Skip to content

v3.0.2

Choose a tag to compare

View all tags
@github-actions github-actions released this 23 May 05:45
· 9 commits to master since this release
v3.0.2
a59a269
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's Changed

Maintenance release: bug fixes, a fix to restore source builds, a supply-chain/security pass, and modernized release tooling. No breaking API changes. Strif remains zero-dependency at runtime.

Fixes

  • Restore source builds. tool.uv-dynamic-versioning.bump was a string ("true") which current uv-dynamic-versioning rejects, breaking uv sync and editable installs. Now a proper boolean.
  • temp_output_file no longer leaks file descriptors. The mkstemp fd was never closed on context exit; it is now closed in cleanup (and tolerates a user-closed fd).
  • is_truthy bool handling is now correct by construction (the bool branch previously sat unreachable behind the int check; behavior was right only by coincidence).
  • copy_to_backup is now silent when the source is missing, matching move_to_backup instead of raising FileNotFoundError.
  • move_file backup condition now checks the destination (not the source) before backing it up.
  • Removed a broken strif console-script entry point that referenced a nonexistent main (a real CLI may come later).

Security

  • No known vulnerabilities in the dependency tree (verified with pip-audit). This release fixes two CVEs that affected the previous dev toolchain: pytest CVE-2025-71176 (via the pytest 8→9 bump) and pygments CVE-2026-4539 (pinned to 2.20.0). Both are dev-only; strif's published wheel has zero runtime dependencies, so neither reached end users.
  • GitHub Actions pinned to commit SHAs in CI and the publish workflow, hardening the release pipeline against tag-retargeting supply-chain attacks.

Packaging & API

  • DEV_NULL is now exported from the top-level package (from strif import DEV_NULL).
  • Added Python 3.10 and 3.14 to the package classifiers (3.10 was supported but unlisted).
  • Dropped a no-op random.SystemRandom().seed() call.

Tooling

  • Upgraded the simple-modern-uv project template (v0.2.7 → v0.2.25): newer GitHub Actions, uv 0.10.2, and refreshed dev dependencies (pytest 9, ruff 0.15, rich 15, basedpyright 1.39, +pytest-sugar). Docs moved under docs/.
  • Releases are now tag-triggered: pushing a v* tag builds, publishes to PyPI via trusted publishing, and creates the GitHub Release automatically.

Tests

  • Added tests/test_files.py (18 tests) covering the fixed functions plus the previously-untested atomic_output_file. Suite is now 26 tests.

Full Changelog: v3.0.1...v3.0.2

Assets 2
Loading