Deps: Bump the python-packages group with 4 updates

[dependabot]

Bumps the python-packages group with 4 updates: cryptography, pygments, ruff and tomli.

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Updates pygments from 2.19.2 to 2.20.0

Release notes

Sourced from pygments's releases.

2.20.0

• New lexers:

  • Rell (#2914)

• Updated lexers:

  • archetype: Fix catastrophic backtracking in GUID and ID patterns (#3064)
  • ASN.1: Recognize minus sign and fix range operator (#3014, #3060)
  • C++: Add C++26 keywords (#2955), add integer literal suffixes (#2966)
  • ComponentPascal: Fix analyse_text (#3028, #3032)
  • Coq renamed to Rocq (#2883, #2908)
  • Cython: Various improvements (#2932, #2933)
  • Debian control: Improve architecture parsing (#3052)
  • Devicetree: Add support for overlay/fragments (#3021), add bytestring support (#3022), fix catastrophic backtracking (#3057)
  • Fennel: Various improvements (#2911)
  • Haskell: Handle escape sequences in character literals (#3069, #1795)
  • Java: Add module keywords (#2955)
  • Lean4: Add operators ]', ]?, ]! (#2946)
  • LESS: Support single-line comments (#3005)
  • LilyPond: Update to 2.25.29 (#2974)
  • LLVM: Support C-style comments (#3023, #2978)
  • Lua(u): Fix catastrophic backtracking (#3047)
  • Macaulay2: Update to 1.25.05 (#2893), 1.25.11 (#2988)
  • Mathematica: Various improvements (#2957)
  • meson: Add additional operators (#2919)
  • MySQL: Update keywords (#2970)
  • org-Mode: Support both schedule and deadline (#2899)
  • PHP: Add __PROPERTY__ magic constant (#2924), add reserved keywords (#3002)
  • PostgreSQL: Add more keywords (#2985)
  • protobuf: Fix namespace tokenization (#2929)
  • Python: Add t-string support (#2973, #3009, #3010)
  • Tablegen: Fix infinite loop (#2972, #2940)
  • Tera Term macro: Add commands introduced in v5.3 through v5.6 (#2951)
  • TOML: Support TOML 1.1.0 (#3026, #3027)
  • Turtle: Allow empty comment lines (#2980)
  • XML: Added .xbrl as file ending (#2890, #2891)

• Drop Python 3.8, and add Python 3.14 as a supported version (#2987, #3012)

• Various improvements to autopygmentize (#2894)

• Update onedark style to support more token types (#2977)

• Update rtt style to support more token types (#2895)

• Cache entry points to improve performance (#2979)

• Fix xterm-256 color table (#3043)

• Fix kwargs dictionary getting mutated on each call (#3044)

Changelog

Sourced from pygments's changelog.

Version 2.20.0

(released March 29th, 2026)

• New lexers:

  • Rell (#2914)

• Updated lexers:

  • archetype: Fix catastrophic backtracking in GUID and ID patterns (#3064)
  • ASN.1: Recognize minus sign and fix range operator (#3014, #3060)
  • C++: Add C++26 keywords (#2955), add integer literal suffixes (#2966)
  • ComponentPascal: Fix analyse_text (#3028, #3032)
  • Coq renamed to Rocq (#2883, #2908)
  • Cython: Various improvements (#2932, #2933)
  • Debian control: Improve architecture parsing (#3052)
  • Devicetree: Add support for overlay/fragments (#3021), add bytestring support (#3022), fix catastrophic backtracking (#3057)
  • Fennel: Various improvements (#2911)
  • Haskell: Handle escape sequences in character literals (#3069, #1795)
  • Java: Add module keywords (#2955)
  • Lean4: Add operators ]', ]?, ]! (#2946)
  • LESS: Support single-line comments (#3005)
  • LilyPond: Update to 2.25.29 (#2974)
  • LLVM: Support C-style comments (#3023, #2978)
  • Lua(u): Fix catastrophic backtracking (#3047)
  • Macaulay2: Update to 1.25.05 (#2893), 1.25.11 (#2988)
  • Mathematica: Various improvements (#2957)
  • meson: Add additional operators (#2919)
  • MySQL: Update keywords (#2970)
  • org-Mode: Support both schedule and deadline (#2899)
  • PHP: Add __PROPERTY__ magic constant (#2924), add reserved keywords (#3002)
  • PostgreSQL: Add more keywords (#2985)
  • protobuf: Fix namespace tokenization (#2929)
  • Python: Add t-string support (#2973, #3009, #3010)
  • Tablegen: Fix infinite loop (#2972, #2940)
  • Tera Term macro: Add commands introduced in v5.3 through v5.6 (#2951)
  • TOML: Support TOML 1.1.0 (#3026, #3027)
  • Turtle: Allow empty comment lines (#2980)
  • XML: Added .xbrl as file ending (#2890, #2891)

• Drop Python 3.8, and add Python 3.14 as a supported version (#2987, #3012)

• Various improvements to autopygmentize (#2894)

• Update onedark style to support more token types (#2977)

• Update rtt style to support more token types (#2895)

• Cache entry points to improve performance (#2979)

• Fix xterm-256 color table (#3043)

• Fix kwargs dictionary getting mutated on each call (#3044)

Commits

• 708197d Fix underline length.
• 1d4538a Prepare 2.20 release.
• 2ceaee4 Update CHANGES.
• e3a3c54 Fix Haskell lexer: handle escape sequences in character literals (#3069)
• d7c3453 Merge pull request #3071 from pygments/harden-html-formatter
• 0f97e7c Harden the HTML formatter against CSS.
• 9f981b2 Update CHANGES.
• 1d88915 Update CHANGES.
• c3d93ad Fix ASN.1 lexer: recognize minus sign and fix range operator (#3060)
• 4f06bcf fix bad behaving backtracking regex in CommonLispLexer
• Additional commits viewable in compare view

Updates ruff from 0.15.7 to 0.15.8

Release notes

Sourced from ruff's releases.

0.15.8

Release Notes

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.8

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu
• @​mvanhorn

... (truncated)

Commits

• c2a8815 Release 0.15.8 (#24217)
• d444d52 [ty] Infer lambda expressions with Callable type context (#22633)
• 9622285 [ty] Autocomplete arguments if in arguments node (#24167)
• d812662 Use the release environment in publish-docs (#24214)
• eda2355 [ty] Show Final source in final assignment diagnostic (#24194)
• 929eb52 [ty] Enforce Final attribute assignment rules for annotated and augmented wri...
• 34998be [ty] Fix typo in comment (#24211)
• 560aca0 [ty] Minor simplifications to some benchmark code (#24209)
• 683bae5 [ty] Track non-terminal-call constraints in global scope (#23245)
• 4704c2a [ty] Remove unnecessary intermediate collection in `StaticClassLiteral::field...
• Additional commits viewable in compare view

Updates tomli from 2.4.0 to 2.4.1

Changelog

Sourced from tomli's changelog.

2.4.1

• Fixed
  • Limit number of parts of a TOML key to address quadratic time complexity

Commits

• c5f4469 Bump version: 2.4.0 → 2.4.1
• 2bcd262 Add change log for 2.4.1 and 2.3.1
• e1fdb94 Limit number of parts of a key (#286)
• c20c491 pre-commit autoupdate
• 920e20b Update performance benchmark and results
• 064e492 Merge pull request #280 from hukkin/version-2.4.0
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA d7bf3c7.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

poetry.lock

Package	Version	License	Issue Type
pygments	2.20.0	Null	Unknown License
ruff	0.15.8	Null	Unknown License

Allowed Licenses:

0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, bzip2-1.0.6, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-3.0, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
pip/cryptography	46.0.6	Unknown	Unknown
pip/pygments	2.20.0	Unknown	Unknown
pip/ruff	0.15.8	Unknown	Unknown
pip/tomli	2.4.1	Unknown	Unknown

Scanned Files

• poetry.lock

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.