chore(deps): update dependency black to v26 [security] #585

renovate[bot] wants to merge 1 commit into
⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: poetry.lock
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##           master     #585      +/-   ##
==========================================
+ Coverage   91.36%   91.83%   +0.47%
==========================================
  Files          50       52       +2
  Lines        2756     2817      +61
==========================================
+ Hits         2518     2587      +69
+ Misses        238      230       -8

Flags with carried forward coverage won't be shown.
☔ View full report in Codecov by Sentry.
This PR contains the following updates:

black: ^24.10 → ^26.0.0

Black: Arbitrary file writes from unsanitized user input in cache file name
CVE-2026-32274 / GHSA-3936-cmfr-pm3m

Details

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
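The advisory describes the bug class but not the mechanism. The following Python example is added here and is not Black's own code: it models a cache-path builder in the "before" shape (magic names spliced verbatim into the file name) next to a hardened one (only a digest of the values reaches the name, with a containment check and an input allowlist as defence in depth). The option set, the /var/cache/black directory, the sample magic names and every function name are constructed for the illustration.

```python
"""Added illustration (not Black's code) of how an unsanitized CLI option can
steer a cache file outside the cache directory, beside a hardened version.

The model is deliberately small: a cache key is derived from a few formatter
options plus the --python-cell-magics values, and the key becomes the file
name. Paths are handled with posixpath so the demo is deterministic on any OS.
"""
import hashlib
import posixpath
import re

# Constructed option set standing in for the real formatter's many fields.
BASE_OPTIONS = {"line_length": 88, "preview": False}

# Hypothetical allowlist for magic names: IPython magics are identifiers,
# so anything containing '/', '.', or NUL has no business in this option.
MAGIC_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _option_prefix(opts: dict) -> str:
    return ".".join(f"{k}={v}" for k, v in sorted(opts.items()))


def cache_path_unsanitized(cache_dir: str, magics: list[str]) -> str:
    """'Before': magic names are spliced into the file name verbatim.

    A value such as '../../../../tmp/pwn' contributes path separators and
    '..' segments, so the joined path resolves outside cache_dir.
    """
    key = _option_prefix(BASE_OPTIONS) + "@" + ",".join(sorted(magics))
    return posixpath.join(cache_dir, f"cache.{key}.pickle")


def cache_path_hashed(cache_dir: str, magics: list[str]) -> str:
    """'After': only a fixed-length hex digest of the magic names is used.

    Sorting keeps the key stable across argument order; the NUL separator
    keeps ['ab', 'c'] and ['a', 'bc'] from colliding.
    """
    digest = hashlib.sha256("\0".join(sorted(magics)).encode()).hexdigest()[:20]
    key = _option_prefix(BASE_OPTIONS) + "@" + digest
    return posixpath.join(cache_dir, f"cache.{key}.pickle")


def is_inside(cache_dir: str, candidate: str) -> bool:
    """Defence in depth: True only if the normalized path stays under cache_dir."""
    root = posixpath.normpath(cache_dir)
    target = posixpath.normpath(candidate)
    return posixpath.commonpath([root, target]) == root


def validate_magics(magics: list[str]) -> list[str]:
    """Boundary check matching the advisory's workaround: reject values that
    are not plain identifiers before they reach any path-building code."""
    bad = [m for m in magics if not MAGIC_NAME_RE.fullmatch(m)]
    if bad:
        raise ValueError(f"invalid cell magic name(s): {bad!r}")
    return magics


def compare(cache_dir: str, magics: list[str]) -> dict:
    """Return both candidate paths and whether each stays inside cache_dir."""
    unsafe = cache_path_unsanitized(cache_dir, magics)
    safe = cache_path_hashed(cache_dir, magics)
    return {
        "unsanitized": unsafe,
        "unsanitized_inside": is_inside(cache_dir, unsafe),
        "hashed": safe,
        "hashed_inside": is_inside(cache_dir, safe),
    }


if __name__ == "__main__":
    CACHE = "/var/cache/black"  # constructed cache directory
    for magics in (["timeit"], ["../../../../tmp/pwn"]):
        print(magics)
        for k, v in compare(CACHE, magics).items():
            print(f"  {k}: {v}")
        try:
            validate_magics(magics)
            print("  validate_magics: accepted")
        except ValueError as exc:
            print(f"  validate_magics: {exc}")
```

With the traversal value the unsanitized path normalizes to /var/tmp/pwn.pickle while the hashed path stays under the cache directory; the allowlist rejects the value outright, which is the workaround the advisory recommends. One check worth doing on this PR before merging: the fix is in 26.3.1, but the proposed constraint ^26.0.0 also admits the unpatched 26.x releases, and it is the lock file (poetry.lock, which Renovate reports it failed to update here) that pins the version actually installed, so confirm the resolved version with `black --version` or by inspecting the lock file rather than trusting the constraint alone.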
Release Notes
psf/black (black)
v26.3.1

Stable style
- exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely (#5038)

Configuration
- --python-cell-magics so custom magic names cannot affect cache paths (#5038)

Blackd
- and request body limits, and bound executor submissions to improve backpressure (#5039)
v26.3.0

Stable style
- # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style
- if guards in case blocks were incorrectly split when the pattern had a trailing comma (#4884)
- string_processing crashing on unassigned long string literals with trailing commas (one-item tuples) (#4929)

Packaging
- frozen environments (#4930)

Performance
- uvloop.install() in favor of uvloop.new_event_loop() (#4996)
- maybe_install_uvloop function to maybe_use_uvloop to simplify loop installation and creation of either a uvloop/winloop event loop or default event loop (#4996)

Output
- version, since AST safety checks cannot parse newer syntax. Also replace the misleading "INTERNAL ERROR" message with an actionable error explaining the version mismatch (#4983)

Blackd
- windows when winloop is installed. (#4996)

Integrations
- black requirements in the GitHub Action when use_pyproject is enabled so that only version specifiers are accepted and direct references such as black @ https://... are rejected. Users should upgrade to the latest version of the action as soon as possible. This update is received automatically when using psf/black@stable, and is independent of the version of Black installed by the action. (#5031)

Documentation
- wrap_comprehension_in, simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features (#4987)
v26.1.0

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:
- always_one_newline_after_import: Always force one blank line after import statements, except when the line after the import is a comment or an import statement (#4489)
- fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations, such as def foo(): return "mock" # fmt: skip, where previously the declaration would have been incorrectly collapsed (#4800)
- fix_module_docstring_detection: Fix module docstrings being treated as normal strings if preceded by comments (#4764)
- fix_type_expansion_split: Fix type expansions split in generic functions (#4777)
- multiline_string_handling: Make expressions involving multiline strings more compact (#1879)
- normalize_cr_newlines: Add \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)
- remove_parens_around_except_types: Remove parentheses around multiple exception types in except and except* without as (#4720)
- remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
- standardize_type_comments: Format type comments which have zero or more spaces between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:
- _width_table.py and added tests for the Khmer language (#4253)

This release also bumps pathspec to v1 and fixes inconsistencies with Git's .gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even if the parent directory is directly unignored. For example, Black would previously format exclude/not_this/foo.py with this .gitignore:

Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and all of its children are included in formatting (and in Git), use this .gitignore:

This new behavior matches Git. The leading */ are only necessary if you wish to ignore matching subdirectories (like the previous behavior did), and not just matching root directories.

Output

Integrations
v25.12.0

Highlights

Stable style
- # fmt: off / # fmt: on blocks were incorrectly removed, particularly affecting Jupytext's # %% [markdown] comments (#4845)
- # fmt: skip comments are used in a multi-part if-clause, on string literals, or on dictionary entries with long lines (#4872)
- fmt: directives aren't on the top level (#4856)

Preview style
- fmt: skip skipping the line after instead of the line it's on (#4855)
- magic trailing commas and intentional multiline formatting (#4865)
- fix_fmt_skip_in_one_liners crashing on with statements (#4853)
- fix_fmt_skip_in_one_liners crashing on annotated parameters (#4854)
- # fmt: skip on them (#4894)

Packaging

Integrations
- output-file input to GitHub Action psf/black to write formatter output to a file for artifact capture and log cleanliness (#4824)
v25.11.0

Highlights

Stable style
- # fmt: off and # fmt: on were reformatted (#4811)
- being normalized (#4811)

Preview style
- multiline_string_handling from --unstable to --preview (#4760)
- comments (#4764)
- # type: <value> (#4645)
- fix_fmt_skip_in_one_liners preview feature to respect # fmt: skip for compound statements with semicolon-separated bodies (#4800)

Configuration
- no_cache option to control caching behavior. (#4803)

Packaging

Output
- (#4610)

Blackd
- requests to blackd (#4774)

Integrations
- psf/black to support the required-version major-version-only "stability" format when using pyproject.toml (#4770)
v25.9.0

Highlights
- await/async as soft keywords/variable names (#4676)

Stable style
- del statement containing tuples (#4628)
- with statements (#4630)
- # fmt: skip followed by a comment at the end of file (#4635)
- as clause of a with statement (#4634)
- with statement (#4646)
- \ followed by a \r followed by a comment (#4663)
- \\r\n (#4673)
- await ... (where ... is a literal Ellipsis) (#4676)
- (#4670)

Preview style
- # fmt: skip would still be formatted (#4552)
- multiline_string_handling with ternaries and dictionaries (#4657)
- string_processing would not split f-strings directly after expressions (#4680)
- in clause of comprehensions across lines if necessary (#4699)
- except and except* without as. (#4720)
- \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)

Parser
- parameter bounds and defaults. (#4602)

Performance

Integrations
- psf/black to read Black version from an additional section in pyproject.toml: [project.dependency-groups] (#4606)

Documentation
v25.1.0

Highlights

This release introduces the new 2025 stable style (#4558), stabilizing the following changes:
- # fmt: skip comments is no longer normalized (#4146)
- (#4154)
- * and more complex type variable tuple (#4440)

The following changes were not in any previous release:
- over multiple lines first instead of type parameter definitions (#4553)

Stable style
- empty lines (#4484)
- with statements containing tuple generators/unpacking (#4538)

Preview style
- (#4498)
- string_processing and wrap_long_dict_values_in_parens from removing parentheses around long dictionary values (#4377)
- wrap_long_dict_values_in_parens from the unstable to preview style (#4561)

Packaging
- License-Expression metadata field, see PEP 639. (#4479)

Performance
- is_fstring_start function in Black's tokenizer (#4541)

Integrations
- --stdin-filename set to a force excluded path, stdin won't be formatted. (#4539)

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.