Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/upload-artifact	action	patch	v7.0.0 → v7.0.1
click (changelog)	project.dependencies	minor	8.3.1 → 8.4.0
mypy (changelog)	dev	patch	1.20.0 → 1.20.2
pypa/gh-action-pypi-publish	action	minor	v1.13.0 → v1.14.0
requests (changelog)	project.dependencies	minor	2.33.1 → 2.34.2
ruff (source, changelog)	dev	patch	0.15.8 → 0.15.13

---

Release Notes

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

pallets/click (click)

v8.4.0

Compare Source

Unreleased

• :class:ParamType typing improvements. :pr:3371

  • :class:ParamType is now a generic abstract base class,
    parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all
    concrete types (str for :class:STRING, int for
    :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific
    :class:~typing.TypedDict subclasses instead of
    dict[str, Any].
  • :class:CompositeParamType and the number-range base are now
    generic with abstract methods.

• Refactor convert_type to extract type inference into a private
  _guess_type helper, and add :func:typing.overload signatures.
  :pr:3372

• :class:Parameter typing improvements. :pr:2805

  • :class:Parameter is now an abstract base class, making explicit
    that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None.
    When expose_value=False, the name is set to "" instead
    of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now
    typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1
  or :class:Tuple type, matching environment variable behavior.
  :issue:2745 :pr:3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types
  (not str, int, float, or bool), so programmer-provided
  Python objects like classes and enum members are passed through unchanged
  instead of being stringified. Previously type=click.UNPROCESSED had
  to be set explicitly. :issue:2012 :pr:3363

• The error hint now uses :meth:Command.get_help_option_names to pick
  non-shadowed help option names, so Try '... -h' no longer points to a
  subcommand option that shadows -h. All surviving names are shown
  (-h/--help). :issue:2790 :pr:3208

• Fix readline functionality on non-Windows platforms. Prompt text is now
  passed directly to readline instead of being printed separately, allowing
  proper backspace, line editing, and line wrapping behavior. :issue:2968
  :pr:2969

• Use :func:os.startfile on Windows to open URLs in :func:open_url,
  replacing the start built-in which cannot be invoked without
  shell=True. :issue:3164 :pr:3186

• Fix Fish shell completion errors when option help text contains newlines.
  :issue:3043 :pr:3126

• Add :class:NoSuchCommand exception with suggestions for misspelled
  commands. :issue:3107 :pr:3228

• Use :class:ValueError message when conversion in :class:FuncParamType would
  fail. :issue:3105 :pr:3211

• Add click.get_pager_file for file-like access to an output
  pager. :pr:1572 :pr:3405

• :class:~click.formatting.TextWrapper and
  :func:~click.formatting.wrap_text now measure line width in visible
  characters, ignoring ANSI escape sequences. :pr:3420

• Fix :meth:HelpFormatter.write_usage emitting only a blank line when
  called without args. The usage prefix and program name are now
  written even when no arguments follow, and the trailing separator
  space is stripped so the line ends at the program name.
  :issue:3360 :pr:3434

• Show custom error messages from types when :func:prompt with
  hide_input=True fails validation, instead of always showing a
  generic message. Built-in type messages mask the input value.
  :issue:2809 :pr:3256

• Add capture parameter to :class:CliRunner with two modes: sys
  (default) and fd. fd redirects file descriptors 1 and 2
  via :func:os.dup2 so output that bypasses sys.stdout (stale stream
  references, C extensions, subprocesses, faulthandler) is captured
  with proper isolation. :issue:854 :issue:2412 :issue:2468
  :issue:2497 :issue:2761 :issue:2827 :issue:2865

• Revert the 8.3.3 change that exposed the original file descriptor
  via fileno() on the redirected CliRunner streams in the default
  capture mode. os.dup2(w, sys.stdout.fileno()) calls inside a CLI no
  longer mutate the host runner's stdout, which broke Pytest's fd-level
  capture teardown. C-level consumers that need a real fd should use
  capture="fd". :issue:3384 :pr:3391

• Mark additional built-in strings with gettext() to extend translation
  coverage. :pr:2902

• Fix feature switch groups (several flag_value options sharing one
  parameter name) silently dropping an explicit default when a sibling
  option without an explicit default was declared first. Arbitration is now
  source-aware: a more explicit :class:ParameterSource always wins, and
  within ParameterSource.DEFAULT, an option that received an explicit
  default= keyword wins over a sibling whose default was auto-derived.
  The 8.3.x first-wins fallback for remaining ties was reverted to the
  pre-8.3.x last-wins fallback. :issue:3403 :pr:3404

• Fix missing space between option help text and the (DEPRECATED)
  label, and localize the option label so it matches the command label.
  The label and the DeprecationWarning reason suffix are now produced
  by shared helpers. :pr:3423

• Document short option stacking (-abc is parsed as -a -b -c) and
  clarify that multi-character short option names are not supported.
  :issue:2779 :pr:3431

v8.3.3

Compare Source

v8.3.2

Compare Source

Released 2026-04-02

• Fix handling of flag_value when is_flag=False to allow such options to be
  used without an explicit value. :issue:3084 :pr:3152
• Hide Sentinel.UNSET values as None when using lookup_default().
  :issue:3136 :pr:3199 :pr:3202 :pr:3209 :pr:3212 :pr:3224
• Prevent _NamedTextIOWrapper from closing streams owned by StreamMixer.
  :issue:824 :issue:2991 :issue:2993 :issue:3110 :pr:3139 :pr:3140
• Add comprehensive tests for CliRunner stream lifecycle, covering
  logging interaction, multi-threaded safety, and sequential invocation
  isolation. Add high-iteration stress tests behind a stress marker
  with a dedicated CI job. :pr:3139
• Fix callable flag_value being instantiated when used as a default via
  default=True. :issue:3121 :pr:3201 :pr:3213 :pr:3225

python/mypy (mypy)

v1.20.2

Compare Source

v1.20.1

Compare Source

• Always disable sync in SQLite cache (Ivan Levkivskyi, PR 21184)
• Temporarily skip few base64 tests (Ivan Levkivskyi, PR 21193)
• Revert dict.__or__ typeshed change (Ivan Levkivskyi, PR 21186)
• Fix narrowing for match case with variadic tuples (Shantanu, PR 21192)
• Avoid narrowing type[T] in type calls (Shantanu, PR 21174)
• Fix regression for catching empty tuple in except (Shantanu, PR 21153)
• Fix reachability for frozenset and dict view narrowing (Shantanu, PR 21151)
• Fix narrowing with chained comparison (Shantanu, PR 21150)
• Avoid narrowing to unreachable at module level (Shantanu, PR 21144)
• Allow dangerous identity comparisons to Any typed variables (Shantanu, PR 21142)
• --warn-unused-config should not be a strict flag (Ivan Levkivskyi, PR 21139)

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.14.0

Compare Source

Audit your supply chain regularly!

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #​397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #​388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #​395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#​391) and @​webknjaz💰 added infra for using type annotations in the project (#​381).

💪 New Contributors

• @​him2him2 made their first contribution in #​395
• @​whitequark made their first contribution in #​397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

psf/requests (requests)

v2.34.2

Compare Source

• Moved headers input type back to Mapping to avoid invariance issues
  with MutableMapping and inferred dict types. Users calling
  Request.headers.update() may need to narrow typing in their code. (#​7441)

v2.34.1

Compare Source

Bugfixes

• Widened json input type from dict and list to Mapping
  and Sequence. (#​7436)
• Changed headers input type to MutableMapping and removed None from
  Request.headers typing to improve handling for users. (#​7431)
• Response.reason moved from str | None to str to improve handling
  for users. (#​7437)
• Fixed a bug where some bodies with custom __getattr__ implementations
  weren't being properly detected as Iterables. (#​7433)

v2.34.0

Compare Source

Announcements

• Requests 2.34.0 introduces inline types, replacing those provided by
  typeshed. Public API types should be fully compatible with mypy, pyright,
  and ty. We believe types are comprehensive but if you find issues, please
  report them to the pinned tracking issue.

  Special thanks to @​bastimeyer, @​cthoyt, @​edgarrmondragon, and @​srittau for
  helping review and test the types ahead of the release. (#​7272)

Improvements

• Digest Auth hashing algorithms have added usedforsecurity=False to clarify
  security considerations. (#​7310)
• Requests added support for Python 3.15 based on beta1. Downstream projects
  should be able to start testing prior to its release in October. (#​7422)
• Requests added support for Python 3.14t. (#​7419)

Bugfixes

• Response.history no longer contains a reference to itself, preventing
  accidental looping when traversing the history list. (#​7328)
• Requests no longer performs greedy matching on no_proxy domains. The
  proxy_bypass implementation has been updated with CPython's fix from
  bpo-39057. (#​7427)
• Requests no longer incorrectly strips duplicate leading slashes in
  URI paths. This should address user issues with specific presigned
  URLs. Note the full fix requires urllib3 2.7.0+. (#​7315)

astral-sh/ruff (ruff)

v0.15.13

Compare Source

Released on 2026-05-14.

Preview features

• Add a rule to flag lazy imports that are eagerly evaluated (#​25016)
• [pylint] Standardize diagnostic message (PLR0914, PLR0917) (#​24996)

Bug fixes

• Fix F811 false positive for class methods (#​24933)
• Fix setting selection for multi-folder workspace (#​24819)
• [eradicate] Fix false positive for lines with leading whitespace (ERA001) (#​25122)
• [flake8-pyi] Fix false positive for f-string debug specifier (PYI016) (#​24098)

Rule changes

• Always include panic payload in panic diagnostic message (#​24873)
• Restrict PYI034 for in-place operations to enclosing class (#​24511)
• Improve error message for parameters that are declared global (#​24902)
• Update known stdlib (#​25103)

Performance

• [isort] Avoid constructing glob::Patterns for literal known modules (#​25123)

CLI

• Add TOML examples to --config help text (#​25013)
• Colorize ruff check 'All checks passed' (#​25085)

Configuration

• Increase max allowed value of line-length setting (#​24962)

Documentation

• Add D203 to rules that conflict with the formatter (#​25044)
• Clarify COM819 and formatter interaction (#​25045)
• Clarify that NotImplemented is a value, not an exception (F901) (#​25054)
• Update number of lint rules supported (#​24942)

Other changes

• Simplify the playground's markdown template (#​24924)

Contributors

• @​MichaReiser
• @​brian-c11
• @​Andrej730
• @​denyszhak
• @​darestack
• @​sharkdp
• @​charliermarsh
• @​EkriirkE
• @​eyupcanakman
• @​Hrk84ya
• @​thernstig
• @​ntBre

v0.15.12

Compare Source

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#​23599)
• Implement #ruff:ignore logical-line suppressions (#​23404)
• Revert preview changes to displayed diagnostic severity in LSP (#​24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#​23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#​24440)
• [pylint] Fix PLC2701 for type parameter scopes (#​24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#​24805)

CLI

• Respect default Unix permissions for cache files (#​24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#​24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#​24153)
• Improve rules table accessibility (#​24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

v0.15.11

Compare Source

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#​24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#​23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#​24424)

Bug fixes

• [flake8-async] Omit overridden methods for ASYNC109 (#​24648)

Documentation

• [flake8-async] Add override mention to ASYNC109 docs (#​24666)
• Update Neovim config examples to use vim.lsp.config (#​24577)

Contributors

• @​augustelalande
• @​anishgirianish
• @​benberryallwood
• @​charliermarsh
• @​Dev-iL

v0.15.10

Compare Source

Released on 2026-04-09.

Preview features

• [flake8-logging] Allow closures in except handlers (LOG004) (#​24464)
• [flake8-self] Make SLF diagnostics robust to non-self-named variables (#​24281)
• [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#​24371)

Bug fixes

• Avoid emitting multi-line f-string elements before Python 3.12 (#​24377)
• Avoid syntax error from E502 fixes in f-strings and t-strings (#​24410)
• Strip form feeds from indent passed to dedent_to (#​24381)
• [pyupgrade] Fix panic caused by handling of octals (UP012) (#​24390)
• Reject multi-line f-string elements before Python 3.12 (#​24355)

Rule changes

• [ruff] Treat f-string interpolation as potential side effect (RUF019) (#​24426)

Server

• Add support for custom file extensions (#​24463)

Documentation

• Document adding fixes in CONTRIBUTING.md (#​24393)
• Fix JSON typo in settings example (#​24517)

Contributors

• @​charliermarsh
• @​dylwil3
• @​silverstein
• @​anishgirianish
• @​shizukushq
• @​zanieb
• @​AlexWaygood

v0.15.9

Compare Source

Released on 2026-04-02.

Preview features

• [pyflakes] Flag annotated variable redeclarations as F811 in preview mode (#​24244)
• [ruff] Allow dunder-named assignments in non-strict mode for RUF067 (#​24089)

Bug fixes

• [flake8-errmsg] Avoid shadowing existing msg in fix for EM101 (#​24363)
• [flake8-simplify] Ignore pre-initialization references in SIM113 (#​24235)
• [pycodestyle] Fix W391 fixes for consecutive empty notebook cells (#​24236)
• [pyupgrade] Fix UP008 nested class matching (#​24273)
• [pyupgrade] Ignore strings with string-only escapes (UP012) (#​16058)
• [ruff] RUF072: skip formfeeds on dedent (#​24308)
• [ruff] Avoid re-using symbol in RUF024 fix (#​24316)
• [ruff] Parenthesize expression in RUF050 fix (#​24234)
• Disallow starred expressions as values of starred expressions (#​24280)

Rule changes

• [flake8-simplify] Suppress SIM105 for except* before Python 3.12 (#​23869)
• [pyflakes] Extend F507 to flag %-format strings with zero placeholders (#​24215)
• [pyupgrade] UP018 should detect more unnecessarily wrapped literals (UP018) (#​24093)
• [pyupgrade] Fix UP008 callable scope handling to support lambdas (#​24274)
• [ruff] RUF010: Mark fix as unsafe when it deletes a comment (#​24270)

Formatter

• Add nested-string-quote-style formatting option (#​24312)

Documentation

• [flake8-bugbear] Clarify RUF071 fix safety for non-path string comparisons (#​24149)
• [flake8-type-checking] Clarify import cycle wording for TC001/TC002/TC003 (#​24322)

Other changes

• Avoid rendering fix lines with trailing whitespace after | (#​24343)

Contributors

• @​charliermarsh
• @​MichaReiser
• @​tranhoangtu-it
• @​dylwil3
• @​zsol
• @​renovate
• @​bitloi
• @​danparizher
• @​chinar-amrutkar
• @​second-ed
• @​getehen
• @​Redovo1
• @​matthewlloyd
• @​zanieb
• @​InSyncWithFoo
• @​RenzoMXD

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.