Commit 9480fe7

fix(deps): Update dependency black to v26.3.1 [SECURITY] (#213)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [black](https://redirect.github.com/psf/black) ([changelog](https://redirect.github.com/psf/black/blob/main/CHANGES.md)) | `==26.1.0` → `==26.3.1` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/black/26.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/black/26.1.0/26.3.1?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-32274](https://redirect.github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m)

### Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

### Patches

Fixed in Black 26.3.1.

### Workarounds

Do not allow untrusted user input into the value of the `--python-cell-magics` option.

---

### Release Notes

<details>
<summary>psf/black (black)</summary>

### [`v26.3.1`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#2631)

[Compare Source](https://redirect.github.com/psf/black/compare/26.3.0...26.3.1)

##### Stable style

- Prevent Jupyter notebook magic masking collisions from corrupting cells by using exact-length placeholders for short magics and aborting if a placeholder can no longer be unmasked safely ([#5038](https://redirect.github.com/psf/black/issues/5038))

##### Configuration

- Always hash cache filename components derived from `--python-cell-magics` so custom magic names cannot affect cache paths ([#5038](https://redirect.github.com/psf/black/issues/5038))

##### *Blackd*

- Disable browser-originated requests by default, add configurable origin allowlisting and request body limits, and bound executor submissions to improve backpressure ([#5039](https://redirect.github.com/psf/black/issues/5039))

### [`v26.3.0`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#2630)

[Compare Source](https://redirect.github.com/psf/black/compare/26.1.0...26.3.0)

##### Stable style

- Don't double-decode input, causing non-UTF-8 files to be corrupted ([#4964](https://redirect.github.com/psf/black/issues/4964))
- Fix crash on standalone comment in lambda default arguments ([#4993](https://redirect.github.com/psf/black/issues/4993))
- Preserve parentheses when `# type: ignore` comments would be merged with other comments on the same line, preventing AST equivalence failures ([#4888](https://redirect.github.com/psf/black/issues/4888))

##### Preview style

- Fix bug where `if` guards in `case` blocks were incorrectly split when the pattern had a trailing comma ([#4884](https://redirect.github.com/psf/black/issues/4884))
- Fix `string_processing` crashing on unassigned long string literals with trailing commas (one-item tuples) ([#4929](https://redirect.github.com/psf/black/issues/4929))
- Simplify implementation of the power operator "hugging" logic ([#4918](https://redirect.github.com/psf/black/issues/4918))

##### Packaging

- Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in frozen environments ([#4930](https://redirect.github.com/psf/black/issues/4930))

##### Performance

- Introduce winloop for windows as an alternative to uvloop ([#4996](https://redirect.github.com/psf/black/issues/4996))
- Remove deprecated function `uvloop.install()` in favor of `uvloop.new_event_loop()` ([#4996](https://redirect.github.com/psf/black/issues/4996))
- Rename `maybe_install_uvloop` function to `maybe_use_uvloop` to simplify loop installation and creation of either a uvloop/winloop eventloop or default eventloop ([#4996](https://redirect.github.com/psf/black/issues/4996))

##### Output

- Emit a clear warning when the target Python version is newer than the running Python version, since AST safety checks cannot parse newer syntax. Also replace the misleading "INTERNAL ERROR" message with an actionable error explaining the version mismatch ([#4983](https://redirect.github.com/psf/black/issues/4983))

##### *Blackd*

- Introduce winloop to be used when windows in use which enables blackd to run faster on windows when winloop is installed. ([#4996](https://redirect.github.com/psf/black/issues/4996))

##### Integrations

- Remove unused gallery script ([#5030](https://redirect.github.com/psf/black/issues/5030))
- Harden parsing of `black` requirements in the GitHub Action when `use_pyproject` is enabled so that only version specifiers are accepted and direct references such as `black @ https://...` are rejected. Users should upgrade to the latest version of the action as soon as possible. This update is received automatically when using `psf/black@stable`, and is independent of the version of Black installed by the action. ([#5031](https://redirect.github.com/psf/black/issues/5031))

##### Documentation

- Expand preview style documentation with detailed examples for `wrap_comprehension_in`, `simplify_power_operator_hugging`, and `wrap_long_dict_values_in_parens` features ([#4987](https://redirect.github.com/psf/black/issues/4987))
- Add detailed documentation for formatting Jupyter Notebooks ([#5009](https://redirect.github.com/psf/black/issues/5009))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
1 parent b56f0a0 commit 9480fe7

1 file changed

+1
-1
lines changed

requirements.txt

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
black==26.1.0
1+
black==26.3.1
22
grpcio-tools==1.78.0
33
grpcio==1.78.0
44
protobuf>=6.30.0
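
Review bot: the `black==26.3.1` pin on line 1 does not cover the GitHub Action hardening listed in the quoted release notes, which state that fix is independent of the version of Black the action installs; if any workflow here uses the `psf/black` action at a fixed ref rather than `psf/black@stable`, that ref needs its own update alongside this one. The same release notes say blackd now disables browser-originated requests by default, so anything that calls blackd from a browser will need an origin allowlist entry after this bump. Separately, the context line `protobuf>=6.30.0` is the only open range in a file whose other three entries are exact `==` pins, so an install from this file is not reproducible; consider pinning it as well, and installing with pip's `--require-hashes` if this file is meant to act as a lock.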
