⬆ Bump the python-packages group with 6 updates

[dependabot]

Bumps the python-packages group with 6 updates:

Package	From	To
pydantic	2.12.5	2.13.4
black	26.3.1	26.5.1
ty	0.0.35	0.0.37
prek	0.3.13	0.4.0
zizmor	1.24.1	1.25.2
pygithub	2.9.0	2.9.1

Updates pydantic from 2.12.5 to 2.13.4

Release notes

Sourced from pydantic's releases.

v2.13.4 2026-05-06

v2.13.4 (2026-05-06)

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

Full Changelog: pydantic/pydantic@v2.13.3...v2.13.4

v2.13.3 2026-04-20

v2.13.3 (2026-04-20)

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

Full Changelog: pydantic/pydantic@v2.13.2...v2.13.3

v2.13.2 2026-04-17

v2.13.2 (2026-04-17)

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

Full Changelog: pydantic/pydantic@v2.13.1...v2.13.2

v2.13.1 2026-04-15

v2.13.1 (2026-04-15)

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

Full Changelog: pydantic/pydantic@v2.13.0...v2.13.1

v2.13.0 2026-04-13

... (truncated)

Changelog

Sourced from pydantic's changelog.

v2.13.4 (2026-05-06)

GitHub release

What's Changed

Packaging

• Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #13109
• Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #13147

Fixes

• Preserve RootModel core metadata by @​Viicos in #13129

v2.13.3 (2026-04-20)

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #13096

v2.13.2 (2026-04-17)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.field_name missing with model_validate_json() by @​Viicos in #13084

v2.13.1 (2026-04-15)

GitHub release

What's Changed

Fixes

• Fix ValidationInfo.data missing with model_validate_json() by @​davidhewitt in #13079

v2.13.0 (2026-04-13)

GitHub release

The highlights of the v2.13 release are available in the blog post.

... (truncated)

Commits

• cf67d4b Fix linting
• f0d8a21 Prepare release v2.13.4
• 5e3fe1d Check for pydantic tag pattern in CI
• 7f9edcc Document tagging conventions
• b46a0c9 Adapt pydantic-core linker flags on macOS
• 50629c8 Update to PyPy 7.3.22
• 8522ebb Preserve RootModel core metadata
• a37f3af Adapt MISSING sentinel test to work with unreleased typing_extensions ver...
• 909259a Remove Logfire example in documentation
• 2c4174c Bump libc from 0.2.155 to 0.2.185
• Additional commits viewable in compare view

Updates black from 26.3.1 to 26.5.1

Release notes

Sourced from black's releases.

26.5.1

Stable style

• Fix unstable formatting of annotated assignments whose subscript annotation contains an inline comment (e.g. x: list[ # pyright: ignore[...]) (#5130)
• Preserve inline comments (including # type: ignore) immediately before a # fmt: skip line, avoiding AST equivalence failures (#5139)

Packaging

• Correct the version in the published executables (#5137)

Documentation

• Add Neovim integration guide covering conform.nvim, ALE, and simple command approaches (#5124)

26.5.0

Highlights

• Add support for unpacking in comprehensions (PEP 798) and for lazy imports (PEP 810), both new syntactic features in Python 3.15 (#5048)
• Python 3.15 is now supported. Compiled wheels are not yet provided for Python 3.15, so performance may be slower than on existing Python versions. Wheels will be provided once Python 3.15 is later in its release cycle. (#5127)

Stable style

• Fix # fmt: skip being ignored in nested if expressions with parenthesized in clauses (#4903)
• Add syntactic support for Python 3.15 (#5048)
• Fix crash when an f-string follows a # fmt: off comment inside brackets (#5097)
• Preserve multiline compound statement headers when # fmt: skip is placed on the colon line (#5117)

Preview style

• Improve heuristics around whether blank lines should appear before, within and after groups of same-name decorated functions (such as @overload groups) in .pyi stub files (#5021)
• Fix blank lines being removed between a function and a decorated class in .pyi stub files (#5092)
• Prevent string merger from creating unsplittable long lines when a pragma comment (e.g. # type: ignore) follows the closing bracket (#5096)

Packaging

• Run CI on 3.15 (#5127)

Output

... (truncated)

Changelog

Sourced from black's changelog.

Version 26.5.1

Stable style

• Fix unstable formatting of annotated assignments whose subscript annotation contains an inline comment (e.g. x: list[ # pyright: ignore[...]) (#5130)
• Preserve inline comments (including # type: ignore) immediately before a # fmt: skip line, avoiding AST equivalence failures (#5139)

Packaging

• Correct the version in the published executables (#5137)

Documentation

• Add Neovim integration guide covering conform.nvim, ALE, and simple command approaches (#5124)

Version 26.5.0

Highlights

• Add support for unpacking in comprehensions (PEP 798) and for lazy imports (PEP 810), both new syntactic features in Python 3.15 (#5048)
• Python 3.15 is now supported. Compiled wheels are not yet provided for Python 3.15, so performance may be slower than on existing Python versions. Wheels will be provided once Python 3.15 is later in its release cycle. (#5127)

Stable style

• Fix # fmt: skip being ignored in nested if expressions with parenthesized in clauses (#4903)
• Add syntactic support for Python 3.15 (#5048)
• Fix crash when an f-string follows a # fmt: off comment inside brackets (#5097)
• Preserve multiline compound statement headers when # fmt: skip is placed on the colon line (#5117)

Preview style

• Improve heuristics around whether blank lines should appear before, within and after groups of same-name decorated functions (such as @overload groups) in .pyi stub files (#5021)
• Fix blank lines being removed between a function and a decorated class in .pyi stub files (#5092)
• Prevent string merger from creating unsplittable long lines when a pragma comment (e.g. # type: ignore) follows the closing bracket (#5096)

Packaging

• Run CI on 3.15 (#5127)

... (truncated)

Commits

• 87928e6 Prepare release 26.5.1 (#5140)
• c970a49 Preserve comments before fmt: skip lines (#5139)
• 5809338 Preserve inline comments inside annotation subscripts (#5130)
• 61361b7 docs: add Neovim integration guide and fix http link (#5124)
• ebe6018 CI Hotfixes (#5136)
• 9cbd95f Fix publish binaries again on Windows (#5134)
• 3dc8e6c Add new changelog (#5132)
• 6d0fff0 Fix publish binaries workflow (#5133)
• d2490e2 Prepare release 26.5.0 (#5131)
• 2b13ea7 Preserve multiline headers with fmt skip (#5117)
• Additional commits viewable in compare view

Updates ty from 0.0.35 to 0.0.37

Release notes

Sourced from ty's releases.

0.0.37

Release Notes

Released on 2026-05-16.

Bug fixes

• Avoid unsound not in narrowing (#25161)
• Fix async iteration over narrowed typevars (#25155)
• Fix panic in double-inference for single starred positional TypedDict (#25176)
• Fix panic in disjoint base check (#25187)
• Fix panic in recursive binary inference (#25189)
• Fix panic in cyclic __new__ (#25185)
• Fix panic in reveal_protocol, reveal_mro, etc. with keyword arguments (#25179)
• Fix panic in imported overload definition (#25168)

LSP server

• Don't show argument inlay for case-insensitive matches or prefix/suffixes (#25174)
• Reduce CPU usage of the LSP when switching between large changesets (#25142)

Core type checking

• Avoid enforcing __new__ with custom metaclasses (#25180)
• Make overload public type reachability-aware (#25171)
• Only specialized types of generic class instances should influence variance (#25124)
• Preserve ParamSpec argument context through wrapper calls (#24934)
• Support partially specialized type context for collection literals (#24506)

Contributors

• @​RasmusNygren
• @​MichaReiser
• @​charliermarsh
• @​ibraheemdev

Install ty 0.0.37

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ty/releases/download/0.0.37/ty-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/ty/releases/download/0.0.37/ty-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.37

Released on 2026-05-16.

Bug fixes

• Avoid unsound not in narrowing (#25161)
• Fix async iteration over narrowed typevars (#25155)
• Fix panic in double-inference for single starred positional TypedDict (#25176)
• Fix panic in disjoint base check (#25187)
• Fix panic in recursive binary inference (#25189)
• Fix panic in cyclic __new__ (#25185)
• Fix panic in reveal_protocol, reveal_mro, etc. with keyword arguments (#25179)
• Fix panic in imported overload definition (#25168)

LSP server

• Don't show argument inlay for case-insensitive matches or prefix/suffixes (#25174)
• Reduce CPU usage of the LSP when switching between large changesets (#25142)

Core type checking

• Avoid enforcing __new__ with custom metaclasses (#25180)
• Make overload public type reachability-aware (#25171)
• Only specialized types of generic class instances should influence variance (#25124)
• Preserve ParamSpec argument context through wrapper calls (#24934)
• Support partially specialized type context for collection literals (#24506)

Contributors

• @​RasmusNygren
• @​MichaReiser
• @​charliermarsh
• @​ibraheemdev

0.0.36

Released on 2026-05-14.

Bug fixes

• Fix Go To-Definition for self-imported submodules (#25106)
• Fix ClassVar[Self] assignment checks for class objects (#24657)
• Fix attribute access on Callable-bounded TypeVars (#24793)
• Fix panic from TypedDict schema cycle with Self fields (#25094)
• Fix panic from accessing args[0] for static_assert (#25149)
• Fix panic from non-name walrus target access (#25121)
• Fix singleton classification for runtime typing objects (#25099)
• Guard self-referential TypeOf recursion in generic callables (#24668)
• Preserve lexical ParamSpec scope for returned Callable annotations (#24909)

... (truncated)

Commits

• f18aed6 Bump version to 0.0.37 (#3473)
• a63e559 Bump version to 0.0.36 (#3463)
• 94370d5 Update prek dependencies (#3449)
• See full diff in compare view

Updates prek from 0.3.13 to 0.4.0

Release notes

Sourced from prek's releases.

0.4.0

Release Notes

Released on 2026-05-14.

Breaking changes

These are narrow cleanup breaks in behavior that was either temporary or never worked correctly. Most users should not need to change anything.

• Generated hook scripts no longer preserve -q, -v, or --no-progress passed to prek install. This only affects users who expected those global flags to be baked into installed hooks. (#1966)
• language_version no longer accepts direct executable paths. Use language_version: system for a system toolchain, or use a supported version request instead. This path form did not work reliably before, so existing working configs should be unaffected. (#1831)

Enhancements

• Expand tilde in --config, --cd, --log-file and --git-dir (#2063)
• Prevent auto-update cooldown downgrades (#2055)
• Use managed npm cache for node hooks (#2075)

Bug fixes

• Fix npm config env overrides for node hooks (#2074)

Documentation

• Add cookbook page for enabling Git 2.54 config-based global hooks (#2061)

Contributors

• @​j178

Install prek 0.4.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prek/releases/download/v0.4.0/prek-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/j178/prek/releases/download/v0.4.0/prek-installer.ps1 | iex"

Install prebuilt binaries via Homebrew

brew install prek

... (truncated)

Changelog

Sourced from prek's changelog.

0.4.0

Released on 2026-05-14.

Breaking changes

These are narrow cleanup breaks in behavior that was either temporary or never worked correctly. Most users should not need to change anything.

• Generated hook scripts no longer preserve -q, -v, or --no-progress passed to prek install. This only affects users who expected those global flags to be baked into installed hooks. (#1966)
• language_version no longer accepts direct executable paths. Use language_version: system for a system toolchain, or use a supported version request instead. This path form did not work reliably before, so existing working configs should be unaffected. (#1831)

Enhancements

• Expand tilde in --config, --cd, --log-file and --git-dir (#2063)
• Prevent auto-update cooldown downgrades (#2055)
• Use managed npm cache for node hooks (#2075)

Bug fixes

• Fix npm config env overrides for node hooks (#2074)

Documentation

• Add cookbook page for enabling Git 2.54 config-based global hooks (#2061)

Contributors

• @​j178

Commits

• b570c73 Bump version to 0.4.0 (#2081)
• 007b244 Revert pass-through of global install flags into generated hook scripts (#1966)
• b66c39c Remove direct path support from language_version (#1831)
• 321f8b8 Drain PTY output without timeout (#2079)
• 0249d81 Migrate std::fs to fs_err (#2077)
• 99ac4fb Use managed npm cache for node hooks (#2075)
• 7783bdc Fix npm config env overrides for node hooks (#2074)
• 737b554 Update pre-commit (#2071)
• de896b6 Update MSRV to v1.93.1 (#2068)
• 105d630 Update Rust crate reqwest to v0.13.3 (#2070)
• Additional commits viewable in compare view

Updates zizmor from 1.24.1 to 1.25.2

Release notes

Sourced from zizmor's releases.

v1.25.2

Bug Fixes 🐛🔗

• Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#2018)

v1.25.1

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in unpinned-tools annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#2011)

v1.25.0

New Features 🌈🔗

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements🔗

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions

• Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions

• tibdex/github-app-token is now recognized as an archived action by archived-uses (#1910)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.25.2

Bug Fixes 🐛

• Fixed a bug where the [unpinned-tools] audit would incorrectly flag the @​aquasecurity/trivy-action action as installing an unpinned tool version, rather than @​aquasecurity/setup-trivy (#2018)

1.25.1

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)

• Fixed a typo when suggesting --fix flags for findings (#2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in [unpinned-tools] annotations (#2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the [github-app] audit would incorrectly flag some safe uses of @​actions/create-github-app-token as unsafe (#2011)

1.25.0

New Features 🌈

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: [github-app] detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

... (truncated)

Commits

• b50d8f6 zizmor 1.25.2 (#2022)
• e8c9648 Bump rustls-webpki to 0.103.13 (#2021)
• 9e19bde Bump aws-lc crates (#2020)
• 49cb189 Bump rand to 0.9.4 (#2019)
• bfdb649 unpinned-tools: fix trivy action being detected (#2018)
• 9300d3b ww/release (#2016)
• 331917a chore: drop serde_yaml rename (#2015)
• 506f085 github-app: test repositories, not repository (#2011)
• 53dea37 unpinned-tools, docs: fix typos (#2008)
• 8068e11 fix: replace --fix=unsafe with --fix=unsafe-only in suggestion (#2010)
• Additional commits viewable in compare view

Updates pygithub from 2.9.0 to 2.9.1

Release notes

Sourced from pygithub's releases.

v2.9.1

Bug Fixes

• Fix getting release by tag in lazy mode by @​EnricoMi in PyGithub/PyGithub#3469

Full Changelog: PyGithub/PyGithub@v2.9.0...v2.9.1

Changelog

Sourced from pygithub's changelog.

Version 2.9.1 (April 14, 2026)

Bug Fixes ^^^^^^^^^

• Fix getting release by tag in lazy mode ([#3469](https://github.com/pygithub/pygithub/issues/3469) <https://github.com/PyGithub/PyGithub/pull/3469>) (7d1ba281e <https://github.com/PyGithub/PyGithub/commit/7d1ba281e>)

Commits

• 73742d4 Release 2.9.1 (#3478)
• 7d1ba28 Fix getting release by tag in lazy mode (#3469)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

📝 Docs preview

Last commit 53cdb18 at: https://89a133c9.sqlmodel.pages.dev