-party import. This change makes first-party import detection more accurate, helping to avoid false positives on local directories with the same name as a third-party dependency, for example. See the FAQ section on import categorization for more details.

  • Deprecated rules must now be selected by exact rule code

    Ruff will no longer activate deprecated rules selected by their group name or prefix. As noted below, the two remaining deprecated rules were also removed in this release, so this won't affect any current rules, but it will still affect any deprecations in the future.

  • The deprecated macOS configuration directory fallback has been removed

    Ruff will no longer look for a user-level configuration file at ~/Library/Application Support/ruff/ruff.toml on macOS. This feature was deprecated in v0.5 in favor of using the XDG specification (usually resolving to ~/.config/ruff/ruff.toml), like on Linux. The fallback and accompanying deprecation warning have now been removed.

Removed Rules

The following rules have been removed:

Stabilization

The following rules have been stabilized and are no longer in preview:

The following behaviors have been stabilized:

... (truncated)

Changelog

Sourced from ruff's changelog.

0.13.0

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

  • Several rules can now add from __future__ import annotations automatically

    TC001, TC002, TC003, RUF013, and UP037 now add from __future__ import annotations as part of their fixes when the lint.future-annotations setting is enabled. This allows the rules to move more imports into TYPE_CHECKING blocks (TC001, TC002, and TC003), use PEP 604 union syntax on Python versions before 3.10 (RUF013), and unquote more annotations (UP037).

  • Full module paths are now used to verify first-party modules

    Ruff now checks that the full path to a module exists on disk before categorizing it as a first-party import. This change makes first-party import detection more accurate, helping to avoid false positives on local directories with the same name as a third-party dependency, for example. See the FAQ section on import categorization for more details.

  • Deprecated rules must now be selected by exact rule code

    Ruff will no longer activate deprecated rules selected by their group name or prefix. As noted below, the two remaining deprecated rules were also removed in this release, so this won't affect any current rules, but it will still affect any deprecations in the future.

  • The deprecated macOS configuration directory fallback has been removed

    Ruff will no longer look for a user-level configuration file at ~/Library/Application Support/ruff/ruff.toml on macOS. This feature was deprecated in v0.5 in favor of using the XDG specification (usually resolving to ~/.config/ruff/ruff.toml), like on Linux. The fallback and accompanying deprecation warning have now been removed.

Removed Rules

The following rules have been removed:

Stabilization

The following rules have been stabilized and are no longer in preview:

... (truncated)

Commits
  • a1fdd66 Bump 0.13.0 (#20336)
  • 8770b95 [ty] introduce DivergentType (#20312)
  • 65982a1 [ty] Use 'unknown' specialization for upper bound on Self (#20325)
  • 57d1f71 [ty] Simplify unions of enum literals and subtypes thereof (#20324)
  • 7a75702 Ignore deprecated rules unless selected by exact code (#20167)
  • 9ca632c Stabilize adding future import via config option (#20277)
  • 64fe7d3 [flake8-errmsg] Stabilize extending raw-string-in-exception (EM101) to ...
  • beeeb8d Stabilize the remaining Airflow rules (#20250)
  • b6fca52 [flake8-bugbear] Stabilize support for non-context-manager calls in `assert...
  • ac7f882 [flake8-commas] Stabilize support for trailing comma checks in type paramet...
  • Additional commits viewable in compare view

Updates mypy from 1.17.1 to 1.18.1

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.18

We’ve just uploaded mypy 1.18 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance improvements and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Mypy Performance Improvements

Mypy 1.18 includes numerous performance improvements, resulting in about 40% speedup compared to 1.17 when type checking mypy itself. In extreme cases, the improvement can be 10x or higher. The list below is an overview of the various mypy optimizations. Many mypyc improvements (discussed in a separate section below) also improve performance.

Type caching optimizations have a small risk of causing regressions. When reporting issues with unexpected inferred types, please also check if --disable-expression-cache will work around the issue, as it turns off some of these optimizations.

  • Improve self check performance by 1.8% (Jukka Lehtosalo, PR 19768, 19769, 19770)
  • Optimize fixed-format deserialization (Ivan Levkivskyi, PR 19765)
  • Use macros to optimize fixed-format deserialization (Ivan Levkivskyi, PR 19757)
  • Two additional micro‑optimizations (Ivan Levkivskyi, PR 19627)
  • Another set of micro‑optimizations (Ivan Levkivskyi, PR 19633)
  • Cache common types (Ivan Levkivskyi, PR 19621)
  • Skip more method bodies in third‑party libraries for speed (Ivan Levkivskyi, PR 19586)
  • Simplify the representation of callable types (Ivan Levkivskyi, PR 19580)
  • Add cache for types of some expressions (Ivan Levkivskyi, PR 19505)
  • Use cache for dictionary expressions (Ivan Levkivskyi, PR 19536)
  • Use cache for binary operations (Ivan Levkivskyi, PR 19523)
  • Cache types of type objects (Ivan Levkivskyi, PR 19514)
  • Avoid duplicate work when checking boolean operations (Ivan Levkivskyi, PR 19515)
  • Optimize generic inference passes (Ivan Levkivskyi, PR 19501)
  • Speed up the default plugin (Jukka Lehtosalo, PRs 19385 and 19462)
  • Remove nested imports from the default plugin (Ivan Levkivskyi, PR 19388)
  • Micro‑optimize type expansion (Jukka Lehtosalo, PR 19461)
  • Micro‑optimize type indirection (Jukka Lehtosalo, PR 19460)
  • Micro‑optimize the plugin framework (Jukka Lehtosalo, PR 19464)
  • Avoid temporary set creation in subtype checking (Jukka Lehtosalo, PR 19463)
  • Subtype checking micro‑optimization (Jukka Lehtosalo, PR 19384)
  • Return early where possible in subtype check (Stanislav Terliakov, PR 19400)
  • Deduplicate some types before joining (Stanislav Terliakov, PR 19409)
  • Speed up type checking by caching argument inference context (Jukka Lehtosalo, PR 19323)

... (truncated)

Commits

Updates zizmor from 1.12.1 to 1.13.0

Release notes

Sourced from zizmor's releases.

v1.13.0

New Features 🌈

Enhancements 🌱

  • zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

    For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

    zizmor .
    zizmor .github/
    

    For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following commands will now behave differently:

    # OLD: would discover config in $CWD
    # NEW: will discover two different configs, one in each of the repos
    zizmor ./repoA ./repoB
    

    Separately from these changes, zizmor continues to support --config <path> and ZIZMOR_CONFIG with the exact same behavior as before.

    See Configuration - Discovery for a detailed explanation of the new behavior.

  • Audit rules can now be disabled entirely in zizmor's configuration. See rules.<id>.disable for details (#1132)

  • The obfuscation audit now supports auto-fixes for many findings (#1088)

Bug Fixes 🐛

  • zizmor now correctly honors --strict-collection when collecting from remote inputs. This also means that the default collection strictness has changed for remote inputs to match all other inputs (#1122)

  • Fixed a bug where zizmor would crash on certain UTF-8 inputs lacking an explicit final newline due to a bug in the annotate-snippets crate (#1136)

Changelog

Sourced from zizmor's changelog.

1.13.0

New Features 🌈

  • New audit: [undocumented-permissions] detects explicit permission grants that lack an explanatory comment (#1131)

    Many thanks to @​johnbillion for proposing and implementing this audit!

Enhancements 🌱

  • zizmor's configuration discovery behavior has been significantly refactored, making it easier to audit multiple independent inputs with their own configuration files (#1094)

    For most users, this change should cause no compatibility issues. For example, the following commands will continue to load the same configuration files as before:

    zizmor .
    zizmor .github/

    For other users, the behavior will change, but in a way that's intended to correct a long-standing bug with configuration discovery. In particular, the following commands will now behave differently:

    # OLD: would discover config in $CWD
    # NEW: will discover two different configs, one in each of the repos
    zizmor ./repoA ./repoB

    Separately from these changes, zizmor continues to support --config <path> and ZIZMOR_CONFIG with the exact same behavior as before.

    See Configuration - Discovery for a detailed explanation of the new behavior.

  • Audit rules can now be disabled entirely in zizmor's configuration. See rules.<id>.disable for details (#1132)

  • The [obfuscation] audit now supports auto-fixes for many findings (#1088)

Bug Fixes 🐛

  • zizmor now correctly honors --strict-collection when collecting from

... (truncated)

Commits
  • bcaa1bb chore: prep for v1.13.0 release (#1147)
  • 8057ef2 chore(docs): add tip about pedantic persona for template-injection (#1145)
  • 3656303 chore(docs): update trophy qualification to 500 stars (#1144)
  • e0ec65a Introduce a rule which suggests that permissions are documented (#1131)
  • 4a92dfc refactor: move expr call APIs to a new module (#1143)
  • 5a4d4e5 Add Fixes for obfuscation audit rule (#1088)
  • 77d549d chore(deps): bump github/codeql-action in the github-actions group (#1140)
  • 7384a42 chore(deps): bump the cargo group with 4 updates (#1141)
  • 4d6c747 chore(docs): remove external links section, add crates.io link to footer (#1137)
  • 8b5a358 bugfix(deps): bump annotate-snippets to 0.12.2 (#1136)
  • Additional commits viewable in compare view

Bumps the test-and-lint-dependencies group with 3 updates: [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.12.12 to 0.13.0
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.12.12...0.13.0)

Updates `mypy` from 1.17.1 to 1.18.1
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.17.1...v1.18.1)

Updates `zizmor` from 1.12.1 to 1.13.0
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.12.1...v1.13.0)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
- dependency-name: mypy
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Sep 15, 2025
@dependabot dependabot bot requested a review from a team as a code owner September 15, 2025 21:01
Latest ruff complains about Generic[T] not being the last base class in
the bases tuple of Simple Envelope (generic-not-last-base-class
(PYI059)).

This commit applies the default fix by changing the order of the bases.
While this can change the MRO, there shouldn't be a change of behavior
given the used bases.

See https://docs.astral.sh/ruff/rules/generic-not-last-base-class/ for
details.

Signed-off-by: Lukas Puehringer <[email protected]>
@coveralls

Coverage Status

coverage: 96.603%. remained the same
when pulling f1afc98 on dependabot/pip/test-and-lint-dependencies-2012793cec
into 390fbea on develop.

@jku jku merged commit 9d33a7d into develop Sep 16, 2025
17 checks passed
@dependabot dependabot bot deleted the dependabot/pip/test-and-lint-dependencies-2012793cec branch September 16, 2025 07:30