Skip to content

Bump the production-dependencies group with 3 updates#1968

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/production-dependencies-5fa21d3539
Open

Bump the production-dependencies group with 3 updates#1968
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/production-dependencies-5fa21d3539

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps the production-dependencies group with 3 updates: filelock, identify and virtualenv.

Updates filelock from 3.25.2 to 3.29.0

Release notes

Sourced from filelock's releases.

3.29.0

What's Changed

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

3.28.0

What's Changed

Full Changelog: tox-dev/filelock@3.27.0...3.28.0

3.27.0

What's Changed

Full Changelog: tox-dev/filelock@3.26.1...3.27.0

3.26.1

What's Changed

New Contributors

Full Changelog: tox-dev/filelock@3.26.0...3.26.1

3.26.0

What's Changed

Full Changelog: tox-dev/filelock@3.25.2...3.26.0

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

3.29.0 (2026-04-19)

  • ✨ feat(soft): enable stale lock detection on Windows :pr:534
  • 🐛 fix(async): use single-thread executor for lock consistency :pr:533
  • build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

3.28.0 (2026-04-14)

  • 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

3.26.1 (2026-04-09)

  • 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
  • build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

3.26.0 (2026-04-06)

  • ✨ feat(soft): add PID inspection and lock breaking :pr:524
  • [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
  • build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
  • Remove persist-credentials: false from release job :pr:520
  • [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
  • 🔒 ci(workflows): add zizmor security auditing :pr:517
  • [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
  • [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

3.25.2 (2026-03-11)

  • 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

3.25.1 (2026-03-09)

  • [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
  • 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits
  • 469b47f Release 3.29.0
  • e85d072 ✨ feat(soft): enable stale lock detection on Windows (#534)
  • f5ee171 🐛 fix(async): use single-thread executor for lock consistency (#533)
  • 2a95458 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#530)
  • 55de20c Release 3.28.0
  • 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
  • 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
  • 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
  • 4cfab49 Release 3.26.1
  • 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
  • Additional commits viewable in compare view

Updates identify from 2.6.18 to 2.6.19

Commits
  • b39f637 v2.6.19
  • c976888 Merge pull request #588 from hofbi/patch-1
  • 6110d73 Add support for 'tif' file extension
  • ccbd337 Merge pull request #587 from pre-commit/pre-commit-ci-update-config
  • f5af264 [pre-commit.ci] pre-commit autoupdate
  • a0be598 Merge pull request #586 from pre-commit/pre-commit-ci-update-config
  • b184043 [pre-commit.ci] pre-commit autoupdate
  • See full diff in compare view

Updates virtualenv from 21.2.1 to 21.2.4

Release notes

Sourced from virtualenv's releases.

21.2.4

What's Changed

Full Changelog: pypa/virtualenv@21.2.3...21.2.4

21.2.3

Full Changelog: pypa/virtualenv@21.2.2...21.2.3

21.2.2

What's Changed

Full Changelog: pypa/virtualenv@21.2.1...21.2.2

Changelog

Sourced from virtualenv's changelog.

Bugfixes - 21.2.4

  • Security hardening: validate each entry of a seed wheel archive before extracting it so a tampered wheel cannot escape the app-data image directory via an absolute path or .. traversal. (:issue:3118)
  • Security hardening: verify the SHA-256 of every bundled seed wheel when it is loaded so a corrupted or tampered file on disk fails loud instead of being handed to pip. The hash table is generated alongside BUNDLE_SUPPORT by tasks/upgrade_wheels.py. (:issue:3119)
  • Security hardening: validate the distribution name and version specifier passed to pip download when acquiring a seed wheel so extras, pip flags, or shell metacharacters cannot be smuggled into the subprocess command line. (:issue:3120)
  • Security hardening: replace the string-prefix containment check in virtualenv.util.zipapp with Path.relative_to so the zipapp extraction helpers refuse any path that does not resolve under the archive root. (:issue:3121)
  • Security hardening: do not silently fall back to an unverified HTTPS context when the periodic update request to PyPI fails TLS verification. The returned metadata drives which wheel version virtualenv considers "up to date", so accepting an unverified response lets a network-level attacker suppress security updates. Set VIRTUALENV_PERIODIC_UPDATE_INSECURE=1 to restore the previous behavior on hosts with broken trust stores. (:issue:3122)

v21.2.3 (2026-04-14)

No significant changes.

v21.2.2 (2026-04-13)

Bugfixes - 21.2.2

  • Bump python-discovery minimum to >=1.2.2 to include normalize_isa support - by :user:rahuldevikar. (:issue:3117)

v21.2.1 (2026-04-09)

Commits
  • 15063c1 release 21.2.4
  • 754602d 🐛 fix(seed): validate wheel zip entries before extraction (#3118)
  • 43deabf 🐛 fix(seed): verify sha256 of bundled wheels on load (#3119)
  • 4e412b0 🐛 fix(seed): validate distribution and version before pip download (#3120)
  • 1309818 🐛 fix(zipapp): enforce ROOT containment with Path.relative_to (#3121)
  • 48f6fdc 🐛 fix(periodic-update): refuse unverified HTTPS to PyPI by default (#3122)
  • a5fb4a2 release 21.2.3
  • 7f91a9a release 21.2.2
  • 33348d6 bump python-discovery minimum to 1.2.2 (#3117)
  • d73ff7c [pre-commit.ci] pre-commit autoupdate (#3116)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the production-dependencies group with 3 updates
7c80166 
Bumps the production-dependencies group with 3 updates: [filelock](https://github.com/tox-dev/py-filelock), [identify](https://github.com/pre-commit/identify) and [virtualenv](https://github.com/pypa/virtualenv).


Updates `filelock` from 3.25.2 to 3.29.0
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.25.2...3.29.0)

Updates `identify` from 2.6.18 to 2.6.19
- [Commits](pre-commit/identify@v2.6.18...v2.6.19)

Updates `virtualenv` from 21.2.1 to 21.2.4
- [Release notes](https://github.com/pypa/virtualenv/releases)
- [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst)
- [Commits](pypa/virtualenv@21.2.1...21.2.4)

---
updated-dependencies:
- dependency-name: filelock
  dependency-version: 3.29.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: identify
  dependency-version: 2.6.19
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: virtualenv
  dependency-version: 21.2.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants