chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v5 -> v6
astral-sh/ruff-pre-commit	repository	patch	v0.14.4 -> v0.14.8
ghcr.io/astral-sh/uv	final	patch	0.9.9 -> 0.9.17
pre-commit/mirrors-mypy	repository	minor	v1.18.2 -> v1.19.0
pycqa/bandit	repository	minor	1.8.6 -> 1.9.2
python		patch	3.14.0 -> 3.14.2
python	stage	patch	3.14.0-slim-trixie -> 3.14.2-slim-trixie

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

actions/checkout (actions/checkout)

v6

Compare Source

astral-sh/ruff-pre-commit (astral-sh/ruff-pre-commit)

v0.14.8

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.14.8

v0.14.7

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.14.7

v0.14.6

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.14.6

v0.14.5

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.14.5

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.9.17

Compare Source

Released on 2025-12-09.

Enhancements

• Add torch-tensorrt and torchao to the PyTorch list (#​17053)
• Add hint for misplaced --verbose in uv tool run (#​17020)
• Add support for relative durations in exclude-newer (a.k.a., dependency cooldowns) (#​16814)
• Add support for relocatable nushell activation script (#​17036)

Bug fixes

• Respect dropped (but explicit) indexes in dependency groups (#​17012)

Documentation

• Improve source-exclude reference docs (#​16832)
• Recommend UV_NO_DEV in Docker installs (#​17030)
• Update UV_VERSION in docs for GitLab CI/CD (#​17040)

v0.9.16

Compare Source

Released on 2025-12-06.

Python

• Add CPython 3.14.2
• Add CPython 3.13.11

Enhancements

• Add a 5m default timeout to acquiring file locks to fail faster on deadlock (#​16342)
• Add a stub debug subcommand to uv pip announcing its intentional absence (#​16966)
• Add bounds in uv add --script (#​16954)
• Add brew specific message for uv self update (#​16838)
• Error when built wheel is for the wrong platform (#​16074)
• Filter wheels from PEP 751 files based on --no-binary et al in uv pip compile (#​16956)
• Support --target and --prefix in uv pip list, uv pip freeze, and uv pip show (#​16955)
• Tweak language for build backend validation errors (#​16720)
• Use explicit credentials cache instead of global static (#​16768)
• Enable SIMD in HTML parsing (#​17010)

Preview features

• Fix missing preview warning in uv workspace metadata (#​16988)
• Add a uv auth helper --protocol bazel command (#​16886)

Bug fixes

• Fix Pyston wheel compatibility tags (#​16972)
• Allow redundant entries in tool.uv.build-backend.module-name but emit warnings (#​16928)
• Fix infinite loop in non-attribute re-treats during HTML parsing (#​17010)

Documentation

• Clarify --project flag help text to indicate project discovery (#​16965)
• Regenerate the crates.io READMEs on release (#​16992)
• Update Docker integration guide to prefer COPY over ADD for simple cases (#​16883)
• Update PyTorch documentation to include information about supporting CUDA 13.0.x (#​16957)
• Update the versioning policy (#​16710)
• Upgrade PyTorch documentation to latest versions (#​16970)

v0.9.15

Compare Source

Released on 2025-12-02.

Python

• Add CPython 3.14.1
• Add CPython 3.13.10

Enhancements

• Add ROCm 6.4 to --torch-backend=auto (#​16919)
• Add a Windows manifest to uv binaries (#​16894)
• Add LFS toggle to Git sources (#​16143)
• Cache source reads during resolution (#​16888)
• Include PEP 740 attestations when publishing uv to PyPI (#​16910)
• Allow reading requirements from scripts without an extension (#​16923)
• Allow reading requirements from scripts with HTTP(S) paths (#​16891)

Bug fixes

• Fix uv-trampoline-builder builds from crates.io by moving bundled executables (#​16922)
• Respect NO_COLOR and always show the command as a header when paging uv help output (#​16908)
• Use 0o666 permissions for flock files instead of 0o777 (#​16845)
• Revert "Bump astral-tl to v0.7.10 (#​16887)" to narrow down a regression causing hangs in metadata retrieval (#​16938)

Documentation

• Link to the uv version in crates.io member READMEs (#​16939)

v0.9.14

Compare Source

Released on 2025-12-01.

Performance

• Bump astral-tl to v0.7.10 to enable SIMD for HTML parsing (#​16887)

Bug fixes

• Allow earlier post releases with exclusive ordering (#​16881)
• Prefer updating existing .zshenv over creating a new one in tool update-shell (#​16866)
• Respect -e flags in uv add (#​16882)

Enhancements

• Attach subcommand to User-Agent string (#​16837)
• Prefer UV_WORKING_DIR over UV_WORKING_DIRECTORY for consistency (#​16884)

v0.9.13

Compare Source

Released on 2025-11-26.

Bug fixes

• Revert "Allow --with-requirements to load extensionless inline-metadata scripts" to fix reading of requirements files from streams (#​16861)
• Validate URL wheel tags against Requires-Python and required environments (#​16824)

Documentation

• Drop unpublished crates from the uv crates.io README (#​16847)
• Fix the links to uv in crates.io member READMEs (#​16848)

v0.9.12

Compare Source

Released on 2025-11-24.

Enhancements

• Allow --with-requirements to load extensionless inline-metadata scripts (#​16744)
• Collect and upload PEP 740 attestations during uv publish (#​16731)
• Prevent uv export from overwriting pyproject.toml (#​16745)

Documentation

• Add a crates.io README for uv (#​16809)
• Add documentation for intermediate Docker layers in a workspace (#​16787)
• Enumerate workspace members in the uv crate README (#​16811)
• Fix documentation links for crates (#​16801)
• Generate a crates.io README for uv workspace members (#​16812)
• Move the "Export" guide to the projects concept section (#​16835)
• Update the cargo install recommendation to use crates (#​16800)
• Use the word "internal" in crate descriptions (#​16810)

v0.9.11

Compare Source

Released on 2025-11-20.

Python

• Add CPython 3.15.0a2

See the python-build-standalone release notes for details.

Enhancements

• Add SBOM support to uv export (#​16523)
• Publish to crates.io (#​16770)

Preview features

• Add uv workspace list --paths (#​16776)
• Fix the preview warning on uv workspace dir (#​16775)

Bug fixes

• Fix uv init author serialization via toml_edit inline tables (#​16778)
• Fix status messages without TTY (#​16785)
• Preserve end-of-line comment whitespace when editing pyproject.toml (#​16734)
• Disable always-authenticate when running under Dependabot (#​16773)

Documentation

• Document the new behavior for free-threaded python versions (#​16781)
• Improve note about build system in publish guide (#​16788)
• Move do not upload publish note out of the guide into concepts (#​16789)

v0.9.10

Compare Source

Released on 2025-11-17.

Enhancements

• Add support for SSL_CERT_DIR (#​16473)
• Enforce UTF‑8-encoded license files during uv build (#​16699)
• Error when a project.license-files glob matches nothing (#​16697)
• pip install --target (and sync) install Python if necessary (#​16694)
• Account for python_downloads_json_url in pre-release Python version warnings (#​16737)
• Support HTTP/HTTPS URLs in uv python --python-downloads-json-url (#​16542)

Preview features

• Add support for --upgrade in uv python install (#​16676)
• Fix handling of python install --default for pre-release Python versions (#​16706)
• Add uv workspace list to list workspace members (#​16691)

Bug fixes

• Don't check file URLs for ambiguously parsed credentials (#​16759)

Documentation

• Add a "storage" reference document (#​15954)

pre-commit/mirrors-mypy (pre-commit/mirrors-mypy)

v1.19.0

Compare Source

pycqa/bandit (pycqa/bandit)

v1.9.2

Compare Source

What's Changed

• Argparse Python 3.14 enhancements by @​ericwb in PyCQA#1331
• Check whether Constant value is str by @​ericwb in PyCQA#1333

Full Changelog: PyCQA/bandit@1.9.1...1.9.2

v1.9.1

Compare Source

What's Changed

• More Python version related fixes by @​ericwb in PyCQA#1327

Full Changelog: PyCQA/bandit@1.9.0...1.9.1

v1.9.0

Compare Source

What's Changed

• Add instructions for Maintainers to create/publish a release by @​ericwb in PyCQA#1275
• Bump sigstore/cosign-installer from 3.9.1 to 3.9.2 by @​dependabot[bot] in PyCQA#1289
• Bump docker/login-action from 3.4.0 to 3.5.0 by @​dependabot[bot] in PyCQA#1290
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA#1291
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in PyCQA#1292
• Replace deprecated datetime.datetime.utcnow() by @​purplezimmermann in PyCQA#1295
• Bump actions/setup-python from 5 to 6 by @​dependabot[bot] in PyCQA#1296
• Bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by @​dependabot[bot] in PyCQA#1298
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA#1303
• Fix typos by @​Shortfinga in PyCQA#1305
• Bump docker/login-action from 3.5.0 to 3.6.0 by @​dependabot[bot] in PyCQA#1306
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA#1315
• Bump sigstore/cosign-installer from 3.10.0 to 4.0.0 by @​dependabot[bot] in PyCQA#1317
• Support of Python 3.14 by @​ericwb in PyCQA#1323
• Drop support of end-of-life Python 3.9 by @​ericwb in PyCQA#1325
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA#1324

New Contributors

• @​purplezimmermann made their first contribution in PyCQA#1295
• @​Shortfinga made their first contribution in PyCQA#1305

Full Changelog: PyCQA/bandit@1.8.6...1.9.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.