Bump the python group with 6 updates

[dependabot]

Bumps the python group with 6 updates:

Package	From	To
prek	0.3.6	0.3.8
ruff	0.15.7	0.15.8
toml-sort	0.24.3	0.24.4
ty	0.0.24	0.0.27
tox	4.50.3	4.52.0
tox-uv	1.33.4	1.34.0

Updates prek from 0.3.6 to 0.3.8

Release notes

Sourced from prek's releases.

0.3.8

Release Notes

Released on 2026-03-23.

Enhancements

• Add experimental language: deno support (#1516)
• Add pretty-format-json as builtin hook (#915)
• Add check-vcs-permalinks as builtin hook (#1842)
• Add check-illegal-windows-names as builtin hook (#1841)
• Add check-shebang-scripts-are-executable builtin hook (#1847)
• Add destroyed-symlinks builtin hook (#1851)
• Add file-contents-sorter as builtin hook (#1846)
• Add --all flag to prek uninstall (#1817)
• Improve file pattern parse errors (#1829)
• Validate uv binary after download (#1825)

Bug fixes

• Fix workspace-relative added file paths (#1852)
• Relax alias-anchor ratio check for check-yaml (#1839)

Contributors

• @​j178
• @​shaanmajid
• @​mvanhorn
• @​feliblo
• @​Tiryoh

Install prek 0.3.8

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/j178/prek/releases/download/v0.3.8/prek-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/j178/prek/releases/download/v0.3.8/prek-installer.ps1 | iex"

Install prebuilt binaries via Homebrew

brew install prek

... (truncated)

Changelog

Sourced from prek's changelog.

0.3.8

Released on 2026-03-23.

Enhancements

• Add experimental language: deno support (#1516)
• Add pretty-format-json as builtin hook (#915)
• Add check-vcs-permalinks as builtin hook (#1842)
• Add check-illegal-windows-names as builtin hook (#1841)
• Add check-shebang-scripts-are-executable builtin hook (#1847)
• Add destroyed-symlinks builtin hook (#1851)
• Add file-contents-sorter as builtin hook (#1846)
• Add --all flag to prek uninstall (#1817)
• Improve file pattern parse errors (#1829)
• Validate uv binary after download (#1825)

Bug fixes

• Fix workspace-relative added file paths (#1852)
• Relax alias-anchor ratio check for check-yaml (#1839)

Contributors

• @​j178
• @​shaanmajid
• @​mvanhorn
• @​feliblo
• @​Tiryoh

0.3.7

Due to a release process failure, this version was republished as 0.3.8.

Commits

• bb412c0 Bump version to 0.3.8 (#1858)
• 21de0b9 Fix permission for publish-npm
• 00e7be7 Clarify why check-illegal-windows-names stays builtin-only (#1857)
• 1dbec0c Bump version to 0.3.7 (#1856)
• ba62c04 Add pretty_format_json as builtin hook (#915)
• dbca904 Fix workspace-relative added file paths (#1852)
• 24f2d62 Add destroyed-symlinks builtin hook (#1851)
• fc529df Add check-shebang-scripts-are-executable builtin hook (#1847)
• addddb8 Add file-contents-sorter as builtin hook (#1846)
• cb3f71c Add check-vcs-permalinks as builtin hook (#1842)
• Additional commits viewable in compare view

Updates ruff from 0.15.7 to 0.15.8

Release notes

Sourced from ruff's releases.

0.15.8

Release Notes

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.8

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu
• @​mvanhorn

... (truncated)

Commits

• c2a8815 Release 0.15.8 (#24217)
• d444d52 [ty] Infer lambda expressions with Callable type context (#22633)
• 9622285 [ty] Autocomplete arguments if in arguments node (#24167)
• d812662 Use the release environment in publish-docs (#24214)
• eda2355 [ty] Show Final source in final assignment diagnostic (#24194)
• 929eb52 [ty] Enforce Final attribute assignment rules for annotated and augmented wri...
• 34998be [ty] Fix typo in comment (#24211)
• 560aca0 [ty] Minor simplifications to some benchmark code (#24209)
• 683bae5 [ty] Track non-terminal-call constraints in global scope (#23245)
• 4704c2a [ty] Remove unnecessary intermediate collection in `StaticClassLiteral::field...
• Additional commits viewable in compare view

Updates toml-sort from 0.24.3 to 0.24.4

Release notes

Sourced from toml-sort's releases.

Version 0.24.4

Changed

• Exclude lock files from pre-commit hooks

Changelog

Sourced from toml-sort's changelog.

0.24.4

Changed

• Exclude lock files from pre-commit hooks

Commits

• 2970ae9 bump changelog, update version
• 9d6181f Merge pull request #96 from xavier2k6/revise_workflows
• fd562ad Merge pull request #98 from jamesbraza/excluding-uv-lock
• b93ce25 Excluding lock files from pre-commit hooks
• 04f3ad5 Refactor workflows
• See full diff in compare view

Updates ty from 0.0.24 to 0.0.27

Release notes

Sourced from ty's releases.

0.0.27

Release Notes

Released on 2026-03-31.

Bug fixes

• Fix panic on debug builds when attempting to provide autocomplete suggestions for list[int]<CURSOR>() (#24167)
• Fix instance-attribute lookup in methods of protocol classes (#24213)
• Fix nested global and nonlocal lookups through forwarding scopes (#24279)
• Fix panic on list[Annotated[()]] (#24303)
• Fix stack overflow on type A = TypeIs[Callable[[], A]] (#24245)
• Use _cls as the name of the first argument for synthesized collections.namedtuple constructor methods (#24333)

LSP server

• Fix semantic token classification for properties accessed on instances (#24065)
• Grey out unused bindings in the editor (#23305)

Core type checking

• Add bidirectional type context for TypedDict get() defaults (#24231)
• Add bidirectional type context for TypedDict pop() defaults (#24229)
• Add support for functional TypedDict (#24174, #24331, #24295)
• Ban type qualifiers in PEP-695 type aliases (#24242)
• Enforce Final attribute assignment rules for annotated and augmented writes (#23880)
• Improve support for Callable type context (#23888)
• Infer lambda expressions with Callable type context (#22633)
• Don't incorrectly infer the type of a method as being a singleton type when it's accessed off an instance (#24039)
• Propagate type context through await expressions (#24256)
• Resolve union-likes in emitting union attribute errors (#24263)
• Show the user where the variable was declared as Final when emitting a diagnostic about a Final variable being reassigned (#24194)

Contributors

• @​carljm
• @​mvanhorn
• @​oconnor663
• @​ibraheemdev
• @​zanieb
• @​denyszhak
• @​Glyphack
• @​charliermarsh
• @​AlexWaygood

Install ty 0.0.27

Install prebuilt binaries via shell script

</tr></table> 

... (truncated)

Changelog

Sourced from ty's changelog.

0.0.27

Released on 2026-03-31.

Bug fixes

• Fix panic on debug builds when attempting to provide autocomplete suggestions for list[int]<CURSOR>() (#24167)
• Fix instance-attribute lookup in methods of protocol classes (#24213)
• Fix nested global and nonlocal lookups through forwarding scopes (#24279)
• Fix panic on list[Annotated[()]] (#24303)
• Fix stack overflow on type A = TypeIs[Callable[[], A]] (#24245)
• Use _cls as the name of the first argument for synthesized collections.namedtuple constructor methods (#24333)

LSP server

• Fix semantic token classification for properties accessed on instances (#24065)
• Grey out unused bindings in the editor (#23305)

Core type checking

• Add bidirectional type context for TypedDict get() defaults (#24231)
• Add bidirectional type context for TypedDict pop() defaults (#24229)
• Add support for functional TypedDict (#24174, #24331, #24295)
• Ban type qualifiers in PEP-695 type aliases (#24242)
• Enforce Final attribute assignment rules for annotated and augmented writes (#23880)
• Improve support for Callable type context (#23888)
• Infer lambda expressions with Callable type context (#22633)
• Don't incorrectly infer the type of a method as being a singleton type when it's accessed off an instance (#24039)
• Propagate type context through await expressions (#24256)
• Resolve union-likes in emitting union attribute errors (#24263)
• Show the user where the variable was declared as Final when emitting a diagnostic about a Final variable being reassigned (#24194)

Contributors

• @​carljm
• @​mvanhorn
• @​oconnor663
• @​ibraheemdev
• @​zanieb
• @​denyszhak
• @​Glyphack
• @​charliermarsh
• @​AlexWaygood

0.0.26

Released on 2026-03-26.

Bug fixes

... (truncated)

Commits

• 5c9e342 Bump version to 0.0.27 (#3185)
• e6a5731 Update actions/cache action to v5.0.4 (#3172)
• c47b982 Update prek dependencies (#3173)
• 657abcf Update astral-sh/setup-uv action to v8 (#3174)
• 9e582cb Fetch the cargo-dist binary directly instead of using the installer (#3160)
• d5c51ea docs: use content tabs (#3146)
• 9893776 Use the release environment in publish-docs (#3147)
• 9403051 Bump version to 0.0.26 (#3145)
• d60899a Bump version to 0.0.25 (#3125)
• db65b3e Update documentation to reflect type:ignore changes (#3121)
• Additional commits viewable in compare view

Updates tox from 4.50.3 to 4.52.0

Release notes

Sourced from tox's releases.

v4.52.0

What's Changed

• remove unsupported --remote flag from gh repo fork by @​rahuldevikar in tox-dev/tox#3908
• ✨ feat(config): support escaped dots in -x override keys by @​gaborbernat in tox-dev/tox#3910
• 🐛 fix(docs): auto-generate manpage from CLI parser by @​gaborbernat in tox-dev/tox#3911
• ✨ feat(runner): add PEP 723 inline script metadata support by @​gaborbernat in tox-dev/tox#3912

Full Changelog: tox-dev/tox@4.51.0...4.52.0

v4.51.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/tox#3896
• Add base_python_file config option by @​rahuldevikar in tox-dev/tox#3899
• prevent machine ISA from overriding explicit env factors by @​rahuldevikar in tox-dev/tox#3904
• 🐛 fix(config): fix handling of env_list in nested contexts by @​Daverball in tox-dev/tox#3905
• fix: enable persist-credentials for release workflow by @​rahuldevikar in tox-dev/tox#3907

New Contributors

• @​Daverball made their first contribution in tox-dev/tox#3905

Full Changelog: tox-dev/tox@4.50.3...4.51.0

Changelog

Sourced from tox's changelog.

Features - 4.52.0

• Add virtualenv-pep-723 runner that reads dependencies and Python version from :PEP:723 inline script metadata — no need to duplicate them in tox config - by :user:gaborbernat. (:issue:3897)
• Support escaped dots (\.) in -x/--override keys, allowing overrides to target environments with dots in their names such as py3.14 - by :user:gaborbernat. (:issue:3910)

Bug fixes - 4.52.0

• Auto-generate the manpage from the CLI argparse parser at wheel build time, fixing broken section headers and documenting all commands and options - by :user:gaborbernat. (:issue:3878)

Miscellaneous internal changes - 4.52.0

• Remove unsupported --remote flag from gh repo fork in the update-schemastore workflow, as recent versions of gh no longer accept it - by :user:rahuldevikar. (:issue:3908)

---

v4.51.0 (2026-03-27)

---

Features - 4.51.0

• Add base_python_file configuration option to read the base Python version from a file (e.g. .python-version), similar to GitHub Actions' python-version-file - by :user:rahuldevikar (:issue:3894)

Bug fixes - 4.51.0

• Prevent implicit machine ISA (e.g. arm64, x86_64) from overriding explicit architecture factors in environment names, fixing cross-architecture conflicts in multiline factor conditionals - by :user:rahuldevikar. (:issue:3903)
• Nested environment list configuration values are now properly parsed, validated and expanded by the TOML parser. This allows you to use generative environment lists in tox-gh via the TOML format. Previously this was only possible with the INI format. - by :user:Daverball (:issue:3905)

Miscellaneous internal changes - 4.51.0

• Enable persist-credentials: true in the actions/checkout step of the prepare-release workflow so that git push operations succeed during automated releases - by :user:rahuldevikar. (:issue:3907)

---

v4.50.3 (2026-03-20)

---

Commits

• d83d577 release 4.52.0
• da0f890 ✨ feat(runner): add PEP 723 inline script metadata support (#3912)
• b232d2d 🐛 fix(docs): auto-generate manpage from CLI parser (#3911)
• 84958f7 [pre-commit.ci] pre-commit autoupdate (#3909)
• 15d9ac0 ✨ feat(config): support escaped dots in -x override keys (#3910)
• 0eda3a2 remove unsupported --remote flag from gh repo fork (#3908)
• 5f1ec1a release 4.51.0
• b5f9b13 fix: enable persist-credentials for release workflow (#3907)
• 8c9c199 🐛 fix(config): fix handling of env_list in nested contexts (#3905)
• 451aa9c prevent machine ISA from overriding explicit env factors (#3904)
• Additional commits viewable in compare view

Updates tox-uv from 1.33.4 to 1.34.0

Release notes

Sourced from tox-uv's releases.

1.34.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/tox-uv#317
• ✨ feat(runner): add PEP 723 inline script metadata support by @​gaborbernat in tox-dev/tox-uv#319

Full Changelog: tox-dev/tox-uv@1.33.4...1.34.0

Commits

• d9b72cf ✨ feat(runner): add PEP 723 inline script metadata support (#319)
• 0215281 [pre-commit.ci] pre-commit autoupdate (#318)
• 4deee33 🔒 ci(workflows): add zizmor security auditing (#317)
• 60d1fd6 [pre-commit.ci] pre-commit autoupdate (#316)
• 93eecc2 [pre-commit.ci] pre-commit autoupdate (#315)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions