Build(deps-dev): bump the minor-patch group with 3 updates

[dependabot]

Bumps the minor-patch group with 3 updates: bandit, ruff and ty.

Updates bandit from 1.9.3 to 1.9.4

Release notes

Sourced from bandit's releases.

1.9.4

What's Changed

• chore: fixed some typos in comments by @​jakob1379 in PyCQA/bandit#1351
• Bump docker/login-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in PyCQA/bandit#1353
• Bump docker/build-push-action from 6.18.0 to 6.19.2 by @​dependabot[bot] in PyCQA/bandit#1357
• Fix B613 crash when reading from stdin by @​worksbyfriday in PyCQA/bandit#1361
• Include filename in nosec 'no failed test' warning by @​worksbyfriday in PyCQA/bandit#1363
• Fix B615 false positive when revision is set via variable by @​worksbyfriday in PyCQA/bandit#1358
• Lower version guard in check_ast_node to Python 3.12 by @​rcgray in PyCQA/bandit#1355
• Fix B106 reporting wrong line number on multiline function calls by @​worksbyfriday in PyCQA/bandit#1360

New Contributors

• @​jakob1379 made their first contribution in PyCQA/bandit#1351
• @​worksbyfriday made their first contribution in PyCQA/bandit#1361
• @​rcgray made their first contribution in PyCQA/bandit#1355

Full Changelog: PyCQA/bandit@1.9.3...1.9.4

Commits

• 92ae8b8 Fix B106 reporting wrong line number on multiline function calls (#1360)
• c8c8a55 Lower version guard in check_ast_node to Python 3.12 (#1355)
• 8f2f928 Fix B615 false positive when revision is set via variable (#1358)
• e27493f Include filename in nosec 'no failed test' warning (#1363)
• b69b336 Fix B613 crash when reading from stdin (#1361)
• e418b79 Bump docker/build-push-action from 6.18.0 to 6.19.2 (#1357)
• ff646fd Bump docker/login-action from 3.6.0 to 3.7.0 (#1353)
• c0def6c chore: fixed some typos in comments (#1351)
• See full diff in compare view

Updates ruff from 0.15.1 to 0.15.2

Release notes

Sourced from ruff's releases.

0.15.2

Release Notes

Released on 2026-02-19.

Preview features

• Expand the default rule set (#23385)

  In preview, Ruff now enables a significantly expanded default rule set of 412 rules, up from the stable default set of 59 rules. The new rules are mostly a superset of the stable defaults, with the exception of these rules, which are removed from the preview defaults:

  • multiple-imports-on-one-line (E401)
  • module-import-not-at-top-of-file (E402)
  • module-import-not-at-top-of-file (E701)
  • multiple-statements-on-one-line-semicolon (E702)
  • useless-semicolon (E703)
  • none-comparison (E711)
  • true-false-comparison (E712)
  • not-in-test (E713)
  • not-is-test (E714)
  • type-comparison (E721)
  • lambda-assignment (E731)
  • ambiguous-variable-name (E741)
  • ambiguous-class-name (E742)
  • ambiguous-function-name (E743)
  • undefined-local-with-import-star (F403)
  • undefined-local-with-import-star-usage (F405)
  • undefined-local-with-nested-import-star-usage (F406)
  • forward-annotation-syntax-error (F722)

  If you use preview and prefer the old defaults, you can restore them with configuration like:

  # ruff.toml
  [lint]
  select = ["E4", "E7", "E9", "F"]
  pyproject.toml
  [tool.ruff.lint]
  select = ["E4", "E7", "E9", "F"]

  If you do give them a try, feel free to share your feedback in the GitHub discussion!

• [flake8-pyi] Also check string annotations (PYI041) (#19023)

Bug fixes

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.2

Released on 2026-02-19.

Preview features

• Expand the default rule set (#23385)

  In preview, Ruff now enables a significantly expanded default rule set of 412 rules, up from the stable default set of 59 rules. The new rules are mostly a superset of the stable defaults, with the exception of these rules, which are removed from the preview defaults:

  • multiple-imports-on-one-line (E401)
  • module-import-not-at-top-of-file (E402)
  • module-import-not-at-top-of-file (E701)
  • multiple-statements-on-one-line-semicolon (E702)
  • useless-semicolon (E703)
  • none-comparison (E711)
  • true-false-comparison (E712)
  • not-in-test (E713)
  • not-is-test (E714)
  • type-comparison (E721)
  • lambda-assignment (E731)
  • ambiguous-variable-name (E741)
  • ambiguous-class-name (E742)
  • ambiguous-function-name (E743)
  • undefined-local-with-import-star (F403)
  • undefined-local-with-import-star-usage (F405)
  • undefined-local-with-nested-import-star-usage (F406)
  • forward-annotation-syntax-error (F722)

  If you use preview and prefer the old defaults, you can restore them with configuration like:

  # ruff.toml
  [lint]
  select = ["E4", "E7", "E9", "F"]
  pyproject.toml
  [tool.ruff.lint]
  select = ["E4", "E7", "E9", "F"]

  If you do give them a try, feel free to share your feedback in the GitHub discussion!

... (truncated)

Commits

• 9d18ee9 Hard code workflow name and cancel-in-progress only for PRs (#23431)
• 7cc15f0 Bump 0.15.2 (#23430)
• d1b5443 Add extension mapping to configuration file options (#23384)
• 222574a Expand the default rule set (#23385)
• 1465b5d [flake8-async] Fix in_async_context logic (#23426)
• 410902f [pyupgrade] Fix handling of typing.{io,re} (UP035) (#23131)
• 729610a [ty] Fall back to ambiguous for large control flow graphs (#23399)
• 1425c18 [ty] Add code folding support
• 97acaae [ty] Fix stack overflow for self-referential TypeOf in annotations (#23407)
• 1f380c8 [ty] Update tests reveal_type and Never (#23418)
• Additional commits viewable in compare view

Updates ty from 0.0.17 to 0.0.18

Release notes

Sourced from ty's releases.

0.0.18

Release Notes

Released on 2026-02-20.

Bug fixes

• Support classes dynamically created via type(...) with cyclic bases (#22792)
• Fix incorrect types inferred when unpacking mixed tuples (#23437)
• Fix stack overflow for self-referential TypeOf in annotations (#23407)
• Fix several server panics that could occur when computing semantic tokens for the current file (#23403), #23398, #23401)

LSP server

• Add code folding support (#23393)
• Add warning message when running ty server interactively (#23416)
• Exclude test-related symbols from non-first-party packages in auto-import completions (#23252)
• Fix bug where diagnostics could disappear after opening an external file (#23447)
• Remove spurious destination for Go-To Definition on variables defined in a loop (#23391)
• Use the fully qualified name when "baking" an inlay hint into the source code if the scope already contains a variable with the same name as the unqualified name (#23265)
• Resolve TypeVars in call_signature_details parameter types (#23149)

CLI

• Add --output-format to ty version (#23387)

Configuration

• Add replace-imports-with-any option (#23122)
• Support shellexpand for configuration paths (#23274)

Type checking

• Add a new diagnostic to detect invalid class patterns in match statements (#22939)
• Allow Self in ClassVar type annotations (#23362)
• Consider synthesized methods and ClassVar-qualified declarations when determining whether an abstract method has been overridden in a subclass (#23381)
• Add a diagnostic when combining Final and ClassVar (#23365)
• Fix return type of assert_never (#23389)
• Fix assert_type diagnostic messages (#23342)
• Ban PEP-613 type alias values from containing type-qualifier special forms (#23444)
• Infer LiteralString for f"{literal_str_a} {literal_str_b}" (#23346)
• Infer precise types for bit-shift operations on integer literals (#23301)
• Make [abstract-method-in-final-class] diagnostics less verbose for classes with many abstract methods (#23379)
• Improve diagnostics for abstract @final classes (#23376)
• Only perform literal promotion for implicitly inferred literals (#23107)
• Parenthesize callable types when they appear in the return annotation of other callable types (#23327)
• Consider a call to a generic function returning Never to terminate control flow (#23419)
• Support calls to intersection types (#22469)
• Validate annotated assignments to attributes on self (#23388)
• Treat a bytes-literal type as a subtype of Sequence[<constituent integers in the bytestring>] (#23329)

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.18

Released on 2026-02-20.

Bug fixes

• Support classes dynamically created via type(...) with cyclic bases (#22792)
• Fix incorrect types inferred when unpacking mixed tuples (#23437)
• Fix stack overflow for self-referential TypeOf in annotations (#23407)
• Fix several server panics that could occur when computing semantic tokens for the current file (#23403), #23398, #23401)

LSP server

• Add code folding support (#23393)
• Add warning message when running ty server interactively (#23416)
• Exclude test-related symbols from non-first-party packages in auto-import completions (#23252)
• Fix bug where diagnostics could disappear after opening an external file (#23447)
• Remove spurious destination for Go-To Definition on variables defined in a loop (#23391)
• Use the fully qualified name when "baking" an inlay hint into the source code if the scope already contains a variable with the same name as the unqualified name (#23265)
• Resolve TypeVars in call_signature_details parameter types (#23149)

CLI

• Add --output-format to ty version (#23387)

Configuration

• Add replace-imports-with-any option (#23122)
• Support shellexpand for configuration paths (#23274)

Type checking

• Add a new diagnostic to detect invalid class patterns in match statements (#22939)
• Allow Self in ClassVar type annotations (#23362)
• Consider synthesized methods and ClassVar-qualified declarations when determining whether an abstract method has been overridden in a subclass (#23381)
• Add a diagnostic when combining Final and ClassVar (#23365)
• Fix return type of assert_never (#23389)
• Fix assert_type diagnostic messages (#23342)
• Ban PEP-613 type alias values from containing type-qualifier special forms (#23444)
• Infer LiteralString for f"{literal_str_a} {literal_str_b}" (#23346)
• Infer precise types for bit-shift operations on integer literals (#23301)
• Make [abstract-method-in-final-class] diagnostics less verbose for classes with many abstract methods (#23379)
• Improve diagnostics for abstract @final classes (#23376)
• Only perform literal promotion for implicitly inferred literals (#23107)
• Parenthesize callable types when they appear in the return annotation of other callable types (#23327)
• Consider a call to a generic function returning Never to terminate control flow (#23419)
• Support calls to intersection types (#22469)
• Validate annotated assignments to attributes on self (#23388)
• Treat a bytes-literal type as a subtype of Sequence[<constituent integers in the bytestring>] (#23329)
• Allow a string-literal argument to match against an Iterable parameter in type variable inference. (#23326)

... (truncated)

Commits

• 7516727 Bump version to 0.0.18 (#2869)
• 8e86a56 Mention code folding on language server feature page
• ca49bf9 Add shellcheck to pre-commit configuration (#2845)
• 532e761 Update PyO3/maturin-action action to v1.50.0 (#2823)
• 0211006 Update prek dependencies (#2822)
• 60ebbfe docs: Add beta status notice to README (#2556)
• 31b126a docs: add link for the call hierarchy tracking issue (#2816)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions