build(deps): bump pre-commit from 4.5.1 to 4.6.0 #20861

Merged: cmmarslender merged 1 commit into main from dependabot/pip/pre-commit-4.6.0 on May 22, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github May 5, 2026

Bumps pre-commit from 4.5.1 to 4.6.0.

Release notes

Sourced from pre-commit's releases.

pre-commit v4.6.0

Features

  • pre-commit hook-impl: allow --hook-dir to be missing to enable easier usage with git 2.54+ git hooks.

Fixes

Changelog

Sourced from pre-commit's changelog.

4.6.0 - 2026-04-21

Features

  • pre-commit hook-impl: allow --hook-dir to be missing to enable easier usage with git 2.54+ git hooks.

Fixes

Commits
  • f35134b v4.6.0
  • 2a51ffc Merge pull request #3662 from pre-commit/hook-impl-optional-hook-dir
  • d7dee32 make --hook-dir optional for hook-impl
  • 965aeb1 Merge pull request #3661 from pre-commit/hook-impl-required
  • 2eacc06 --hook-type is required for hook-impl
  • f5678bf Merge pull request #3657 from pre-commit/pre-commit-ci-update-config
  • 054cc5b [pre-commit.ci] pre-commit autoupdate
  • 5c0f302 Merge pull request #3652 from pre-commit/pre-commit-ci-update-config
  • a5d9114 [pre-commit.ci] pre-commit autoupdate
  • 129a1f5 Merge pull request #3641 from pre-commit/mxr-patch-1
  • Additional commits viewable in compare view


Note

Low Risk
Low risk dev-tooling change: updates the optional pre-commit dependency and lockfile without affecting runtime code paths.

Overview
Updates the optional dev dependency pre-commit from 4.5.1 to 4.6.0 by tightening the version constraint in pyproject.toml.

Regenerates poetry.lock to reflect the new pre-commit artifact hashes and updated lock metadata (content-hash).

Reviewed by Cursor Bugbot for commit 888da4a. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added the Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels May 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 5, 2026 20:30
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file), python (Pull requests that update Python code) and Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog) labels May 5, 2026

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit aed4f915f53cb701ccd9d65303690dcb45d01640. Configure here.

Comment thread pyproject.toml

github-actions Bot commented May 5, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verdict: benign

Why this looks safe

  • Upstream is normal: The diff range matches the official pre-commit v4.6.0 release; changes are centered on hook-impl CLI flags (--hook-dir optional for Git 2.54+ hooks, --hook-type required)—behavior you’d expect from the public changelog, not a supply-chain pivot.

  • Scanner report supports that interpretation: No Unicode, confusable-character, or IOC hits. “Shell/process spawn” hits are subprocess use in hook_impl.py—core, long-standing behavior for a tool that runs git and hook commands. Treat those as expected noise, not indicators of compromise.

  • False positives / heuristics:

    • typosquatting_indicator on @mattp-. in upstream CHANGELOG.md is a username with a hyphen, not typosquatting.
    • maintainer_drift on 4.5.1->4.6.0 is version churn, not evidence the package changed maintainers.
  • No red flags from your checklist: Nothing in the supplied report points to obfuscation, encoded payloads, odd hosts, persistence paths, or suspicious npm lifecycle scripts (this is PyPI / Poetry, not npm). New upstream test/config edits in the pre-commit repo are consistent with a routine release, not with a trojaned dependency drop.

Actionable note for reviewers: If the chia-blockchain PR itself touches .github/workflows/ or unrelated files beyond pyproject.toml / poetry.lock (and maybe docs), re-check that file list—but the upstream hook-impl / subprocess findings alone are not suspicious.

Compatibility Analysis

Tracing how pre-commit is declared and invoked in this repo and whether changes to hook-impl affect those paths.

1) Where pre-commit shows up (chia-blockchain, excluding .upstream-dependency / scan artifacts)

| Area | Role |
|---|---|
| pyproject.toml | Optional dev extra: pre-commit pinned (in your tree: >=4.6.0). |
| poetry.lock | Resolved version for that optional dependency (and transitive mentions in other packages’ extras). |
| .github/workflows/pre-commit.yml | CI installs dev deps, then runs pre-commit run --all-files --verbose. |
| .pre-commit-config.yaml | Hook repos and revisions (normal config; not tied to hook-impl CLI). |
| CONTRIBUTING.md | Tells contributors to install/use pre-commit / pre-commit install. |
| chia/_tests/build-init-files.py, chia/_tests/check_sql_statements.py | Comments only; no programmatic API use. |

There are no tracked custom shell hooks under a repo hooks/ tree; nothing in this repo invokes pre-commit hook-impl by name.


2) Overlap with 4.6.0 behavior

Release changes are only for the pre-commit hook-impl subcommand: optional --hook-dir, --hook-type required.

This repo’s documented and CI path is pre-commit run (plus typical local pre-commit install), which does not match that surface. There is no in-tree Python import pre_commit (only in the vendored .upstream-dependency mirror).

Conclusion: usage sites do not intersect the changed CLI in any identifiable way.


3) Risks / unknowns

  • Hand-written git hooks that call pre-commit hook-impl without --hook-type could fail after upgrade (unlikely given standard pre-commit install templates; not present in-repo).
  • Lockfile + pyproject should stay consistent on the PR (Dependabot usually updates both); mismatch would be a workflow issue, not a pre-commit API issue.
  • No release-note signal of Python-version or hook-config format breaks for this minor bump.

4) Recommendation

Merge — tooling-only bump; 4.6.0 changes target an internal/advanced entrypoint this project does not use in CI or tracked automation. Green pre-commit workflow on the PR is sufficient validation.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 8
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 8a0630ca1aa7f6d5665effe674ebe2022af17919..f35134b05028ec938ac605ae500fdf95462655d3
  • Resolved refs: from=8a0630ca1aa7f6d5665effe674ebe2022af17919 to=f35134b05028ec938ac605ae500fdf95462655d3
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 11

Top findings

  • pre_commit/commands/hook_impl.py:5 shell_process_spawn :: import subprocess
  • pre_commit/commands/hook_impl.py:46 shell_process_spawn :: return subprocess.run(cmd, input=stdin).returncode, stdin
  • pre_commit/commands/hook_impl.py:117 shell_process_spawn :: return not subprocess.call(('git', 'rev-list', '--quiet', rev))
  • pre_commit/commands/hook_impl.py:143 shell_process_spawn :: ancestors = subprocess.check_output((
  • pre_commit/commands/hook_impl.py:152 shell_process_spawn :: roots = set(subprocess.check_output(cmd).decode().splitlines())
  • pre_commit/commands/hook_impl.py:164 shell_process_spawn :: source = subprocess.check_output(rev_cmd).decode().strip()
  • tests/commands/hook_impl_test.py:3 shell_process_spawn :: import subprocess
  • tests/commands/hook_impl_test.py:94 shell_process_spawn :: with mock.patch.object(subprocess, 'run', call):
  • CHANGELOG.md:1476 shell_process_spawn :: - pre-commit run --files ... no longer runs a subprocess per file
  • CHANGELOG.md:414 typosquatting_indicator :: - #2564 PR by @mattp-.
  • pre-commit:0 maintainer_drift :: 4.5.1->4.6.0
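An added example, not code from the PR, from Cursor's tooling or from pre-commit itself: a small Python triage that applies the three false-positive explanations the comment above gives (hits in non-code files, subprocess use in the hook runner's own modules, maintainer_drift on a single semver step) to the scanner's own finding lines and escalates anything else. The EXPECTED_SPAWN_PATHS allowlist, the NON_CODE_SUFFIXES tuple and the constructed setup.py line are assumptions of the example.

```python
"""Triage scanner 'Top findings' lines (<path>:<line> <rule> :: <snippet>)
with the false-positive reasoning the review comments give, escalating
anything that does not fit those three explanations."""
from __future__ import annotations

import re
from dataclasses import dataclass

FINDING_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+)\s+(?P<rule>\w+)\s+::\s+(?P<snippet>.*)$"
)
VERSION_STEP_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)->(\d+)\.(\d+)\.(\d+)$")
# Files where a textual match cannot execute (assumption for this example).
NON_CODE_SUFFIXES = (".md", ".rst", ".txt")
# Modules whose documented job is to spawn git/hook processes (assumption).
EXPECTED_SPAWN_PATHS = frozenset({
    "pre_commit/commands/hook_impl.py",
    "tests/commands/hook_impl_test.py",
})


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def parse_finding(text: str) -> Finding:
    """Parse one scanner line; reject anything that does not fit the format."""
    m = FINDING_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised finding line: {text!r}")
    return Finding(m["path"], int(m["line"]), m["rule"], m["snippet"])


def is_single_semver_step(step: str) -> bool:
    """True when exactly one of major/minor/patch advances by 1 and lower parts reset."""
    m = VERSION_STEP_RE.match(step)
    if m is None:
        return False
    n = [int(x) for x in m.groups()]
    old, new = (n[0], n[1], n[2]), (n[3], n[4], n[5])
    return new in {(old[0] + 1, 0, 0), (old[0], old[1] + 1, 0), (old[0], old[1], old[2] + 1)}


def triage(f: Finding) -> tuple[str, str]:
    """Return (disposition, reason); disposition is 'noise' or 'escalate'."""
    if f.path.endswith(NON_CODE_SUFFIXES):
        return "noise", "match is in documentation text, not executable code"
    if f.rule == "maintainer_drift":
        if is_single_semver_step(f.snippet):
            return "noise", "single semver step; not evidence of a publisher change"
        return "escalate", "version jump is not a single step; check release history"
    if f.rule == "shell_process_spawn" and f.path in EXPECTED_SPAWN_PATHS:
        return "noise", "subprocess use is the documented job of this module"
    return "escalate", f"{f.rule} outside the expected-noise allowlist"


def summarize(lines: list[str]) -> dict[str, list[str]]:
    """Group finding lines by disposition so reviewers see only what needs eyes."""
    out: dict[str, list[str]] = {"noise": [], "escalate": []}
    for text in lines:
        out[triage(parse_finding(text))[0]].append(text)
    return out


# The 11 finding lines from the scan summary above, plus one constructed line
# (a spawn in setup.py) that the rules must not wave through.
SAMPLE_FINDINGS = [
    "pre_commit/commands/hook_impl.py:5 shell_process_spawn :: import subprocess",
    "pre_commit/commands/hook_impl.py:46 shell_process_spawn :: return subprocess.run(cmd, input=stdin).returncode, stdin",
    "pre_commit/commands/hook_impl.py:117 shell_process_spawn :: return not subprocess.call(('git', 'rev-list', '--quiet', rev))",
    "pre_commit/commands/hook_impl.py:143 shell_process_spawn :: ancestors = subprocess.check_output((",
    "pre_commit/commands/hook_impl.py:152 shell_process_spawn :: roots = set(subprocess.check_output(cmd).decode().splitlines())",
    "pre_commit/commands/hook_impl.py:164 shell_process_spawn :: source = subprocess.check_output(rev_cmd).decode().strip()",
    "tests/commands/hook_impl_test.py:3 shell_process_spawn :: import subprocess",
    "tests/commands/hook_impl_test.py:94 shell_process_spawn :: with mock.patch.object(subprocess, 'run', call):",
    "CHANGELOG.md:1476 shell_process_spawn :: - pre-commit run --files ... no longer runs a subprocess per file",
    "CHANGELOG.md:414 typosquatting_indicator :: - #2564 PR by @mattp-.",
    "pre-commit:0 maintainer_drift :: 4.5.1->4.6.0",
    "setup.py:12 shell_process_spawn :: subprocess.run(cmd, shell=True)",  # constructed
]

if __name__ == "__main__":
    for disposition, items in summarize(SAMPLE_FINDINGS).items():
        print(f"{disposition}: {len(items)}")
```

Run on the page's 11 lines the block reports all of them as noise and only the constructed setup.py spawn as escalate, which matches the comment's manual verdict.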

@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from aed4f91 to 763f831 Compare May 6, 2026 16:32

coveralls-official Bot commented May 6, 2026

Coverage Report for CI Build 26267552263

Warning

No base build found for commit 43df2fa on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 91.472%

Details

  • Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 122097
Covered Lines: 111863
Line Coverage: 91.62%
Relevant Branches: 12036
Covered Branches: 10831
Branch Coverage: 89.99%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls

@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 13, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from 763f831 to cebf71b Compare May 13, 2026 14:35
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 13, 2026

github-actions Bot commented May 13, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the dependency update and upstream changes for supply-chain risk.
Verdict: benign

This is a low-risk, patch-level bump of an optional dev dependency with no supply-chain red flags.

Scanner vs. manual review: The malware scan returned warn, but all 11 heuristic hits are false positives for this package. There were 0 Unicode/confusable/IOC findings. I agree with that interpretation—the warnings do not indicate compromise.

What changed (upstream 4.5.1 → 4.6.0):

  • Only 8 files, +34/−8 lines; core logic change is making --hook-dir optional for Git 2.54+ hooks and requiring --hook-type in hook-impl.
  • No new install_requires; same 5 transitive deps (cfgv, identify, nodeenv, pyyaml, virtualenv).
  • Same maintainer metadata (Anthony Sottile / pre-commit/pre-commit).

Checklist highlights:

| Category | Assessment |
|---|---|
| Obfuscation / eval / encoded payloads | None in diff |
| Unexpected network / exfiltration | None; only existing GitHub issue URL in error text |
| Suspicious subprocess usage | Pre-existing and expected for a git-hooks runner; new code only adds an early return when hook_dir is None |
| Unicode / GlassWorm | Scanner: 0 findings |
| Dependency integrity | Semver minor bump with matching tag f35134b; PyPI lock hashes present; no new transitive deps |
| Dependabot context | Chia PR scope is pyproject.toml + poetry.lock only; no node_modules/vendor changes; no new install scripts; no Chia .github/workflows changes |

Heuristic noise explained:

  • subprocess hits in hook_impl.py — normal for running git and legacy hook scripts.
  • CHANGELOG.md subprocess/typosquat hits — historical changelog text (@mattp-.), not executable code.
  • maintainer_drift: 4.5.1->4.6.0 — version bump detection, not publisher impersonation.

Recommendation: Approve from a supply-chain perspective. CI passing on the existing pre-commit run --all-files workflow is sufficient validation; no extra malware-specific follow-up needed.

Compatibility Analysis

Analyzing how this repo uses pre-commit and whether v4.6.0 changes affect those usage sites.

Compatibility & adoption — pre-commit 4.5.1 → 4.6.0

1) Where it’s used

| Surface | Role |
|---|---|
| pyproject.toml | Optional dev extra: pre-commit = { version = ">=4.6.0", optional = true } |
| poetry.lock | Locked to 4.6.0 (dev group only) |
| .pre-commit-config.yaml | Hook definitions (ruff, local scripts, mirror repos); does not pin the Python package version |
| .github/workflows/pre-commit.yml | CI: pre-commit run --all-files --verbose after dev venv install |
| CONTRIBUTING.md | Documents pre-commit run and pre-commit install for contributors |
| chia/_tests/check_sql_statements.py, build-init-files.py | Comments only — run as hooks, not as imports of the package |

Not used: production/runtime install path, no import pre_commit in application code.

2) Intersection with 4.6.0 API changes

Upstream 4.6.0 only changes the internal pre-commit hook-impl CLI:

  • --hook-type is now required
  • --hook-dir is optional (Git 2.54+ hook layout)

This repo does not call hook-impl directly (no scripts/workflows reference it).

Relevant paths Chia actually uses:

| Command | Touches changed API? |
|---|---|
| pre-commit run (CI + docs) | No — unchanged |
| pre-commit install (docs) | Indirect — install writes hooks that already pass --hook-type and --hook-dir via hook-tmpl / install_uninstall.py in upstream 4.6.0 |

Generated hook shape (upstream): ARGS=(hook-impl --config=... --hook-type=pre-commit) plus template line ARGS+=(--hook-dir "$HERE" -- "$@"). That remains valid on 4.6.0; optional --hook-dir is additive for newer Git, not a breaking change for existing installs.

3) Risks / unknowns

| Risk | Level |
|---|---|
| Production / node runtime impact | None — dev-only optional dependency |
| CI regression | Low — same pre-commit run entrypoint; confirm 🚨 pre-commit workflow is green on the PR |
| Custom/manual hook-impl wrappers omitting --hook-type | Very low — would fail on 4.6.0; not present in this repo |
| Transitive deps | Unchanged — same five deps (cfgv, identify, nodeenv, pyyaml, virtualenv) |
| .pre-commit-config.yaml in scan “changed files” | Likely incidental to review tooling, not required for this package bump |

4) Recommendation

Merge.

Patch-level, dev-only bump; release notes affect an internal subcommand this repo does not invoke. Primary validation: green pre-commit GitHub Actions job on PR #20861. No code changes expected beyond pyproject.toml / poetry.lock (already at >=4.6.0 / 4.6.0 in this tree). Contributors on Git 2.54+ may benefit from optional --hook-dir; existing pre-commit install hooks keep working.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 8
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 8a0630ca1aa7f6d5665effe674ebe2022af17919..f35134b05028ec938ac605ae500fdf95462655d3
  • Resolved refs: from=8a0630ca1aa7f6d5665effe674ebe2022af17919 to=f35134b05028ec938ac605ae500fdf95462655d3
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 11

Top findings

  • pre_commit/commands/hook_impl.py:5 shell_process_spawn :: import subprocess
  • pre_commit/commands/hook_impl.py:46 shell_process_spawn :: return subprocess.run(cmd, input=stdin).returncode, stdin
  • pre_commit/commands/hook_impl.py:117 shell_process_spawn :: return not subprocess.call(('git', 'rev-list', '--quiet', rev))
  • pre_commit/commands/hook_impl.py:143 shell_process_spawn :: ancestors = subprocess.check_output((
  • pre_commit/commands/hook_impl.py:152 shell_process_spawn :: roots = set(subprocess.check_output(cmd).decode().splitlines())
  • pre_commit/commands/hook_impl.py:164 shell_process_spawn :: source = subprocess.check_output(rev_cmd).decode().strip()
  • tests/commands/hook_impl_test.py:3 shell_process_spawn :: import subprocess
  • tests/commands/hook_impl_test.py:94 shell_process_spawn :: with mock.patch.object(subprocess, 'run', call):
  • CHANGELOG.md:1476 shell_process_spawn :: - pre-commit run --files ... no longer runs a subprocess per file
  • CHANGELOG.md:414 typosquatting_indicator :: - #2564 PR by @mattp-.
  • pre-commit:0 maintainer_drift :: 4.5.1->4.6.0

@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from cebf71b to b5b536c Compare May 18, 2026 16:36
@github-actions github-actions Bot added merge_conflict (Branch has conflicts that prevent merge to main) and removed merge_conflict (Branch has conflicts that prevent merge to main) labels May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from b5b536c to cb0f85f Compare May 18, 2026 21:56
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 18, 2026
@emlowe emlowe removed the Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog) label May 19, 2026
emlowe previously approved these changes May 19, 2026
@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from cb0f85f to 8dafcdb Compare May 19, 2026 15:00
@github-actions github-actions Bot added merge_conflict (Branch has conflicts that prevent merge to main) and removed merge_conflict (Branch has conflicts that prevent merge to main) labels May 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from 8dafcdb to 9df0e52 Compare May 19, 2026 20:17
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 19, 2026
emlowe previously approved these changes May 19, 2026
@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 19, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from 9df0e52 to 052a0df Compare May 19, 2026 23:32
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 19, 2026
emlowe previously approved these changes May 20, 2026
@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 20, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from 052a0df to da78c33 Compare May 20, 2026 16:53
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 20, 2026

emlowe commented May 20, 2026

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from da78c33 to dd2c67e Compare May 20, 2026 23:33

github-actions Bot commented May 20, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how this repo pins and uses pre-commit, and inspecting the upstream 4.5.1→4.6.0 diff for supply-chain risk.
Verdict: benign

This is a routine patch bump (4.5.1 → 4.6.0) of the official pre-commit/pre-commit package with no signs of compromise.

PR scope (chia-blockchain): Only dev dependency pins change — pyproject.toml (>=4.6.0) and poetry.lock (resolved to 4.6.0 with standard PyPI sha256 hashes). No new transitive dependencies; same five deps (cfgv, identify, nodeenv, pyyaml, virtualenv). No changes to .github/workflows/, .pre-commit-config.yaml, or application code.

Upstream delta (8 files, +34/−8 lines): The functional change is narrowly scoped to pre-commit hook-impl for Git 2.54+ compatibility:

  • hook_dir becomes optional (str | None); when None, returns early without running legacy hooks.
  • --hook-type is now required in argparse.
  • Matching unit tests added. No new network calls, obfuscation, persistence, or credential handling in the diff.

Checklist review:

| Category | Result |
|---|---|
| Obfuscation / eval / encoded payloads | None in diff |
| Unexpected network / exfiltration | None added |
| FS writes to startup/persistence | None |
| Process spawning | subprocess usage in hook_impl.py is pre-existing (git + legacy hooks); new code skips subprocess when hook_dir is None |
| Unicode / GlassWorm / Trojan Source | Scanner: 0 unicode, confusable, IOC findings |
| Typosquatting | False positive (@mattp-. in old CHANGELOG line) |
| npm lifecycle scripts | N/A (Python package) |
| Transitive dependency graph change | None |
| Lockfile integrity | Valid PyPI hashes for pre_commit-4.6.0 wheel/sdist |
| Version integrity | Single semver step; tag v4.6.0 matches release notes and commit history |
| Maintainer drift | False positive — scanner flagged routine 4.5.1→4.6.0 bump via npm-oriented heuristic on a PyPI package |
| Suspicious workflow changes in consumer PR | None |

Scanner disagreement: All 11 heuristic warn findings are false positives for this update. The shell_process_spawn hits flag legitimate, long-standing subprocess usage in a git-hook tool (and one unrelated historical CHANGELOG line). The maintainer_drift hit is expected on any version bump. Scanner status warn reflects heuristic noise, not evidence of malware.

Chia impact: CI runs pre-commit run --all-files --verbose (.github/workflows/pre-commit.yml); it does not invoke hook-impl directly. The upstream change is low-risk and aligns with documented release notes from @asottile.

Recommendation: Approve from a supply-chain perspective. Confirm the repo’s pre-commit CI job passes on the PR branch as the practical validation step.

Compatibility Analysis

Reviewing how this repo uses pre-commit and whether the 4.6.0 changes affect those usage sites.

Compatibility & adoption analysis — pre-commit 4.5.1 → 4.6.0

1) Where it’s used

| Location | Usage |
|---|---|
| pyproject.toml | Optional dev dependency (pre-commit = { version = ">=4.6.0", ... }) |
| poetry.lock | Locked at 4.6.0 (same five transitive deps: cfgv, identify, nodeenv, pyyaml, virtualenv) |
| .pre-commit-config.yaml | Hook definitions (local system hooks + mirrors for prettier/shfmt/pre-commit-hooks) |
| .github/workflows/pre-commit.yml | CI: pre-commit run --all-files --verbose on Linux/macOS/Windows × Python 3.10–3.14 |
| CONTRIBUTING.md | Docs for pre-commit run / pre-commit install |
| App/test code | No import pre_commit or direct CLI calls beyond comments in hook scripts |

Pre-commit is a dev/CI-only CLI tool here, not a runtime dependency.

2) Intersection with 4.6.0 API changes

Upstream delta (8 files, +34/−8) is entirely scoped to the internal hook-impl subcommand:

  • --hook-dir optional (Git 2.54+ native hooks)
  • --hook-type now required when invoking hook-impl directly

Repo usage vs. changed surface:

| This repo’s path | Touches changed API? |
|---|---|
| pre-commit run --all-files (CI) | No; run unchanged |
| .pre-commit-config.yaml | No — config schema unchanged |
| pre-commit install (contributor docs) | No; install_uninstall.py already emits --hook-type=... in generated git hooks |
| Direct pre-commit hook-impl ... | Not used anywhere in repo |

No usage sites intersect with the changed APIs.

3) Risks / unknowns

  • CI (pre-commit run): Very low risk; primary validation path is unchanged.
  • Local git hooks: Low risk; pre-commit install already passes --hook-type. Developers on Git 2.54+ may actually benefit from optional --hook-dir.
  • Manual hook-impl without --hook-type: Would now fail — not a repo pattern.
  • Hook behavior / config: No breaking changes to hook execution, languages, or .pre-commit-config.yaml format in this release.
  • Python version: 4.6.0 requires >=3.10; matches project matrix.
  • Residual unknown: Full matrix CI (9 OS/arch/Python combos) is the real gate; no functional reason to expect regressions from this patch.

4) Recommendation: merge

Routine patch bump with changes isolated to an internal subcommand this repo never calls directly. Primary usage (pre-commit run in CI) and contributor workflow (pre-commit install) are unaffected. No config or workflow changes required.

Test plan: Confirm the existing 🚨 pre-commit workflow passes on the PR branch (that is sufficient validation).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 8
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 8a0630ca1aa7f6d5665effe674ebe2022af17919..f35134b05028ec938ac605ae500fdf95462655d3
  • Resolved refs: from=8a0630ca1aa7f6d5665effe674ebe2022af17919 to=f35134b05028ec938ac605ae500fdf95462655d3
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 11

Top findings

  • pre_commit/commands/hook_impl.py:5 shell_process_spawn :: import subprocess
  • pre_commit/commands/hook_impl.py:46 shell_process_spawn :: return subprocess.run(cmd, input=stdin).returncode, stdin
  • pre_commit/commands/hook_impl.py:117 shell_process_spawn :: return not subprocess.call(('git', 'rev-list', '--quiet', rev))
  • pre_commit/commands/hook_impl.py:143 shell_process_spawn :: ancestors = subprocess.check_output((
  • pre_commit/commands/hook_impl.py:152 shell_process_spawn :: roots = set(subprocess.check_output(cmd).decode().splitlines())
  • pre_commit/commands/hook_impl.py:164 shell_process_spawn :: source = subprocess.check_output(rev_cmd).decode().strip()
  • tests/commands/hook_impl_test.py:3 shell_process_spawn :: import subprocess
  • tests/commands/hook_impl_test.py:94 shell_process_spawn :: with mock.patch.object(subprocess, 'run', call):
  • CHANGELOG.md:1476 shell_process_spawn :: - pre-commit run --files ... no longer runs a subprocess per file
  • CHANGELOG.md:414 typosquatting_indicator :: - #2564 PR by @mattp-.
  • pre-commit:0 maintainer_drift :: 4.5.1->4.6.0

@github-actions github-actions Bot added the merge_conflict (Branch has conflicts that prevent merge to main) label May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from dd2c67e to efd74c1 Compare May 21, 2026 20:05
@github-actions github-actions Bot added merge_conflict (Branch has conflicts that prevent merge to main) and removed merge_conflict (Branch has conflicts that prevent merge to main) labels May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from efd74c1 to 18688e9 Compare May 21, 2026 23:33
@github-actions github-actions Bot added merge_conflict (Branch has conflicts that prevent merge to main) and removed merge_conflict (Branch has conflicts that prevent merge to main) labels May 21, 2026
Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 4.5.1 to 4.6.0.
- [Release notes](https://github.com/pre-commit/pre-commit/releases)
- [Changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md)
- [Commits](pre-commit/pre-commit@v4.5.1...v4.6.0)

---
updated-dependencies:
- dependency-name: pre-commit
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/pip/pre-commit-4.6.0 branch from 18688e9 to 888da4a Compare May 22, 2026 03:56
@github-actions github-actions Bot removed the merge_conflict (Branch has conflicts that prevent merge to main) label May 22, 2026
@cmmarslender cmmarslender merged commit 30fcc94 into main May 22, 2026
633 of 638 checks passed
@cmmarslender cmmarslender deleted the dependabot/pip/pre-commit-4.6.0 branch May 22, 2026 14:51

Labels

  • dependencies: Pull requests that update a dependency file
  • python: Pull requests that update Python code
