Bump the build-tools-pip group with 5 updates#11328

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/build-tools-pip-f34a4d9204
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Bumps the build-tools-pip group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| jinja2 | 3.1.2 | 3.1.6 |
| jsonschema | 4.20.0 | 4.26.0 |
| mozilla-repo-urls | 0.1.1 | 0.2.2 |
| mozilla-taskgraph | 4.1.1 | 4.1.2 |
| taskcluster-taskgraph | 20.0.0 | 23.0.0 |

Updates jinja2 from 3.1.2 to 3.1.6

Release notes

Sourced from jinja2's releases.

3.1.6

This is the Jinja 3.1.6 security release, which fixes security issues but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.6/
Changes: https://jinja.palletsprojects.com/en/stable/changes/#version-3-1-6

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. GHSA-cpwx-vrp4-4pq7

3.1.5

This is the Jinja 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Jinja2/3.1.5/
Changes: https://jinja.palletsprojects.com/changes/#version-3-1-5
Milestone: https://github.com/pallets/jinja/milestone/16?closed=1

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. GHSA-q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. #1792, GHSA-gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. #2032
  • Calling sync render for an async template uses asyncio.run. #1952
  • Avoid unclosed auto_aiter warnings. #1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. #1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. #1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. #1960
  • The runtime uses the correct concat function for the current environment when calling block references. #1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. #1781
  • |int filter handles OverflowError from scientific notation. #1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. #2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. #2025
  • Fix copy/pickle support for the internal missing object. #2027
  • Environment.overlay(enable_async) is applied correctly. #2061
  • The error message from FileSystemLoader includes the paths that were searched. #1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. #1705
  • Improve annotations for methods returning copies. #1880
  • urlize does not add mailto: to values like @a@b. #1870
  • Tests decorated with @pass_context can be used with the |select filter. #1624
  • Using set for multiple assignment (a, b = 1, 2) does not fail when the target is a namespace attribute. #1413
  • Using set in all branches of {% if %}{% elif %}{% else %} blocks does not cause the variable to be considered initially undefined. #1253

3.1.4

This is the Jinja 3.1.4 security release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes.

PyPI: https://pypi.org/project/Jinja2/3.1.4/
Changes: https://jinja.palletsprojects.com/en/3.1.x/changes/#version-3-1-4

  • The xmlattr filter does not allow keys with / solidus, > greater-than sign, or = equals sign, in addition to disallowing spaces. Regardless of any validation done by Jinja, user input should never be used as keys to this filter, or must be separately validated first. GHSA-h75v-3vvj-5mfj

3.1.3

This is a fix release for the 3.1.x feature branch.

  • Fix for GHSA-h5c8-rqwp-cp95. You are affected if you are using xmlattr and passing user input as attribute keys.

... (truncated)

Changelog

Sourced from jinja2's changelog.

Version 3.1.6

Released 2025-03-05

  • The |attr filter does not bypass the environment's attribute lookup, allowing the sandbox to apply its checks. :ghsa:cpwx-vrp4-4pq7

Version 3.1.5

Released 2024-12-21

  • The sandboxed environment handles indirect calls to str.format, such as by passing a stored reference to a filter that calls its argument. :ghsa:q2x7-8rv6-6q7h
  • Escape template name before formatting it into error messages, to avoid issues with names that contain f-string syntax. :issue:1792, :ghsa:gmj6-6f8f-6699
  • Sandbox does not allow clear and pop on known mutable sequence types. :issue:2032
  • Calling sync render for an async template uses asyncio.run. :pr:1952
  • Avoid unclosed auto_aiter warnings. :pr:1960
  • Return an aclose-able AsyncGenerator from Template.generate_async. :pr:1960
  • Avoid leaving root_render_func() unclosed in Template.generate_async. :pr:1960
  • Avoid leaving async generators unclosed in blocks, includes and extends. :pr:1960
  • The runtime uses the correct concat function for the current environment when calling block references. :issue:1701
  • Make |unique async-aware, allowing it to be used after another async-aware filter. :issue:1781
  • |int filter handles OverflowError from scientific notation. :issue:1921
  • Make compiling deterministic for tuple unpacking in a {% set ... %} call. :issue:2021
  • Fix dunder protocol (copy/pickle/etc) interaction with Undefined objects. :issue:2025
  • Fix copy/pickle support for the internal missing object. :issue:2027
  • Environment.overlay(enable_async) is applied correctly. :pr:2061
  • The error message from FileSystemLoader includes the paths that were searched. :issue:1661
  • PackageLoader shows a clearer error message when the package does not contain the templates directory. :issue:1705
  • Improve annotations for methods returning copies. :pr:1880
  • urlize does not add mailto: to values like @a@b. :pr:1870

... (truncated)

Commits

Updates jsonschema from 4.20.0 to 4.26.0

Release notes

Sourced from jsonschema's releases.

v4.26.0

What's Changed

New Contributors

Full Changelog: python-jsonschema/jsonschema@v4.25.1...v4.26.0

v4.25.1

What's Changed

... (truncated)

Changelog

Sourced from jsonschema's changelog.

v4.26.0

  • Decrease import time by delaying importing of urllib.request (#1416).

v4.25.1

  • Fix an incorrect required argument in the Validator protocol's type annotations (#1396).

v4.25.0

  • Add support for the iri and iri-reference formats to the format-nongpl extra via the MIT-licensed rfc3987-syntax. They were already supported by the format extra. (#1388).

v4.24.1

  • Properly escape segments in ValidationError.json_path (#139).

v4.24.0

  • Fix improper handling of unevaluatedProperties in the presence of additionalProperties (#1351).
  • Support for Python 3.8 has been dropped, as it is end-of-life.

v4.23.0

  • Do not reorder dictionaries (schemas, instances) that are printed as part of validation errors.
  • Declare support for Py3.13

v4.22.0

  • Improve best_match (and thereby error messages from jsonschema.validate) in cases where there are multiple sibling errors from applying anyOf / allOf -- i.e. when multiple elements of a JSON array have errors, we now do prefer showing errors from earlier elements rather than simply showing an error for the full array (#1250).
  • (Micro-)optimize equality checks when comparing for JSON Schema equality by first checking for object identity, as == would.

v4.21.1

  • Slightly speed up the contains keyword by removing some unnecessary validator (re-)creation.

v4.21.0

  • Fix the behavior of enum in the presence of 0 or 1 to properly consider True and False unequal (#1208).
  • Special case the error message for {min,max}{Items,Length,Properties} when they're checking for emptiness rather than true length.

Commits

  • a727743 Add a changelog entry for 4.26.
  • 6d28c13 Update the lockfile.
  • 739499e Update pre-commit hooks.
  • cb2d779 Merge pull request #1443 from python-jsonschema/pre-commit-ci-update-config
  • e6bbbb7 [pre-commit.ci] pre-commit autoupdate
  • d56037a Merge pull request #1442 from python-jsonschema/dependabot/github_actions/ast...
  • e54ce13 Bump astral-sh/setup-uv from 7.1.4 to 7.1.6
  • 1f7c9fb Partially update docs requirements.
  • 241aec9 Merge pull request #1441 from python-jsonschema/pre-commit-ci-update-config
  • 2818efb Apache-2.0 -> nongpl
  • Additional commits viewable in compare view

Updates mozilla-repo-urls from 0.1.1 to 0.2.2

Updates mozilla-taskgraph from 4.1.1 to 4.1.2

Release notes

Sourced from mozilla-taskgraph's releases.

4.1.2

What's Changed

Full Changelog: mozilla-releng/mozilla-taskgraph@4.1.1...4.1.2

Changelog

Sourced from mozilla-taskgraph's changelog.

4.1.2 (2026-05-01)

Fix

  • mark compatible with Taskgraph v23.x
  • ensure head_rev always matches the one the action task is running from

Commits

  • e525efc chore: version bump v4.1.2
  • 5eb8d4b chore(deps): lock file maintenance (pep621) (#206)
  • d1dc204 chore(deps): update pre-commit hooks
  • a0cad17 chore(renovate): ensure taskgraph bump in uv.lock and .taskcluster.yml happen...
  • 06fee6f chore(deps): lock file maintenance (pep621)
  • 4279abe chore(deps): update debian:13 docker digest to 35b8ff7
  • 7738eb4 chore(deps): update debian:13-slim docker digest to cedb1ef
  • 91d4a1c chore(deps): update mozillareleases/taskgraph docker tag to v21
  • a7d191b fix(deps): update dependency taskcluster-taskgraph to v21
  • 5e5c905 chore(renovate): ensure renovate only ever widens dependencies
  • Additional commits viewable in compare view

Updates taskcluster-taskgraph from 20.0.0 to 23.0.0

Release notes

Sourced from taskcluster-taskgraph's releases.

23.0.0

What's Changed

Full Changelog: taskcluster/taskgraph@22.0.0...23.0.0

22.0.0

What's Changed

Full Changelog: taskcluster/taskgraph@21.0.0...22.0.0

21.0.0

What's Changed

Full Changelog: taskcluster/taskgraph@20.0.0...21.0.0

Changelog

Sourced from taskcluster-taskgraph's changelog.

[23.0.0] - 2026-05-04

Added

  • Support for defining schemas as dicts (in addition to the class-based approach)
  • New disabled_actions graph configuration to prevent specific actions from being generated

Changed

  • BREAKING CHANGE: Converted parameter schema from voluptuous to msgspec

Fixed

  • taskgraph full -J --tasks <regex> now displays full dependencies instead of a filtered subset
  • fetch-content now percent-encodes artifact names, fixing downloads of artifacts containing spaces or other special characters

[22.0.0] - 2026-04-16

Fixed

  • Decision task now fetches refs/notes/decision-parameters itself

Removed

  • BREAKING CHANGE: Removed ability for run-task to fetch arbitrary extra refs
  • BREAKING CHANGE: Removed docker-worker feature: relengapi-proxy

[21.0.0] - 2026-04-13

Added

  • Ability for run-task to fetch arbitrary extra refs
  • Ability for Decision task to override params via Git notes

Fixed

  • Improved index route verification

Changed

  • BREAKING CHANGE: run-task and decision images now use Debian 13

Removed

  • BREAKING CHANGE: Removed docker-worker features: dind, privileged, loopback-audio

Commits

  • a7abf47 chore: version bump Taskgraph 23.0.0
  • 53aa1ca chore: pre-commit autoupdate
  • b4aa5f5 feat!: convert parameter schema from voluptuous to msgspec
  • a63271c fix: ensure taskgraph full -J --tasks \<regex> shows all dependencies
  • c2bd792 docs: add howto guide for defining schemas
  • 4560e87 refactor: use Schema.from_dict in from_deps transforms
  • 6ad3d0f feat: support defining schemas as dicts
  • 195eef8 Add a way to prevent some actions from getting generated (#938)
  • 1ab9c53 Percent encode artifact names in fetch-content (#927)
  • b885924 chore: version bump Taskgraph 22.0.0
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| taskcluster-taskgraph | [>= 8.a, < 9] |

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the build-tools-pip group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [jinja2](https://github.com/pallets/jinja) | `3.1.2` | `3.1.6` |
| [jsonschema](https://github.com/python-jsonschema/jsonschema) | `4.20.0` | `4.26.0` |
| mozilla-repo-urls | `0.1.1` | `0.2.2` |
| [mozilla-taskgraph](https://github.com/mozilla-releng/mozilla-taskgraph) | `4.1.1` | `4.1.2` |
| [taskcluster-taskgraph](https://github.com/taskcluster/taskgraph) | `20.0.0` | `23.0.0` |


Updates `jinja2` from 3.1.2 to 3.1.6
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](pallets/jinja@3.1.2...3.1.6)

Updates `jsonschema` from 4.20.0 to 4.26.0
- [Release notes](https://github.com/python-jsonschema/jsonschema/releases)
- [Changelog](https://github.com/python-jsonschema/jsonschema/blob/main/CHANGELOG.rst)
- [Commits](python-jsonschema/jsonschema@v4.20.0...v4.26.0)

Updates `mozilla-repo-urls` from 0.1.1 to 0.2.2

Updates `mozilla-taskgraph` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/mozilla-releng/mozilla-taskgraph/releases)
- [Changelog](https://github.com/mozilla-releng/mozilla-taskgraph/blob/main/CHANGELOG.md)
- [Commits](mozilla-releng/mozilla-taskgraph@4.1.1...4.1.2)

Updates `taskcluster-taskgraph` from 20.0.0 to 23.0.0
- [Release notes](https://github.com/taskcluster/taskgraph/releases)
- [Changelog](https://github.com/taskcluster/taskgraph/blob/main/CHANGELOG.md)
- [Commits](taskcluster/taskgraph@20.0.0...23.0.0)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build-tools-pip
- dependency-name: jsonschema
  dependency-version: 4.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: build-tools-pip
- dependency-name: mozilla-repo-urls
  dependency-version: 0.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: build-tools-pip
- dependency-name: mozilla-taskgraph
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build-tools-pip
- dependency-name: taskcluster-taskgraph
  dependency-version: 23.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: build-tools-pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 1, 2026 16:57
@dependabot dependabot Bot requested review from ahal and removed request for a team June 1, 2026 16:57