
Bump bandit from 1.8.5 to 1.9.2 #71

Merged
docktermj merged 3 commits into main from dependabot/pip/bandit-1.9.2 on Jan 14, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Jan 14, 2026

Bumps bandit from 1.8.5 to 1.9.2.

Release notes

Sourced from bandit's releases.

1.9.2

What's Changed

Full Changelog: PyCQA/bandit@1.9.1...1.9.2

1.9.1

What's Changed

Full Changelog: PyCQA/bandit@1.9.0...1.9.1

1.9.0

What's Changed

New Contributors

Full Changelog: PyCQA/bandit@1.8.6...1.9.0

1.8.6

What's Changed

New Contributors

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Resolves #1333
Resolves #1331
Resolves #1327
Resolves #1324
Resolves #1325
Resolves #1323
Resolves #1317
Resolves #1315
Resolves #1306
Resolves #1305
Resolves PyCQA/bandit#1331
Resolves PyCQA/bandit#1333
Resolves PyCQA/bandit#1327
Resolves PyCQA/bandit#1275
Resolves PyCQA/bandit#1289
Resolves PyCQA/bandit#1290
Resolves PyCQA/bandit#1291
Resolves PyCQA/bandit#1292
Resolves PyCQA/bandit#1295
Resolves PyCQA/bandit#1296
Resolves PyCQA/bandit#1298
Resolves PyCQA/bandit#1303
Resolves PyCQA/bandit#1305
Resolves PyCQA/bandit#1306
Resolves PyCQA/bandit#1315
Resolves PyCQA/bandit#1317
Resolves PyCQA/bandit#1323
Resolves PyCQA/bandit#1325
Resolves PyCQA/bandit#1324
Resolves PyCQA/bandit#1279
Resolves PyCQA/bandit#1278
Resolves PyCQA/bandit#1282
Resolves PyCQA/bandit#1284
Resolves PyCQA/bandit#1281

Bumps [bandit](https://github.com/PyCQA/bandit) from 1.8.5 to 1.9.2.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](PyCQA/bandit@1.8.5...1.9.2)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jan 14, 2026
@dependabot dependabot Bot requested a review from a team as a code owner January 14, 2026 05:04
@github-actions

🤖 Claude Code Review

Code Review for PR Diff

Analyzing the pull request that updates bandit from version 1.8.5 to 1.9.2.

Review Against Checklist

Code Quality

  • Code follows style guide: This is a dependency version update in a requirements file, which follows standard Python packaging conventions.
  • No commented-out code: None present.
  • Meaningful variable names: N/A - this is a dependency declaration.
  • DRY principle followed: N/A - single line change.
  • Identify Defects: No bugs, logic errors, or vulnerabilities introduced. This is a security tool dependency update, which is a positive change. Bandit 1.9.2 was released to fix security issues and add improvements over 1.8.5.

Testing

  • Unit tests for new functions: N/A - dependency update only.
  • Integration tests for new endpoints: N/A - no new endpoints.
  • Edge cases covered: N/A - dependency update.
  • ⚠️ Test coverage > 80%: Cannot verify from this diff alone, but the change itself doesn't affect coverage.

Documentation

  • Readme updated if needed: Not required for a development dependency version bump.
  • API docs updated: Not required for this change.
  • Inline comments for complex logic: N/A - no logic changes.
  • ⚠️ CHANGELOG.md updated: Typically minor dependency updates in development requirements don't require CHANGELOG entries, but this depends on project conventions. Should verify if this project's policy requires documenting development dependency updates.
  • Markdown formatting: N/A - no markdown files changed.

Security

  • No hardcoded credentials: None present.
  • Input validation implemented: N/A - dependency update.
  • Proper error handling: N/A - dependency update.
  • No sensitive data in logs: N/A - dependency update.
  • No license files or AQAAAD strings: None detected.

Summary

Overall Assessment: ✅ APPROVED

This is a straightforward and beneficial dependency update that upgrades the bandit security linting tool from version 1.8.5 to 1.9.2. This update is located in development-requirements.txt:1.

Positive Points:

  • Updates a security tool to a newer version with bug fixes and improvements
  • Minimal risk change affecting only development environment
  • Proper semantic versioning maintained

Recommendations:

  1. Consider verifying that the new bandit version doesn't introduce any breaking changes in CLI flags or configuration if you have CI/CD pipelines that invoke bandit directly
  2. If your project policy requires it, add a brief entry to CHANGELOG.md under a "Development" or "Dependencies" section

No blocking issues identified. This PR is safe to merge.

Automated code review analyzing defects and coding standards

@docktermj docktermj self-assigned this Jan 14, 2026
@docktermj docktermj requested a review from a team as a code owner January 14, 2026 14:26
@github-actions

🤖 Claude Code Review

I'll review this pull request against the provided checklist.

Code Review Analysis

Code Quality

✅ Code follows style guide

The changes are primarily configuration and documentation updates. The modifications follow the Senzing code style guide patterns.

✅ No commented-out code

No commented-out code detected in the diff.

✅ Meaningful variable names

N/A - no new variables introduced in this PR.

✅ DRY principle followed

No code duplication observed.

✅ Identify Defects

No bugs, logic errors, edge cases, or security vulnerabilities detected. The changes are configuration/documentation updates.

✅ Project memory configuration check

The .claude/CLAUDE.md file appropriately contains general project guidance without environment-specific paths (except the example export PYTHONPATH=$PYTHONPATH:/path/to/mapper-base which is clearly marked as an example placeholder).

Testing

❌ Unit tests for new functions

Issue: No unit tests are included. However, this PR contains only configuration and documentation changes, so unit tests are not applicable.

⚠️ Integration tests for new endpoints

N/A - no new endpoints added.

⚠️ Edge cases covered

N/A - no new functionality.

⚠️ Test coverage > 80%

Cannot determine from this PR. No code changes that would affect coverage.

Note: The workflow file .github/workflows/pylint.yaml:22-23 changes Python version matrix from ["3.9", "3.10", "3.11", "3.12"] to ["3.10", "3.11", "3.12", "3.13"], dropping Python 3.9 support. This should be verified against the project's support policy.

Documentation

✅ Readme updated if needed

Not modified in this PR, but the changes don't require README updates.

✅ API docs updated

N/A - no API changes.

✅ Inline comments for complex logic

N/A - no code logic changes.

✅ CHANGELOG.md updated

File: CHANGELOG.md:4-6
The CHANGELOG has been updated with improved formatting and references to Keep a Changelog and CommonMark standards.

✅ Markdown files follow CommonMark specification

All markdown files (CHANGELOG.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, .claude/CLAUDE.md) have been formatted correctly with proper link references and no extra whitespace. The formatting appears to follow CommonMark and prettier standards.

Security

✅ No hardcoded credentials

No credentials detected.

✅ Input validation implemented

N/A - no new input handling code.

✅ Proper error handling

N/A - no new error handling code.

✅ No sensitive data in logs

N/A - no logging changes.

✅ No checked-in license files (.lic or files with AQAAAD)

No .lic files or strings starting with AQAAAD detected in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor notes

This PR primarily modernizes configuration files, updates documentation to follow current standards, and improves GitHub Actions workflows. The changes are well-structured and follow best practices.

Key Changes:

  1. Configuration Migration: Moved from separate *-requirements.txt files to modern pyproject.toml with dependency groups
  2. Documentation Updates: Updated CODE_OF_CONDUCT.md to v3.0, improved CONTRIBUTING.md, added SECURITY.md, improved CHANGELOG.md
  3. Claude Configuration: Added .claude/CLAUDE.md for project context, renamed command from senzing-code-review.md to senzing.md, renamed settings.local.json to settings.json
  4. GitHub Actions: Added concurrency controls, improved naming consistency, dropped Python 3.9 support
  5. Dependabot: Added cooldown periods to reduce noise

Notable Items:

  • Python 3.9 dropped: .github/workflows/pylint.yaml:22-23 - Verify this aligns with support policy
  • Settings file renamed: .claude/settings.local.json → .claude/settings.json - Ensures settings are shared across environments
  • Workflow optimizations: Added concurrency blocks and cancel-in-progress to all PR workflows for efficient CI usage

No critical issues found. The changes improve maintainability and follow modern Python packaging standards.

Automated code review analyzing defects and coding standards

@github-actions

🤖 Claude Code Review

Code Review Analysis

I'll analyze this pull request against the provided checklist.

Code Quality

✅ Code Style Alignment

The changes align well with the Senzing style guide. Key improvements include:

  • Proper YAML formatting in workflow files
  • Markdown formatting improvements following CommonMark specification
  • Consistent naming conventions (Title Case for workflow names)

✅ No Commented-Out Code

No commented-out code found in the diff.

✅ Meaningful Variable Names

All variable names and configuration keys are clear and meaningful.

✅ DRY Principle

No code duplication observed. The migration from separate requirements files to unified pyproject.toml dependency groups actually improves maintainability.

⚠️ Potential Issues Identified

  1. .github/CODEOWNERS:4 - Minor whitespace fix (removed leading space before #), but this is cosmetic.

  2. .github/workflows/pylint.yaml:23 - Python 3.9 support dropped, now starts at 3.10. Ensure this aligns with project requirements and is documented.

  3. .github/workflows/pylint.yaml:43 - Changed from separate requirements files to python -m pip install --group all .. This is a significant change in how dependencies are managed. Verify this works correctly with the new pyproject.toml structure.

  4. .claude/settings.json:1 - Renamed from .claude/settings.local.json. This changes the file from a local-only configuration to a committed configuration. Ensure this file doesn't contain any local-specific or sensitive settings (need to see contents).

  5. pyproject.toml:multiple locations - Version pinning is very specific (e.g., coverage==7.10.7 for Python <=3.11). While this ensures reproducibility, it may require frequent maintenance for security updates.

🔍 Defects & Edge Cases

  1. dependabot.yml:6-7,12-13 - Added cooldown.default-days: 21. This is a new feature that may not be supported in all Dependabot versions. Verify compatibility.

  2. Missing validation - The switch from requirements.txt files to pyproject.toml dependency groups is substantial. No validation or migration path is shown for existing development environments.

Testing

❌ No Test Changes

The PR makes significant structural changes (dependency management, Python version support) but includes no test updates or additions.

❌ Test Coverage Unknown

No evidence of test coverage validation for the new configuration structure.

❌ Edge Cases Not Covered

No tests for:

  • Dependency group installation
  • Compatibility with Python 3.13 (newly added)
  • Validation that the new dependency structure works

Documentation

✅ README Updated (via CLAUDE.md)

The .claude/CLAUDE.md file was added, providing comprehensive project documentation including:

  • Setup instructions
  • Common commands
  • Architecture overview

⚠️ CHANGELOG.md Updated

CHANGELOG.md:1-16 - Updated format with proper reference links at bottom. However, it still contains placeholder version "1.0.0" with "yyyy-mm-dd" and generic "Initial content". Should be updated with actual changes from this PR.

✅ Inline Comments

No complex logic was added that would require additional inline comments.

❌ Migration Guide Missing

No documentation for migrating from the old requirements.txt files to the new pyproject.toml structure.

✅ Markdown Formatting

All markdown files follow CommonMark specification properly with reference-style links.

Security

✅ No Hardcoded Credentials

No credentials found in the changes.

✅ Input Validation

Not applicable - this PR is primarily configuration changes.

✅ Error Handling

Not applicable - no code logic changes.

✅ No Sensitive Data in Logs

Not applicable.

✅ No License Files

No .lic files or AQAAAD strings found in the diff.

Additional Observations

Positive Changes

  1. Modernization: Migration to pyproject.toml follows Python packaging best practices
  2. Better workflow organization: Added concurrency controls and improved workflow names
  3. Updated Code of Conduct: Upgraded to Contributor Covenant 3.0
  4. Better CONTRIBUTING.md: Added reference-style links and improved formatting
  5. New SECURITY.md: Added security policy documentation
  6. Reduced file count: Consolidated 3 requirements files into 1 pyproject.toml

Concerns

  1. .claude/settings.json - Need to review contents to ensure no local/sensitive settings
  2. Breaking changes not documented: Python 3.9 dropped, new installation method
  3. No validation tests: Significant changes to build/install process without validation
  4. CHANGELOG needs updating: Should document actual changes instead of placeholder

Critical Items

  1. Need to verify .claude/settings.json contents - Cannot confirm if this file should be committed without seeing its contents
  2. Python version compatibility - Dropping 3.9 and adding 3.13 should be documented as breaking change

Summary

This PR modernizes the project structure significantly with generally positive changes. However, it lacks:

  • Tests validating the new dependency structure
  • Documentation of breaking changes (Python 3.9 dropped)
  • Updated CHANGELOG with actual changes
  • Verification that .claude/settings.json is safe to commit

Recommendation: Request changes to address testing coverage, CHANGELOG updates, and verification of the .claude/settings.json file contents before merging.

Automated code review analyzing defects and coding standards

@docktermj docktermj merged commit e6a63d2 into main Jan 14, 2026
30 checks passed
@docktermj docktermj deleted the dependabot/pip/bandit-1.9.2 branch January 14, 2026 14:33