build(deps): bump the test-and-lint-dependencies group with 3 updates

[dependabot]

Bumps the test-and-lint-dependencies group with 3 updates: ruff, mypy and zizmor.

Updates ruff from 0.11.11 to 0.11.12

Release notes

Sourced from ruff's releases.

0.11.12

Release Notes

Preview features

• [airflow] Revise fix titles (AIR3) (#18215)
• [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
• [pyupgrade] New rule UP050 (useless-class-metaclass-type) (#18334)
• [flake8-use-pathlib] Replace os.symlink with Path.symlink_to (PTH211) (#18337)

Bug fixes

• [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
• [flake8-async] Fix anyio.sleep argument name (ASYNC115, ASYNC116) (#18262)
• [refurb] Fix FURB129 autofix generating invalid syntax (#18235)

Rule changes

• [flake8-implicit-str-concat] Add autofix for ISC003 (#18256)
• [pycodestyle] Improve the diagnostic message for E712 (#18328)
• [flake8-2020] Fix diagnostic message for != comparisons (YTT201) (#18293)
• [pyupgrade] Make fix unsafe if it deletes comments (UP010) (#18291)

Documentation

• Simplify rules table to improve readability (#18297)
• Update editor integrations link in README (#17977)
• [flake8-bugbear] Add fix safety section (B006) (#17652)

Contributors

• @​AlexWaygood
• @​CodeMan62
• @​InSyncWithFoo
• @​Kalmaegi
• @​LaBatata101
• @​Lee-W
• @​MaddyGuthridge
• @​MatthewMckee4
• @​MichaReiser
• @​Vasanth-96
• @​carljm
• @​charliermarsh
• @​chirizxc
• @​dcreager
• @​dhruvmanila
• @​dsherret
• @​dylwil3
• @​felixscherz
• @​fennr

... (truncated)

Changelog

Sourced from ruff's changelog.

0.11.12

Preview features

• [airflow] Revise fix titles (AIR3) (#18215)
• [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
• [pyupgrade] New rule UP050 (useless-class-metaclass-type) (#18334)
• [flake8-use-pathlib] Replace os.symlink with Path.symlink_to (PTH211) (#18337)

Bug fixes

• [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
• [flake8-async] Fix anyio.sleep argument name (ASYNC115, ASYNC116) (#18262)
• [refurb] Fix FURB129 autofix generating invalid syntax (#18235)

Rule changes

• [flake8-implicit-str-concat] Add autofix for ISC003 (#18256)
• [pycodestyle] Improve the diagnostic message for E712 (#18328)
• [flake8-2020] Fix diagnostic message for != comparisons (YTT201) (#18293)
• [pyupgrade] Make fix unsafe if it deletes comments (UP010) (#18291)

Documentation

• Simplify rules table to improve readability (#18297)
• Update editor integrations link in README (#17977)
• [flake8-bugbear] Add fix safety section (B006) (#17652)

Commits

• aee3af0 Bump 0.11.12 (#18369)
• 04dc48e [refurb] Fix FURB129 autofix generating invalid syntax (#18235)
• 27743ef [pylint] Implement missing-maxsplit-arg (PLC0207) (#17454)
• c60b4d7 [ty] Add subtyping between Callable types and class literals with __init__ ...
• 16621fa [flake8-bugbear ] Add fix safety section (B006) (#17652)
• e23d4ea [flake8-bugbear] Ignore __debug__ attribute in B010 (#18357)
• 452f992 [ty] Simplify signature types, use them in CallableType (#18344)
• a5ebb3f [ty] Support ephemeral uv virtual environments (#18335)
• 9925910 Add a ViolationMetadata::rule method (#18234)
• a3ee6bb Return DiagnosticGuard from Checker::report_diagnostic (#18232)
• Additional commits viewable in compare view

Updates mypy from 1.15.0 to 1.16.0

Changelog

Sourced from mypy's changelog.

Mypy Release Notes

Next Release

Mypy 1.16

We’ve just uploaded mypy 1.16 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Different Property Getter and Setter Types

Mypy now supports using different types for a property getter and setter:

class A:
    _value: int
@property
def foo(self) -> int:
    return self._value
@foo.setter
def foo(self, x: str | int) -> None:
try:
self._value = int(x)
except ValueError:
raise Exception(f"'{x}' is not a valid value for 'foo'")

This was contributed by Ivan Levkivskyi (PR 18510).

Flexible Variable Redefinitions (Experimental)

Mypy now allows unannotated variables to be freely redefined with different types when using the experimental --allow-redefinition-new flag. You will also need to enable --local-partial-types. Mypy will now infer a union type when different types are assigned to a variable:

# mypy: allow-redefinition-new, local-partial-types
def f(n: int, b: bool) -> int | str:
if b:
x = n
else:
</tr></table>

... (truncated)

Commits

• 9e72e96 Update version to 1.16.0
• 8fe719f Add changelog for 1.16 (#19138)
• 2a036e7 Revert "Infer correct types with overloads of Type[Guard | Is] (#19161)
• b6da4fc Allow enum members to have type objects as values (#19160)
• 334469f [mypyc] Improve documentation of native and non-native classes (#19154)
• a499d9f Document --allow-redefinition-new (#19153)
• 96525a2 Merge commit '9e45dadcf6d8dbab36f83d9df94a706c0b4f9207' into release-1.16
• 9e45dad Clear more data in TypeChecker.reset() instead of asserting (#19087)
• 772cd0c Add --strict-bytes to --strict (#19049)
• 0b65f21 Admit that Final variables are never redefined (#19083)
• Additional commits viewable in compare view

Updates zizmor from 1.7.0 to 1.9.0

Release notes

Sourced from zizmor's releases.

v1.9.0

New Features 🌈🔗

• zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱🔗

• The template-injection audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
• The template-injection audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛🔗

• The insecure-commands now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
• The template-injection audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
• CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)

v1.8.0

Announcements 📣🔗

• zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)

• zizmor is now hosted under the @​zizmorcore GitHub organization as zizmorcore/zizmor. The old repository at woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion

New Features 🌈🔗

• zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)

Bug Fixes 🐛🔗

• zizmor now correctly handles index-style contexts in the template-injection audit (#800, #806)

v1.8.0-rc3

No release notes provided.

v1.8.0-rc1

No release notes provided.

v1.8.0-rc0

No release notes provided.

Changelog

Sourced from zizmor's changelog.

1.9.0

New Features 🌈

• zizmor now supports generating completions for Nushell (#838)

Enhancements 🌱

• The [template-injection] audit has been rewritten, and is now significantly more precise and general over contexts supplied via GitHub's webhook payloads (i.e. github.event.*) (#745)
• The [template-injection] audit now detects vulnerable template injections in more actions inputs, thanks to an integration with CodeQL's sink metadata (#849)

Bug Fixes 🐛

• The [insecure-commands] now correctly detects different truthy values in ACTIONS_ALLOW_UNSECURE_COMMANDS (#840)
• The [template-injection] audit now correctly emits pedantic findings in a blanket manner, rather than filtering them based on the presence of other findings (#745)
• CLI: Fixed a misleading error message when zizmor is used with a GitHub host other than github.com (#863)

v1.8.0

Announcements 📣

• zizmor's website has changed! The new website is hosted at docs.zizmor.sh. The old website will redirect to the new one for a while, but users should update any old links in preparation for the v1.8.0 release, which will likely remove the redirects entirely (#769)

• zizmor is now hosted under the @​zizmorcore GitHub organization as @​zizmorcore/zizmor. The old repository at @​woodruffw/zizmor will redirect to the new one, but users should update any old links to limit confusion

New Features 🌈

• zizmor now supports the ZIZMOR_CONFIG environment variable as an alternative to --config (#789)

Bug Fixes 🐛

• The [template-injection] audit no longer produces false positive findings on alternative representations of the same context pattern. For example, github.event.pull_request.head.sha is considered safe

... (truncated)

Commits

• 5fbfaeb chore: prep for 1.9.0 release (#877)
• 4dcaad5 chore: release github-actions-expressions 0.0.4 (#878)
• 32d8821 chore(docs): update sponsors (#875)
• 27a85f2 feat(ci): check for Wolfi OS zizmor updates (#874)
• 04768b6 chore(docs): bump trophies (#870)
• 5d49dce add django-tasks-scheduler (#869)
• 5155349 chore(docs): add crates/README.md (#867)
• 8a05bd3 chore(docs): bump trophies (#866)
• 2cfef36 refactor: minimize clones in yamlpath/routing (#865)
• 3545ae6 fix: update error message to handle enterprise servers (#863)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions