Bump the dependencies group across 1 directory with 19 updates

[dependabot]

Bumps the dependencies group with 19 updates in the / directory:

Package	From	To
cryptography	46.0.3	46.0.4
alabaster	0.7.16	1.0.0
certifi	2025.11.12	2026.1.4
packaging	25.0	26.0
pycparser	2.23	3.0
sphinxcontrib-trio	1.1.2	1.2.0
tomli	2.3.0	2.4.0
urllib3	2.6.0	2.6.3
coverage[toml]	7.12.0	7.13.2
pyasn1	0.6.1	0.6.2
black	25.9.0	25.12.0
filelock	3.20.0	3.20.3
humanize	4.14.0	4.15.0
librt	0.7.3	0.7.8
mypy	1.19.0	1.19.1
pathspec	0.12.1	1.0.4
pytokens	0.3.0	0.4.1
types-setuptools	80.9.0.20250822	80.10.0.20260124
virtualenv	20.35.4	20.36.1

Updates cryptography from 46.0.3 to 46.0.4

Changelog

Sourced from cryptography's changelog.

46.0.4 - 2026-01-27

* `Dropped support for win_arm64 wheels`_.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
.. _v46-0-3:

Commits

• e6f44fc bump for 46.0.4 and drop win arm64 due to CI issues (#14217)
• See full diff in compare view

Updates alabaster from 0.7.16 to 1.0.0

Release notes

Sourced from alabaster's releases.

Alabaster 1.0.0

Changelog: https://alabaster.readthedocs.io/en/latest/changelog.html

Changelog

Sourced from alabaster's changelog.

:git_tag:1.0.0 -- 2024-07-26

• Dropped support for Python 3.9 and earlier.
• Dropped support for Sphinx 6.1 and earlier.
• Use a new SVG image for the GitHub banner.
• :feature:217 Use the new searchfield component for the search box. Patch by Tim Hoffmann.
• :feature:104 Allow translating strings in relations.html.
• 🐛125 Do not underline linked images. Patch by Joshua Bronson.
• 🐛169 Do not ignore the Pygments background colour. Patch by Matthias Geier.
• 🐛174 Fix clipping caused by incorrect CSS breakpoints.

Commits

• fba58a4 Bump to 1.0.0
• 7d5c318 Update project maintainers
• d25c4bc List basic.css in theme.conf (#219)
• 97235d1 Fix incorrect breakpoints that cause clipping around 875px (#174)
• 5bb4411 Remove explicit width for search field input (#218)
• 9fdb57c Update references to searchbox
• a35a1df Don't ignore the Pygments background (#169)
• 17e55e5 Fix for "Don't put an underline on linked images" (#125)
• 73be878 Allow translations for strings in relations.html (#104)
• eb522b8 Use searchfield instead of searchbox component in sidebar (#217)
• Additional commits viewable in compare view

Updates certifi from 2025.11.12 to 2026.1.4

Commits

• c64d9f3 2026.01.04 (#389)
• 4ac232f Bump actions/download-artifact from 6.0.0 to 7.0.0 (#387)
• 95ae4b2 Update CI workflow to use Ubuntu 24.04 and Python 3.14 stable (#386)
• b72a7b1 Bump dessant/lock-threads from 5.0.1 to 6.0.0 (#385)
• ecc2672 Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#384)
• 6a897db Bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#383)
• 27ca98a Bump peter-evans/create-pull-request from 7.0.9 to 7.0.11 (#381)
• 56c59a6 Bump actions/checkout from 6.0.0 to 6.0.1 (#382)
• ae0021c Bump actions/setup-python from 6.0.0 to 6.1.0 (#380)
• ddf5d0b Bump actions/checkout from 5.0.1 to 6.0.0 (#378)
• Additional commits viewable in compare view

Updates packaging from 25.0 to 26.0

Release notes

Sourced from packaging's releases.

26.0

Read about the performance improvements here: https://iscinumpy.dev/post/packaging-faster.

What's Changed

Features:

• PEP 751: support pylock by @​sbidoul in pypa/packaging#900
• PEP 794: import name metadata by @​brettcannon in pypa/packaging#948
• Support writing metadata by @​henryiii in pypa/packaging#846
• Support __replace__ for Version by @​henryiii in pypa/packaging#1003
• Support positional pattern matching for Version and Specifier by @​henryiii in pypa/packaging#1004

Behavior adaptations:

• PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter by @​notatallshaw in pypa/packaging#897
• Handle PEP 440 edge case in SpecifierSet.filter by @​notatallshaw in pypa/packaging#942
• Adjust arbitrary equality intersection preservation in SpecifierSet by @​notatallshaw in pypa/packaging#951
• Return False instead of raising for .contains with invalid version by @​Liam-DeVoe in pypa/packaging#932
• Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. by @​notatallshaw in pypa/packaging#954
• Only try to parse as Version on certain marker keys, return False on unequal ordered comparsions by @​JP-Ellis in pypa/packaging#939

Fixes:

• Update _hash when unpickling Tag() by @​dholth in pypa/packaging#860
• Correct comment and simplify implicit prerelease handling in Specifier.prereleases by @​notatallshaw in pypa/packaging#896
• Use explicit _GLibCVersion NamedTuple in _manylinux by @​cthoyt in pypa/packaging#868
• Detect invalid license expressions containing () by @​bwoodsend in pypa/packaging#879
• Correct regex for metadata 'name' format by @​di in pypa/packaging#925
• Improve the message around expecting a semicolon by @​pradyunsg in pypa/packaging#833
• Support nested parens in license expressions by @​Liam-DeVoe in pypa/packaging#931
• Add space before at symbol in Requirements string by @​henryiii in pypa/packaging#953
• A root logger use found by ruff LOG, use packaging logger instead by @​henryiii in pypa/packaging#965
• Better support for subclassing Marker and Requirement by @​henryiii in pypa/packaging#1022
• Normalize all extras, not just if it comes first by @​henryiii in pypa/packaging#1024
• Don't produce a broken repr if Marker fails to construct by @​henryiii in pypa/packaging#1033

Performance:

• Avoid recompiling regexes in the tokenizer for a 3x speedup by @​hauntsaninja in pypa/packaging#1019
• Improve performance in _manylinux.py by @​cthoyt in pypa/packaging#869
• Minor cleanups to Version by @​bearomorphism in pypa/packaging#913
• Skip redundant creation of Versions in specifier comparison by @​notatallshaw in pypa/packaging#986
• Cache Specifier's Version by @​notatallshaw in pypa/packaging#985
• Make Version a little faster by @​henryiii in pypa/packaging#987
• Minor Version regex cleanup by @​henryiii in pypa/packaging#990
• Faster regex on Python 3.11.5+ by @​henryiii in pypa/packaging#988 and pypa/packaging#1055
• Lazily calculate _key in Version by @​notatallshaw in pypa/packaging#989 and regression for packaging_legacy fixed by @​henryiii in pypa/packaging#1048
• Faster canonicalize_version by @​henryiii in pypa/packaging#993
• Use fullmatch in a couple more places by @​henryiii in pypa/packaging#992

... (truncated)

Changelog

Sourced from packaging's changelog.

26.0 - 2026-01-20

Features:

PEP 751: support pylock (:pull:900)
PEP 794: import name metadata (:pull:948)
Support for writing metadata to a file (:pull:846)
Support __replace__ on Version (:pull:1003)
Support positional pattern matching for Version and SpecifierSet (:pull:1004)

Behavior adaptations:

PEP 440 handling of prereleases for Specifier.contains, SpecifierSet.contains, and SpecifierSet.filter (:pull:897)
Handle PEP 440 edge case in SpecifierSet.filter (:pull:942)
Adjust arbitrary equality intersection preservation in SpecifierSet (:pull:951)
Return False instead of raising for .contains with invalid version (:pull:932)
Support arbitrary equality on arbitrary strings for Specifier and SpecifierSet's filter and contains method. (:pull:954)
Only try to parse as Version on certain marker keys, return False on unequal ordered comparisons (:pull:939)

Fixes:

Update _hash when unpickling Tag() (:pull:860)
Correct comment and simplify implicit prerelease handling in Specifier.prereleases (:pull:896)
Use explicit _GLibCVersion NamedTuple in _manylinux (:pull:868)
Detect invalid license expressions containing () (:pull:879)
Correct regex for metadata 'name' format (:pull:925)
Improve the message around expecting a semicolon (:pull:833)
Support nested parens in license expressions (:pull:931)
Add space before at symbol in Requirements string (:pull:953)
A root logger use found, use a packaging logger instead (:pull:965)
Better support for subclassing Marker and Requirement (:pull:1022)
Normalize all extras, not just if it comes first (:pull:1024)
Don't produce a broken repr if Marker fails to construct (:pull:1033)

Performance:

Avoid recompiling regexes in the tokenizer for a 3x speedup (:pull:1019)
Improve performance in _manylinux.py (:pull:869)
Minor cleanups to Version (:pull:913)
Skip redundant creation of Version's in specifier comparison (:pull:986)
Cache the Specifier's Version (:pull:985)
Make Version a little faster (:pull:987)
Minor Version regex cleanup (:pull:990)
Faster regex on Python 3.11.5+ for Version (:pull:988, :pull:1055)
Lazily calculate _key in Version (:pull:989, :pull:1048)
Faster canonicalize_version (:pull:993)
Use re.fullmatch in a couple more places (:pull:992, :pull:1029)
Use map instead of generator (:pull:996)
Deprecate ._version (_Version, a NamedTuple) (:pull:995, :pull:1062)

</tr></table>

... (truncated)

Commits

• 3b77a26 Bump for release
• 31371cc docs: prepare for 26.0 final (#1063)
• 9627a88 perf: dual replace (#1064)
• d5398b8 fix: restore ._version as a compat shim (#1062)
• 3a7b600 Bump for development
• d4eefdc Bump for release
• 4618912 docs: prepare for 26.0rc3 (#1060)
• 0cf1b41 ci: test on first public release of CPythons (#1056)
• 716beb1 perf: 10% faster stripping zeros (#1058)
• 350a230 fix: support CPython 3.11.0-3.11.4 and older PyPy3.11 (#1055)
• Additional commits viewable in compare view

Updates pycparser from 2.23 to 3.0

Release notes

Sourced from pycparser's releases.

release_v3.00

What's Changed

• Removed dependency on PLY, by rewriting pycparser to use a hand-written lexer and recursive-descent parser for C. No API changes / functionality changes intended - the same AST is produced.
• Add support for Python 3.14 and drop EOL 3.8 by @​hugovk in eliben/pycparser#581
• Update _ast_gen.py to be in sync with c_ast.py by @​simonlindholm in eliben/pycparser#582

Full Changelog: eliben/pycparser@release_v2.23...release_v3.00

Commits

• 77de509 Prepare for release 3.00
• e57ccd1 Update README
• 230e12d disable uv caching in CI
• 9c52f40 Update CI to run make check+test via uvx
• 6b8f064 Use dataclass where applicable; add 'make test' to Makefile
• 25376cb Use f-strings instead of older formatting in other auxiliary files
• 9bd8997 Use f-strings instead of older formatting in core code + tests
• 664eac2 Modernize some code with pattern matching
• 842f064 Add type annotations to more examples
• 076f374 Add types to several exmaples
• Additional commits viewable in compare view

Updates sphinxcontrib-trio from 1.1.2 to 1.2.0

Commits

• f485ed3 Bump version
• aa122de Merge pull request #400 from A5rocks/override-fix
• 16bdea2 Bump minimum Sphinx
• 97808cc Add a changelog
• d8965d7 Fix autodoc overriding
• d76d5d9 Merge pull request #360 from python-trio/dependabot/pip/certifi-2022.5.18.1
• 12b4a11 Bump certifi from 2022.5.18 to 2022.5.18.1
• f21a7ab Merge pull request #359 from python-trio/dependabot/pip/certifi-2022.5.18
• 300833f Bump certifi from 2021.10.8 to 2022.5.18
• aa6b21e Merge pull request #358 from python-trio/dependabot/pip/pyparsing-3.0.9
• Additional commits viewable in compare view

Updates tomli from 2.3.0 to 2.4.0

Changelog

Sourced from tomli's changelog.

2.4.0

• Added
  • TOML v1.1.0 compatibility
  • Binary wheels for Windows arm64

Commits

• a678e6f Bump version: 2.3.0 → 2.4.0
• b8a1358 Tests: remove now needless "TOML compliance"->"burntsushi" format conversion
• 4979375 Update GitHub actions
• f890dd1 Update pre-commit hooks
• d9c65c3 Add 2.4.0 change log
• 0efe49d Update README for v2.4.0
• 9eb2125 TOML 1.1: Make seconds optional in Date-Time and Time (#203)
• 12314bd TOML 1.1: Add \xHH Unicode escape code to basic strings (#202)
• 2a2aa62 TOML 1.1: Allow newlines and trailing comma in inline tables (#200)
• 38297f8 Xfail on tests for TOML 1.1 features not yet supported
• Additional commits viewable in compare view

Updates urllib3 from 2.6.0 to 2.6.3

Release notes

Sourced from urllib3's releases.

2.6.3

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed a security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (CVE-2026-21441 reported by @​D47A, 8.9 High, GHSA-38jv-5279-wg99)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. (urllib3/urllib3#3743)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. (urllib3/urllib3#3752)

2.6.2

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. (urllib3/urllib3#3734)

2.6.1

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Changes

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. (#3731)

Changelog

Sourced from urllib3's changelog.

2.6.3 (2026-01-07)

• Fixed a high-severity security issue where decompression-bomb safeguards of the streaming API were bypassed when HTTP redirects were followed. (GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>__)
• Started treating Retry-After times greater than 6 hours as 6 hours by default. ([#3743](https://github.com/urllib3/urllib3/issues/3743) <https://github.com/urllib3/urllib3/issues/3743>__)
• Fixed urllib3.connection.VerifiedHTTPSConnection on Emscripten. ([#3752](https://github.com/urllib3/urllib3/issues/3752) <https://github.com/urllib3/urllib3/issues/3752>__)

2.6.2 (2025-12-11)

• Fixed HTTPResponse.read_chunked() to properly handle leftover data in the decoder's buffer when reading compressed chunked responses. ([#3734](https://github.com/urllib3/urllib3/issues/3734) <https://github.com/urllib3/urllib3/issues/3734>__)

2.6.1 (2025-12-08)

• Restore previously removed HTTPResponse.getheaders() and HTTPResponse.getheader() methods. ([#3731](https://github.com/urllib3/urllib3/issues/3731) <https://github.com/urllib3/urllib3/issues/3731>__)

Commits

• 0248277 Release 2.6.3
• 8864ac4 Merge commit from fork
• 70cecb2 Fix Scorecard issues related to vulnerable dev dependencies (#3755)
• 41f249a Move "v2.0 Migration Guide" to the end of the table of contents (#3747)
• fd4dffd Patch VerifiedHTTPSConnection for Emscripten (#3752)
• 13f0bfd Handle massive values in Retry-After when calculating time to sleep for (#3743)
• 8c480bf Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#3748)
• 4b40616 Bump actions/cache from 4.3.0 to 5.0.1 (#3750)
• 82b8479 Bump actions/download-artifact from 6.0.0 to 7.0.0 (#3749)
• 34284cb Mention experimental features in the security policy (#3746)
• Additional commits viewable in compare view

Updates coverage[toml] from 7.12.0 to 7.13.2

Release notes

Sourced from coverage[toml]'s releases.

7.13.2

Version 7.13.2 — 2026-01-25

• Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115.
• Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117.

➡️  PyPI page: coverage 7.13.2. :arrow_right:  To install: python3 -m pip install coverage==7.13.2

7.13.1

Version 7.13.1 — 2025-12-28

• Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110.
• Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.
• Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105. This is now fixed, thanks to Jianrong Zhao.
• Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn’t change any behavior. If you find that it does, please get in touch.
• Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.
• Docs: added a section explaining more about what is considered a missing branch and how it is reported: Examples of missing branches, as requested in issue 1597. Thanks to Ayisha Mohammed.
• Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn’t set on 3.14+. This is now fixed, closing issue 2109.

➡️  PyPI page: coverage 7.13.1. :arrow_right:  To install: python3 -m pip install coverage==7.13.1

7.13.0

Version 7.13.0 — 2025-12-08

• Feature: coverage.py now supports .coveragerc.toml configuration files. These files use TOML syntax and take priority over pyproject.toml but lower priority than .coveragerc files. Closes issue 1643 thanks to Olena Yefymenko.
• Fix: we now include a permanent .pth file which is installed with the code, fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn’t work when using the source wheel (py3-none-any). This is now fixed. Thanks, Henry Schreiner.
• Deprecated: when coverage.py is installed, it creates three command entry points: coverage, coverage3, and coverage-3.10 (if installed for Python 3.10). The second and third of these are not needed and will eventually be removed. They still work for now, but print a message about their deprecation.

➡️  PyPI page: coverage 7.13.0. :arrow_right:  To install: python3 -m pip install coverage==7.13.0

7.12.1b1

Version 7.12.1b1 — 2025-11-30

• Fix: coverage.py now includes a permanent .pth file in the distribution which is installed with the code. This fixes issue 2084: failure to patch for subprocess measurement when site-packages is not writable.

➡️  PyPI page: coverage 7.12.1b1. :arrow_right:  To install: python3 -m pip install coverage==7.12.1b1

Changelog

Sourced from coverage[toml]'s changelog.

Version 7.13.2 — 2026-01-25

• Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115_.

• Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117_.

.. _issue 2115: coveragepy/coveragepy#2115 .. _issue 2117: coveragepy/coveragepy#2117

.. _changes_7-13-1:

Version 7.13.1 — 2025-12-28

• Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110_.

• Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.

• Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105_. This is now fixed, thanks to Jianrong Zhao.

• Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn't change any behavior. If you find that it does, please get in touch.

• Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.

• Docs: added a section explaining more about what is considered a missing branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

• Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: coveragepy/coveragepy#1597 .. _pull 2092: coveragepy/coveragepy#2092

... (truncated)

Commits

• 513e971 docs: sample HTML for 7.13.2
• 27a8230 docs: prep for 7.13.2
• 27d8daa refactor: plural does more
• a2f248c fix: stdlib might be through a symlink. #2115
• bc52a22 debug: re-organize Matchers to show more of what they do
• f338d81 debug: build is a tuple, don't show it on two lines
• 92020e4 refactor(test): convert to parametrized
• 6387d0a test: let (most) tests run with no network
• 1d31e33 build: workflows sometimes need more than 10 min
• 6294978 refactor: an error message is now uniform across versions
• Additional commits viewable in compare view

Updates pyasn1 from 0.6.1 to 0.6.2

Release notes

Sourced from pyasn1's releases.

Release 0.6.2

It's a minor release.

• Fixed continuation octet limits in OID/RELATIVE-OID decoder (CVE-2026-23490).
• Added support for Python 3.14.
• Added SECURITY.md policy.
• Migrated to pyproject.toml packaging.

All changes are noted in the CHANGELOG.

Changelog

Sourced from pyasn1's changelog.

Revision 0.6.2, released 16-01-2026

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14 [pr #97](pyasn1/pyasn1#97)
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code [issue #91](pyasn1/pyasn1#91) [pr #92](pyasn1/pyasn1#92)
• Migrated to pyproject.toml packaging [pr #90](pyasn1/pyasn1#90)

Commits

• e7356f8 Prepare release 0.6.2
• 3908f14 Merge commit from fork
• 0a7e067 Add support for Python 3.14 (#97)
• 33656e9 Create Security Policy
• fa62307 fix for issue #91: unit tests failing due to missing code (#92)
• f1ed02e Package pyasn1 with pyproject.toml (#90)
• 93c4d4f Switch documentation user to pyasn1 (#89)
• See full diff in compare view

Updates black from 25.9.0 to 25.12.0

Release notes

Sourced from black's releases.

25.12.0

Please test out the draft 2026 style in version 26.1a1! This style will be finalized in the January release (26.1.0). Most of the changes in --preview will be in the 2026 stable style, but not all. Please share your feedback!

This release (25.12.0) will still produce the 2025 style.

Highlights

• Black no longer supports running with Python 3.9 (#4842)

Stable style

• Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly removed, particularly affecting Jupytext's # %% [markdown] comments (#4845)
• Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on string literals, or on dictionary entries with long lines (#4872)
• Fix possible crash when fmt: directives aren't on the top level (#4856)

Preview style

• Fix fmt: skip skipping the line after instead of the line it's on (#4855)
• Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
• Fix fix_fmt_skip_in_one_liners crashing on with statements (#4853)
• Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#4854)
• Fix new lines being added after imports with # fmt: skip on them (#4894)

Packaging

• Releases now include arm64 Windows binaries and wheels (#4814)

Integrations

• Add output-file input to GitHub Action psf/black to write formatter output to a file for artifact capture and log cleanliness (#4824)

25.11.0

Highlights

• Enable base 3.14 support (#4804)
• Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#4805)

Stable style

• Fix bug where comments between # fmt: off and # fmt: on were reformatted (#4811)
• Comments containing fmt directives now preserve their exact formatting instead of being normalized (#4811)

... (truncated)

Changelog

Sourced from black's changelog.

25.12.0

Highlights

• Black no longer supports running with Python 3.9 (#4842)

Stable style

• Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly removed, particularly affecting Jupytext's # %% [markdown] comments (#4845)
• Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on string literals, or on dictionary entries with long lines (#4872)
• Fix possible crash when fmt: directives aren't on the top level (#4856)
• Preserve parentheses when # type: ignore comments would be merged with other comments on the same line, preventing AST equivalence failures (#4888)

Preview style

• Fix fmt: skip skipping the line after instead of the line it's on (#4855)
• Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
• Fix fix_fmt_skip_in_one_liners crashing on with statements (#4853)
• Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#4854)
• Fix new lines being added after imports with # fmt: skip on them (#4894)

Packaging

• Releases now include arm64 Windows binaries and wheels (#4814)

Integrations

• Add output-file input to GitHub Action psf/black to write formatter output to a file for artifact capture and log cleanliness (#4824)

25.11.0

Highlights

• Enable base 3.14 support (#4804)
• Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#4805)

Stable style

• Fix bug where comments between # fmt: off and # fmt: on were reformatted (#4811)
• Comments containing fmt directives now preserve their exact formatting instead of being normalized (#4811)

Preview style

• Move multiline_string_handling from --unstable to --preview (#4760)

... (truncated)

Commits

• 782e560 Pin actions/checkout@v5.0.0 (#4895)
• f0f4094 Fix new lines being added after imports with # fmt: skip on them (#4894)
• 70fc194 Revert "Fix # fmt: skip ignored in deeply nested expressions" (#4893)
• 7044b14 Prepare 25.12.0 release (#4891)
• 5b470f0 Fix # fmt: skip ignored in deeply nested expressions (#4883)
• 1b342ef Fix crash when multiple # fmt: skip comments are used in multi-part if-clau...
• 7b265f1 Pin Hatch to hopefully fix Docker builds (#4878)
• c9523f4 Attempt to fix Docker build failures (#4876)
• 0f376e0 Fix crashes when fmt directives are indented (#4856)
• a8bfcc1 Fix fmt: skip skipping the line after instead of the line it's on (#4855)
• Additional commits viewable in compare view

Updates filelock from 3.20.0 to 3.20.3

Release notes

Sourced from filelock's releases.

3.20.3

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

3.20.2

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

3.20.1

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

Commits

• 41b42dd Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
Description has been truncated