Skip to content

Sync uv.lock#578

Merged
kdeldycke merged 1 commit into
mainfrom
sync-uv-lock
May 25, 2026
Merged

Sync uv.lock#578
kdeldycke merged 1 commit into
mainfrom
sync-uv-lock

Conversation

@kdeldycke
Copy link
Copy Markdown
Owner

@kdeldycke kdeldycke commented Apr 29, 2026
edited
Loading

Description

Runs uv lock --upgrade to update transitive dependencies to their latest allowed versions. See the sync-uv-lock job documentation for details.

Updated packages

Resolved with exclude-newer cutoff: 2026-05-18.

Package Change Released
certifi 2026.2.252026.4.22 2026-04-22
click 8.3.28.3.3 2026-04-22
click-extra 7.13.07.16.1 2026-05-15
coverage 7.13.57.14.0 2026-05-10
lizard 1.21.61.22.1 2026-04-23
packaging 26.126.2 2026-04-24
pathspec 1.0.41.1.1 2026-04-27
propcache 0.4.10.5.2 2026-05-08
pydantic 2.13.32.13.4 2026-05-06
pydantic-core 2.46.32.46.4 2026-05-06
pydantic-settings 2.14.02.14.1 2026-05-08
pytz 2026.1.post12026.2 2026-05-04
repomatic 6.14.06.18.4 2026-05-14
sphinxcontrib-mermaid 2.0.12.0.2 2026-05-05
tomlkit 0.14.00.15.0 2026-05-10
types-pytz 2026.1.1.202604082026.2.0.20260518 2026-05-18
wcwidth 0.6.00.7.0 2026-05-02

Release notes

click

8.3.3

This is the Click 8.3.3 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/click/8.3.3/
Changes: https://click.palletsprojects.com/page/changes/#version-8-3-3
Milestone: https://redirect.github.com/pallets/click/milestone/30

  • Use :func:shlex.split to split pager and editor commands into argv
    lists for :class:subprocess.Popen, removing shell=True.
    #​1026 #​1477 #​2775
  • Fix TypeError when rendering help for an option whose default value is
    an object that doesn't support equality comparison with strings, such as
    semver.Version. #​3298 #​3299
  • Fix pager test pollution under parallel execution by using pytest's
    tmp_path fixture instead of a shared temporary file path. #​3238
  • Treat Sentinel.UNSET values in a default_map as absent, so they fall
    through to the next default source instead of being used as the value.
    #​3224 #​3240
  • Patch pdb.Pdb in CliRunner isolation so pdb.set_trace(),
    breakpoint(), and debuggers subclassing pdb.Pdb (ipdb, pdbpp) can
    interact with the real terminal instead of the captured I/O streams.
    #​654 #​824 #​843 #​951 #​3235
  • Add optional randomized parallel test execution using pytest-randomly and
    pytest-xdist to detect test pollution and race conditions. #​3151
  • Add contributor documentation for running stress tests, randomized
    parallel tests, and Flask smoke tests. #​3151 #​3177
  • Show custom show_default string in prompts, matching the existing
    help text behavior. #​2836 #​2837 #​3165 #​3262 #​3280
    #​3328
  • Fix default=True with boolean flag_value always returning the
    flag_value instead of True. The default=True to flag_value
    substitution now only applies to non-boolean flags, where True acts as a

... Full release notes

click-extra

v7.14.0

[!NOTE]
7.14.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add wrap subcommand: click-extra wrap SCRIPT [ARGS]... applies help colorization to any installed Click CLI without modifying its source. Supports --theme option and [tool.click-extra.wrap.<script>] config sections for persistent CLI defaults. Resolves SCRIPT via console_scripts entry points, module:function notation, .py file paths, or bare module names. Unknown subcommand names fall through to wrap automatically, so click-extra flask --help works without typing wrap. run is kept as an alias.
  • Add show-params subcommand: click-extra show-params SCRIPT [SUBCOMMAND]... introspects any external Click CLI's parameters and displays them as a table. Supports all --table-format renderings. Drills into nested subcommands. Auto-discovers the Click command when the entry point is a wrapper function.
  • Style Spec. column with option theme (cyan) and Python type with metavar theme (cyan dim) in both --show-params and show-params, matching help-screen conventions.
  • Add get_param_spec() and format_param_row() as public API in click_extra.parameters. get_param_spec() extracts option-spec strings and handles hidden-param unhiding. format_param_row() is the shared cell renderer for both --show-params and show-params tables.
  • Make ParamStructure.get_param_type() a @staticmethod. Returns str for unrecognised custom types instead of raising ValueError.
  • Replace render-matrix subcommand with individual colors, styles, palette, 8color, and gradient subcommands grouped under a "Demo" section. Remove the click-extra-demo entry point.
  • Move Sphinx tests into tests/sphinx/. Downstream packagers can skip them with --ignore=tests/sphinx without pulling in Sphinx dependencies.

... Full release notes

v7.14.1

[!NOTE]
7.14.1 is available on 🐍 PyPI and 🐙 GitHub.

  • Relax Click requirement back to 8.1. Replace ParameterSource ordered comparisons in ConfigOption with explicit set membership so the code works on both the regular Enum (Click 8.1/8.2) and the IntEnum (Click 8.3+).
  • Relax tabulate requirement back to 0.9. Backport the colon_grid format by aliasing it to grid at module load when tabulate < 0.10 is installed.

Full changelog: v7.14.0...v7.14.1

🛡️ VirusTotal scans

Binary Detections Analysis
click-extra-7.14.1-linux-arm64.bin 0 / 63 View scan
click-extra-7.14.1-linux-x64.bin 0 / 64 View scan
click-extra-7.14.1-macos-arm64.bin 4 / 62 View scan
click-extra-7.14.1-macos-x64.bin 2 / 63 View scan

... Full release notes

v7.15.0

[!NOTE]
7.15.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add opt-in 24-bit true-color rendering to the ANSI Pygments stack. Pass true_color=True to AnsiColorLexer, AnsiFilter, or any session lexer (like get_lexer_by_name("ansi-shell-session", true_color=True)) to preserve SGR 38;2;r;g;b and 48;2;r;g;b sequences as Token.Ansi.FG_{rrggbb} / Token.Ansi.BG_{rrggbb} tokens instead of quantizing them to the 256-color palette. AnsiHtmlFormatter renders those tokens as inline style="color: #rrggbb" / style="background-color: #rrggbb" spans. The default behavior (256-color quantization) is unchanged.
  • New click_extra.theme module centralizes all theme machinery: HelpExtraTheme, default_theme, nocolor_theme, OK, KO, ThemeOption, theme_option decorator, theme_registry, and register_theme(). Every click-extra command now accepts --theme [dark|light]; downstream consumers can extend the choice list via register_theme(). The active theme for a CLI run is stored in ctx.meta[context.THEME] by ThemeOption and retrieved via get_current_theme(), so back-to-back invocations in the same process (Sphinx builds, test runners, REPLs) no longer leak --theme choices into each other. The wrap subcommand reads the theme from the parent group's context rather than carrying its own --theme. Adds a corresponding docs/theme.md user guide. Breaking: downstream code importing theme symbols directly from click_extra.colorize must update to click_extra.theme; the canonical from click_extra import HelpExtraTheme path is unaffected.

... Full release notes

v7.16.0

[!NOTE]
7.16.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Theme system overhaul. Four branded palettes join the built-in catalog: solarized_dark (Ethan Schoonover), dracula (Zeno Rocha), nord (Arctic Ice Studio), and monokai (Wimer Hazenberg), hand-curated for the semantic roles click-extra exposes (option, metavar, choice, deprecated, envvar, …). The full catalog now ships as click_extra/themes.toml (a TOML data file) instead of Python subclasses, loaded at import time via importlib.resources for proper wheel/zipapp support. BUILTIN_THEMES is the single public dict of {name: HelpExtraTheme}; access individual palettes via BUILTIN_THEMES["dark"], BUILTIN_THEMES["solarized_dark"], etc. Adding a built-in theme is a one-file data edit: declare a [<name>] table with one inline-table per styled slot, no Python needed. Breaking: the click_extra.themes module is removed (import from click_extra or click_extra.theme); the six per-theme UPPER_CASE constants (DARK, DRACULA, LIGHT, MONOKAI, NORD, SOLARIZED_DARK) are removed (use BUILTIN_THEMES["<name>"] instead).
  • Breaking: default_theme module attribute replaced by the get_default_theme() / set_default_theme(theme) accessors. The previous module-attribute pattern silently froze whatever was bound at import time when consumers (e.g. ExtraVersionOption's style defaults) captured default_theme.invoked_command as a default function parameter, so later overrides via wrap.patch_click() didn't propagate. The function pair always observes the current value. click_extra.wrap.patch_click() now calls set_default_theme().

... Full release notes

v7.16.1

[!NOTE]
7.16.1 is available on 🐍 PyPI and 🐙 GitHub.

  • Fix ConfigOption mutating its cached params_template when merging user configuration. _recursive_update updates its first argument in place, so back-to-back invocations of the same CLI (Sphinx builds, test runners, REPLs) leaked keys set by an earlier --config into the current invocation's default_map. Both the --config load path and --validate-config now pass a deep copy of the template.

Full changelog: v7.16.0...v7.16.1

🛡️ VirusTotal scans

Binary Detections Analysis
click-extra-7.16.1-linux-arm64.bin 1 / 63 View scan
click-extra-7.16.1-linux-x64.bin 1 / 64 View scan
click-extra-7.16.1-macos-arm64.bin 1 / 62 View scan
click-extra-7.16.1-macos-x64.bin 0 / 63 View scan

... Full release notes

coverage

7.14.0

Version 7.14.0 — 2026-05-10

  • Feature: now when running one of the reporting commands, if there are parallel data files that need combining, they will be implicitly combined before creating the report. There is no option to avoid the combination; let us know if you have a use case that requires it. Thanks, Tim Hatch. Closes issue 1781.
  • Fix: the output from combine was too verbose, listing each file considered. Now it shows a single line with the counts of files combined, files skipped, and files with errors. The -q flag suppresses this line. The old detailed lines are available with the new --debug=combine option.
  • Fix: running a Python file through a symlink now sets the sys.path correctly, matching regular Python behavior. Fixes issue 2157.
  • Fix: Collector.flush_data could fail with “RuntimeError: Set changed size during iteration” when a tracer in another thread added a line to the per-file set that add_lines (or add_arcs) was iterating. The values passed to CoverageData are now snapshotted via dict.copy() and set.copy(), which are atomic under the GIL. Thanks, Alex Vandiver.
  • Fix: the soft keyword lazy is now bolded in HTML reports.
  • We are no longer testing eventlet support. Eventlet started issuing stern deprecation warnings that break our tests. Our support code is still there.

➡️  PyPI page: coverage 7.14.0.
➡️  To install: python3 -m pip install coverage==7.14.0

packaging

26.2

What's Changed

Fixes:

Documentation:

Internal:

New Contributors

Full Changelog: https://redirect.github.com/pypa/packaging/compare/26.1...26.2

pathspec

v1.1.0

Release v1.1.0. See CHANGES.rst.

v1.1.1

Release v1.1.1. See CHANGES.rst.

propcache

v0.5.2

0.5.0 and 0.5.1 were tagged earlier today but never reached PyPI: 0.5.0's deploy failed at cibuildwheel's post-build pytest on free-threaded armv7l musllinux (SIGBUS under QEMU emulation while importing the C extension), and 0.5.1's deploy hit a transient sigstore Rekor 502 during the attestation step. 0.5.2 is the first of the three to actually publish.

Features

  • Added support for newer type hints and remove Optional and Union from all annotations
    -- by :user:Vizonex

    Related issues and pull requests on GitHub:
    #​193.

Removals and backward incompatible breaking changes

  • Dropped support for Python 3.9 as it has reached end of life.

    Related issues and pull requests on GitHub:
    #​216.

Packaging updates and notes for downstreams

  • Changed the Cython build dependency from ~= 3.1.0 to >= 3.2.0,
    removing the upper version bound to avoid conflicts for downstream packagers
    -- by :user:jameshilliard and :user:gundalow.

    The upstream Cython version is pinned to 3.2.4 in the CI/CD environment.

    Related issues and pull requests on GitHub:
    #​184, #​188, #​214.

  • Start building and shipping riscv64 wheels
    -- by :user:justeph.

    Related issues and pull requests on GitHub:
    #​194.

  • The :pep:517 build backend now supports a new build-inplace
    config setting (and PROPCACHE_BUILD_INPLACE environment variable)
    for controlling whether to build the project in-tree or in a
    temporary directory. It only affects wheels and is set up to build
    in a temporary directory by default. It does not affect editable
    wheel builds; they will keep being built in-tree regardless.

    Here's an example of using this setting:

    .. code-block:: console

    $ python -m build --config-setting=build-inplace=true

    Additionally, when building wheels in an automatically created

... Full release notes

pydantic

v2.13.4

v2.13.4 (2026-05-06)

What's Changed

Packaging

  • Bump libc from 0.2.155 to 0.2.185 by @​Viicos in #​13109
  • Adapt pydantic-core linker flags on macOS by @​washingtoneg and @​Viicos in #​13147

Fixes

  • Preserve RootModel core metadata by @​Viicos in #​13129

Full Changelog: https://redirect.github.com/pydantic/pydantic/compare/v2.13.3...v2.13.4

pydantic-settings

v2.14.1

What's Changed

Full Changelog: https://redirect.github.com/pydantic/pydantic-settings/compare/v2.14.0...v2.14.1

repomatic

v6.15.0

[!NOTE]
6.15.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Set validate = false in the bundled mdformat.toml so mdformat-recover-urls decodes percent-encoded non-ASCII characters in link destinations back to their original form. Without this, anchor links with Chinese, accented, or other non-ASCII characters got rewritten to %XX sequences on every format-markdown run.
  • Add 💸/🆓 licensing markers to the awesome-list contributing guide, issue template, and PR template (English and Chinese mirrors). Tool, dataset, and project entries are now flagged with 💸 (commercial vendor selling a paid version on top of the OSS core) or 🆓 (fully open-source: foundation-governed, community-driven, corporate-OSS without a paid product, or support-only commercial model). Articles, papers, blog posts, news items, and curation lists remain unmarked. The two markers are mutually exclusive and the awesome-list entry format keeps awesome-lint-compatible - syntax.
  • Detect vulnerable dependencies from the GitHub Advisory Database in addition to the PyPA Advisory Database. The fix-vulnerable-deps job now unions uv audit and the repository's Dependabot alerts feed, deduplicates by (package, advisory_id), credits each entry's source(s) in the PR body, and shows the exclude-newer cooldown cutoff above the updated packages table so reviewers can confirm which upgrades required a cooldown bypass. Configurable via [tool.repomatic] vulnerable-deps.sources.

... Full release notes

v6.16.0

[!NOTE]
6.16.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add sphinx-docs agent to the agents component (deployed by repomatic init agents alongside grunt-qa and qa-engineer, or via [tool.repomatic] include = ["agents"]). The agent carries a canonical Sphinx extension set with notes on sphinx_click vs click_extra.sphinx, a standard octicon registry, governance rules for suppress_warnings/nitpick_ignore/linkcheck_ignore entries, the <!-- {feature}-{kind}-start --> auto-region marker convention, and a Sphinx cross-reference render test recipe. Drops sphinx_issues from the set: its :issue:/:pr:/:user:/:commit: roles render only inside Sphinx, appearing as raw role text in GitHub's repo browser, IDE previews, and PyPI descriptions; a Python migration script (covering MyST roles, reST roles, and cross-repo prefixed forms) and a matching sphinx-docs-sync audit category are included. docs/myst-docstrings.md documents the load-order failure mode (backtick-doubled :py:obj: roles) when repomatic.myst_docstrings loads after sphinx_autodoc_typehints.
  • Add three [tool.repomatic.workflow] configuration knobs for customizing paths: filters in generated thin callers and synced headers: extra-paths appends repo-specific entries (like install.sh, dotfiles/**) to every workflow's filter, ignore-paths strips canonical entries that don't exist downstream (like tests/**, uv.lock) by exact match, and paths keyed by workflow filename replaces a workflow's filter wholesale (skipping the other knobs and --source-paths for that filename).

... Full release notes

v6.17.0

[!NOTE]
6.17.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Fix parallel OSError: Lock for file .git/config did already exist test failures. tests/test_git_ops.py and tests/test_metadata.py share pytestmark = pytest.mark.xdist_group("git") so pydriller's Git(".") initialization (which acquires .git/config.lock on every call) is serialized to a single pytest-xdist worker. Add mypy_path = "docs" to [tool.mypy] so mypy resolves import docs_update in tests/test_readme.py against docs/docs_update.py.
  • Fix backslash-escaped brackets rendering literally in docs/configuration.md per-option **Type:** lines (like list\[dict[str, str]\]). The escape, needed only for raw GFM table cells in the repomatic show-config CLI output (where mdformat would otherwise interpret […] as a markdown link), was leaking into inline-code spans where backslashes are literal in CommonMark. _format_type now returns clean Python type strings; the new escape_type_for_gfm_table helper is applied only at the CLI rendering layer.
  • Add --template-file <path> and --template-arg KEY=VALUE flags to repomatic pr-body so downstream repos can render project-specific PR templates without forking repomatic. --template and --template-file are mutually exclusive. load_template, render_template, render_title, render_commit_message, and template_args now accept a {class}~pathlib.Path to read a template from disk in addition to a packaged-resource name. render_title returns an empty string instead of raising KeyError when the frontmatter defines no title.

... Full release notes

v6.18.1

[!NOTE]
6.18.1 is available on 🐍 PyPI and 🐙 GitHub.

  • Fix publish-pypi composite action attempting to verify build attestations on every file in the workflow workspace (including changelog.md, pyproject.toml, etc.) instead of just the downloaded distribution artifacts. The actions/download-artifact step now downloads to dist/ so the verification loop and uv publish only target the actual artifact files.

Full changelog: v6.18.0...v6.18.1

🛡️ VirusTotal scans

Binary Detections Analysis
repomatic-6.18.1-linux-arm64.bin 0 / 61 View scan
repomatic-6.18.1-linux-x64.bin 0 / 63 View scan
repomatic-6.18.1-macos-arm64.bin 4 / 62 View scan
repomatic-6.18.1-macos-x64.bin 1 / 61 View scan

... Full release notes

v6.18.2

[!NOTE]
6.18.2 is available on 🐍 PyPI and 🐙 GitHub.

  • Fix release.yaml uploading distributions to PyPI without PEP 740 attestations. The build job now signs each dist file with pypi-attestations sign (using the job's OIDC token via Sigstore), writing <dist>.publish.attestation sidecars directly into ./dist/ so the dist artifact carries its own attestations. The publish-pypi composite action shrinks to setup-uv → download artifact → uv publish dist/*. Replaces the previous actions/attest + GitHub-attestation-API flow for Python distributions: the Nuitka binary attestation flow is unchanged, and PyPI's PEP 740 provenance is now populated so the setup-guide check_pypi_trusted_publisher probe can confirm the trusted publisher is wired up. Removes the attestation-signer-repo input from the composite action and the separate attestation-<artifact-name> artifact: dist files and their .publish.attestation sidecars travel together in a single artifact and end up alongside each other on the GitHub release page.

Full changelog: v6.18.1...v6.18.2

🛡️ VirusTotal scans

Binary Detections Analysis
repomatic-6.18.2-linux-arm64.bin 0 / 62 View scan
repomatic-6.18.2-linux-x64.bin 0 / 61 View scan

... Full release notes

v6.18.3

[!NOTE]
6.18.3 is available on 🐍 PyPI and 🐙 GitHub.

  • Fix autofix.yaml setup-guide job being skipped on workflow_dispatch re-runs. The if: condition now allows both push and workflow_dispatch events instead of push only, so manual re-runs from the Actions UI re-evaluate the setup guide and update the issue accordingly.
  • Fix release.yaml publish-pypi job running against downstream callers and failing PyPI trusted publishing with a job_workflow_ref mismatch. The gate now uses github.repository == 'kdeldycke/repomatic' (which reflects the caller's repo under workflow_call) instead of github.event_name == 'push' (which stays push in both self-release and downstream contexts), so the upstream-only job is properly skipped when invoked from a downstream caller. Downstream repos publish through their own thin-caller publish-pypi job, which inherits the correct OIDC context.
  • Switch the compile-binaries job from --onefile to --mode=onefile, the documented spelling since Nuitka 4.0 (--onefile is now hidden but still accepted).

Full changelog: v6.18.2...v6.18.3

🛡️ VirusTotal scans

Binary Detections Analysis
repomatic-6.18.3-linux-arm64.bin 0 / 62 View scan
repomatic-6.18.3-linux-x64.bin 0 / 64 View scan

... Full release notes

v6.18.4

[!NOTE]
6.18.4 is available on 🐍 PyPI and 🐙 GitHub.

  • Replace the RepoScope.NON_AWESOME variant with PYTHON_ONLY, gating affected components on the presence of a PEP 621 [project].name in pyproject.toml (detected via the new repomatic.pyproject.is_python_project helper). Repos that carry pyproject.toml only for [tool.*] configuration (like dotfiles) are now classified as non-Python and skip Python-flavored components by default. RepoScope.matches() now takes both is_awesome and is_python traits. Existing entries are reclassified: codecov, publish-pypi-action, changelog.yaml, debug.yaml, release.yaml, and the generated changelog.md move to PYTHON_ONLY; renovate moves to ALL (Renovate is language-agnostic). Explicit CLI naming and [tool.repomatic] include continue to bypass scope, so a dotfiles repo can still opt into publish-pypi-action if needed.
  • Extend release_prep.freeze_workflow_urls and unfreeze_workflow_urls to walk non-symlink YAML files under repomatic/data/ in addition to .github/workflows/. The bundled release-publish-pypi-job.yaml fragment now participates in the @main@vX.Y.Z rewrite, so wheels built from a freeze commit ship with the pinned action ref baked in. Symlinks in the data dir are skipped to avoid double-processing. repomatic.github.workflow_sync._PUBLISH_PYPI_DEFAULT_ACTION_REF is now derived from DEFAULT_VERSION so the search string always matches the ref in the (possibly frozen) bundled fragment.
  • Bump Biome from 2.4.13 to 2.4.14 and Lychee from 0.24.1 to 0.24.2 in the tool registry.

... Full release notes

sphinxcontrib-mermaid

Changelog

tomlkit

0.15.0

What's Changed

New Contributors

... Full release notes

types-pytz

Changelog

wcwidth

0.7.0

  • New support for kitty text sizing protocol (OSC 66) in width() and clip().
  • New clip() parameter control_codes='parse', 'ignore', and 'strict'. clip()
    is now able to clip OSC 8 hyperlinks and OSC 66 text sizing sequences.
  • Improved clip() and width() to support horizontal cursor sequences (cub, cuf,
    hpa). Cursor-left (cub) or backspace (\b) now overwrites text. column_address
    (hpa) and carriage return (\r) are now parsed, and more values conditionally raise
    ValueError when control_codes='strict'.

PR's

Full Changelog: https://redirect.github.com/jquast/wcwidth/compare/0.6.0...0.7.0

Configuration

Relevant [tool.repomatic] options:

Important

If you suspect the PR content is outdated, click Run workflow to refresh it manually before merging.

Workflow metadata
Field Value
Trigger push
Actor @kdeldycke
Ref main
Commit 0f936a05
Job sync-uv-lock
Workflow autofix.yaml
Run #767.1

🏭 Generated with repomatic 6.20.0

@kdeldycke kdeldycke added the 🔗 dependencies Dependency changes label Apr 29, 2026
@kdeldycke kdeldycke self-assigned this Apr 29, 2026
@kdeldycke kdeldycke force-pushed the sync-uv-lock branch 8 times, most recently from 0e8cc30 to bf98769 Compare May 25, 2026 15:11
@kdeldycke kdeldycke merged commit f902b0a into main May 25, 2026
21 of 28 checks passed
@kdeldycke kdeldycke deleted the sync-uv-lock branch May 25, 2026 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@kdeldycke kdeldycke

Labels

🔗 dependencies Dependency changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kdeldycke