Update all non-major dependencies

[renovate-coveo]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
coveo-functools (source)	2.0.33 -> 2.0.34
flake8 (changelog)	7.0.0 -> 7.1.1
mypy (source, changelog)	1.9.0 -> 1.11.1
packaging	24.0 -> 24.1
pytest (changelog)	8.1.1 -> 8.3.2
tomlkit	0.12.4 -> 0.13.0

---

Release Notes

pycqa/flake8 (flake8)

v7.1.1

Compare Source

v7.1.0

Compare Source

python/mypy (mypy)

v1.11.1

Compare Source

v1.11.0

Compare Source

v1.10.1

Compare Source

• Fix error reporting on cached run after uninstallation of third party library (Shantanu, PR 17420)

v1.10.0

Compare Source

pypa/packaging (packaging)

v24.1

Compare Source

What's Changed

• pyupgrade/black/isort/flake8 → ruff by @​DimitriPapadopoulos in https://github.com/pypa/packaging/pull/769
• Add support for Python 3.13 and drop EOL 3.7 by @​hugovk in https://github.com/pypa/packaging/pull/783
• Bump the github-actions group with 4 updates by @​dependabot in https://github.com/pypa/packaging/pull/782
• Fix typo in _parser docstring by @​pradyunsg in https://github.com/pypa/packaging/pull/784
• Modernise type annotations using FA rules from ruff by @​pradyunsg in https://github.com/pypa/packaging/pull/785
• Document markers.default_environment() by @​edgarrmondragon in https://github.com/pypa/packaging/pull/753
• Bump the github-actions group with 3 updates by @​dependabot in https://github.com/pypa/packaging/pull/789
• Work around platform.python_version() returning non PEP 440 compliant version for non-tagged CPython builds by @​sbidoul in https://github.com/pypa/packaging/pull/802

New Contributors

• @​dependabot made their first contribution in https://github.com/pypa/packaging/pull/782
• @​edgarrmondragon made their first contribution in https://github.com/pypa/packaging/pull/753

Full Changelog: pypa/packaging@24.0...24.1

pytest-dev/pytest (pytest)

v8.3.2

Compare Source

pytest 8.3.2 (2024-07-24)

Bug fixes

• #​12652: Resolve regression [conda]{.title-ref} environments where no longer being automatically detected.

  -- by RonnyPfannschmidt{.interpreted-text role="user"}

v8.3.1

Compare Source

pytest 8.3.1 (2024-07-20)

The 8.3.0 release failed to include the change notes and docs for the release. This patch release remedies this. There are no other changes.

v8.3.0

Compare Source

pytest 8.3.0 (2024-07-20)

New features

• #​12231: Added [--xfail-tb]{.title-ref} flag, which turns on traceback output for XFAIL results.

  • If the [--xfail-tb]{.title-ref} flag is not given, tracebacks for XFAIL results are NOT shown.
  • The style of traceback for XFAIL is set with [--tb]{.title-ref}, and can be [auto|long|short|line|native|no]{.title-ref}.
  • Note: Even if you have [--xfail-tb]{.title-ref} set, you won't see them if [--tb=no]{.title-ref}.

  Some history:

  With pytest 8.0, [-rx]{.title-ref} or [-ra]{.title-ref} would not only turn on summary reports for xfail, but also report the tracebacks for xfail results. This caused issues with some projects that utilize xfail, but don't want to see all of the xfail tracebacks.

  This change detaches xfail tracebacks from [-rx]{.title-ref}, and now we turn on xfail tracebacks with [--xfail-tb]{.title-ref}. With this, the default [-rx]{.title-ref}/ [-ra]{.title-ref} behavior is identical to pre-8.0 with respect to xfail tracebacks. While this is a behavior change, it brings default behavior back to pre-8.0.0 behavior, which ultimately was considered the better course of action.

• #​12281: Added support for keyword matching in marker expressions.

  Now tests can be selected by marker keyword arguments.
  Supported values are int{.interpreted-text role="class"}, (unescaped) str{.interpreted-text role="class"}, bool{.interpreted-text role="class"} & None{.interpreted-text role="data"}.

  See marker examples <marker_keyword_expression_example>{.interpreted-text role="ref"} for more information.

  -- by lovetheguitar{.interpreted-text role="user"}

• #​12567: Added --no-fold-skipped command line option.

  If this option is set, then skipped tests in short summary are no longer grouped
  by reason but all tests are printed individually with their nodeid in the same
  way as other statuses.

  -- by pbrezina{.interpreted-text role="user"}

Improvements in existing functionality

• #​12469: The console output now uses the "third-party plugins" terminology,
  replacing the previously established but confusing and outdated
  reference to setuptools <setuptools:index>{.interpreted-text role="std:doc"}
  -- by webknjaz{.interpreted-text role="user"}.

• #​12544, #​12545: Python virtual environment detection was improved by
  checking for a pyvenv.cfg{.interpreted-text role="file"} file, ensuring reliable detection on
  various platforms -- by zachsnickers{.interpreted-text role="user"}.

• #​2871: Do not truncate arguments to functions in output when running with [-vvv]{.title-ref}.

• #​389: The readability of assertion introspection of bound methods has been enhanced
  -- by farbodahm{.interpreted-text role="user"}, webknjaz{.interpreted-text role="user"}, obestwalter{.interpreted-text role="user"}, flub{.interpreted-text role="user"}
  and glyphack{.interpreted-text role="user"}.

  Earlier, it was like:

  =================================== FAILURES ===================================
  _____________________________________ test _____________________________________
  
      def test():
  >       assert Help().fun() == 2
  E       assert 1 == 2
  E        +  where 1 = <bound method Help.fun of <example.Help instance at 0x256a830>>()
  E        +    where <bound method Help.fun of <example.Help instance at 0x256a830>> = <example.Help instance at 0x256a830>.fun
  E        +      where <example.Help instance at 0x256a830> = Help()
  
  example.py:7: AssertionError
  =========================== 1 failed in 0.03 seconds ===========================

  And now it's like:

  =================================== FAILURES ===================================
  _____________________________________ test _____________________________________
  
      def test():
  >       assert Help().fun() == 2
  E       assert 1 == 2
  E        +  where 1 = fun()
  E        +    where fun = <test_local.Help object at 0x1074be230>.fun
  E        +      where <test_local.Help object at 0x1074be230> = Help()
  
  test_local.py:13: AssertionError
  =========================== 1 failed in 0.03 seconds ===========================

• #​7662: Added timezone information to the testsuite timestamp in the JUnit XML report.

Bug fixes

• #​11706: Fixed reporting of teardown errors in higher-scoped fixtures when using [--maxfail]{.title-ref} or [--stepwise]{.title-ref}.

  Originally added in pytest 8.0.0, but reverted in 8.0.2 due to a regression in pytest-xdist.
  This regression was fixed in pytest-xdist 3.6.1.

• #​11797: pytest.approx{.interpreted-text role="func"} now correctly handles Sequence <collections.abc.Sequence>{.interpreted-text role="class"}-like objects.

• #​12204, #​12264: Fixed a regression in pytest 8.0 where tracebacks get longer and longer when multiple
  tests fail due to a shared higher-scope fixture which raised -- by bluetech{.interpreted-text role="user"}.

  Also fixed a similar regression in pytest 5.4 for collectors which raise during setup.

  The fix necessitated internal changes which may affect some plugins:

  • FixtureDef.cached_result[2] is now a tuple (exc, tb)
    instead of exc.
  • SetupState.stack failures are now a tuple (exc, tb)
    instead of exc.

• #​12275: Fixed collection error upon encountering an abstract <abc>{.interpreted-text role="mod"} class, including abstract [unittest.TestCase]{.title-ref} subclasses.

• #​12328: Fixed a regression in pytest 8.0.0 where package-scoped parameterized items were not correctly reordered to minimize setups/teardowns in some cases.

• #​12424: Fixed crash with [assert testcase is not None]{.title-ref} assertion failure when re-running unittest tests using plugins like pytest-rerunfailures. Regressed in 8.2.2.

• #​12472: Fixed a crash when returning category "error" or "failed" with a custom test status from pytest_report_teststatus{.interpreted-text role="hook"} hook -- pbrezina{.interpreted-text role="user"}.

• #​12505: Improved handling of invalid regex patterns in pytest.raises(match=r'...') <pytest.raises>{.interpreted-text role="func"} by providing a clear error message.

• #​12580: Fixed a crash when using the cache class on Windows and the cache directory was created concurrently.

• #​6962: Parametrization parameters are now compared using [==]{.title-ref} instead of [is]{.title-ref} ([is]{.title-ref} is still used as a fallback if the parameter does not support [==]{.title-ref}).
  This fixes use of parameters such as lists, which have a different [id]{.title-ref} but compare equal, causing fixtures to be re-computed instead of being cached.

• #​7166: Fixed progress percentages (the [ 87%] at the edge of the screen) sometimes not aligning correctly when running with pytest-xdist -n.

Improved documentation

• #​12153: Documented using PYTEST_VERSION{.interpreted-text role="envvar"} to detect if code is running from within a pytest run.

• #​12469: The external plugin mentions in the documentation now avoid mentioning
  setuptools entry-points <setuptools:index>{.interpreted-text role="std:doc"} as the concept is
  much more generic nowadays. Instead, the terminology of "external",
  "installed", or "third-party" plugins (or packages) replaces that.

  -- by webknjaz{.interpreted-text role="user"}

• #​12577: [CI]{.title-ref} and [BUILD_NUMBER]{.title-ref} environment variables role is discribed in
  the reference doc. They now also appear when doing [pytest -h]{.title-ref}
  -- by MarcBresson{.interpreted-text role="user"}.

Contributor-facing changes

• #​12467: Migrated all internal type-annotations to the python3.10+ style by using the [annotations]{.title-ref} future import.

  -- by RonnyPfannschmidt{.interpreted-text role="user"}

• #​11771, #​12557: The PyPy runtime version has been updated to 3.9 from 3.8 that introduced
  a flaky bug at the garbage collector which was not expected to fix there
  as the 3.8 is EoL.

  -- by x612skm{.interpreted-text role="user"}

• #​12493: The change log draft preview integration has been refactored to use a
  third party extension sphinxcontib-towncrier. The previous in-repo
  script was putting the change log preview file at
  doc/en/_changelog_towncrier_draft.rst{.interpreted-text role="file"}. Said file is no longer
  ignored in Git and might show up among untracked files in the
  development environments of the contributors. To address that, the
  contributors can run the following command that will clean it up:

  $ git clean -x -i -- doc/en/_changelog_towncrier_draft.rst

  -- by webknjaz{.interpreted-text role="user"}

• #​12498: All the undocumented tox environments now have descriptions.
  They can be listed in one's development environment by invoking
  tox -av in a terminal.

  -- by webknjaz{.interpreted-text role="user"}

• #​12501: The changelog configuration has been updated to introduce more accurate
  audience-tailored categories. Previously, there was a trivial
  change log fragment type with an unclear and broad meaning. It was
  removed and we now have contrib, misc and packaging in
  place of it.

  The new change note types target the readers who are downstream
  packagers and project contributors. Additionally, the miscellaneous
  section is kept for unspecified updates that do not fit anywhere else.

  -- by webknjaz{.interpreted-text role="user"}

• #​12502: The UX of the GitHub automation making pull requests to update the
  plugin list has been updated. Previously, the maintainers had to close
  the automatically created pull requests and re-open them to trigger the
  CI runs. From now on, they only need to click the [Ready for review]{.title-ref}
  button instead.

  -- by webknjaz{.interpreted-text role="user"}

• #​12522: The :pull: RST role has been replaced with a shorter
  :pr: due to starting to use the implementation from
  the third-party sphinx-issues{.interpreted-text role="pypi"} Sphinx extension
  -- by webknjaz{.interpreted-text role="user"}.

• #​12531: The coverage reporting configuration has been updated to exclude
  pytest's own tests marked as expected to fail from the coverage
  report. This has an effect of reducing the influence of flaky
  tests on the resulting number.

  -- by webknjaz{.interpreted-text role="user"}

• #​12533: The extlinks Sphinx extension is no longer enabled. The :bpo:
  role it used to declare has been removed with that. BPO itself has
  migrated to GitHub some years ago and it is possible to link the
  respective issues by using their GitHub issue numbers and the
  :issue: role that the sphinx-issues extension implements.

  -- by webknjaz{.interpreted-text role="user"}

• #​12562: Possible typos in using the :user: RST role is now being linted
  through the pre-commit tool integration -- by webknjaz{.interpreted-text role="user"}.

v8.2.2

Compare Source

pytest 8.2.2 (2024-06-04)

Bug Fixes

• #​12355: Fix possible catastrophic performance slowdown on a certain parametrization pattern involving many higher-scoped parameters.
• #​12367: Fix a regression in pytest 8.2.0 where unittest class instances (a fresh one is created for each test) were not released promptly on test teardown but only on session teardown.
• #​12381: Fix possible "Directory not empty" crashes arising from concurent cache dir (.pytest_cache) creation. Regressed in pytest 8.2.0.

Improved Documentation

• #​12290: Updated Sphinx theme to use Furo instead of Flask, enabling Dark mode theme.
• #​12356: Added a subsection to the documentation for debugging flaky tests to mention
  lack of thread safety in pytest as a possible source of flakyness.
• #​12363: The documentation webpages now links to a canonical version to reduce outdated documentation in search engine results.

v8.2.1

Compare Source

pytest 8.2.1 (2024-05-19)

Improvements

• #​12334: Support for Python 3.13 (beta1 at the time of writing).

Bug Fixes

• #​12120: Fix [PermissionError]{.title-ref} crashes arising from directories which are not selected on the command-line.
• #​12191: Keyboard interrupts and system exits are now properly handled during the test collection.
• #​12300: Fixed handling of 'Function not implemented' error under squashfuse_ll, which is a different way to say that the mountpoint is read-only.
• #​12308: Fix a regression in pytest 8.2.0 where the permissions of automatically-created .pytest_cache directories became rwx------ instead of the expected rwxr-xr-x.

Trivial/Internal Changes

• #​12333: pytest releases are now attested using the recent Artifact Attestation support from GitHub, allowing users to verify the provenance of pytest's sdist and wheel artifacts.

v8.2.0

Compare Source

pytest 8.2.0 (2024-04-27)

Deprecations

• #​12069: A deprecation warning is now raised when implementations of one of the following hooks request a deprecated py.path.local parameter instead of the pathlib.Path parameter which replaced it:

  • pytest_ignore_collect{.interpreted-text role="hook"} - the path parameter - use collection_path instead.
  • pytest_collect_file{.interpreted-text role="hook"} - the path parameter - use file_path instead.
  • pytest_pycollect_makemodule{.interpreted-text role="hook"} - the path parameter - use module_path instead.
  • pytest_report_header{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.
  • pytest_report_collectionfinish{.interpreted-text role="hook"} - the startdir parameter - use start_path instead.

  The replacement parameters are available since pytest 7.0.0.
  The old parameters will be removed in pytest 9.0.0.

  See legacy-path-hooks-deprecated{.interpreted-text role="ref"} for more details.

Features

• #​11871: Added support for reading command line arguments from a file using the prefix character @, like e.g.: pytest @​tests.txt. The file must have one argument per line.

  See Read arguments from file <args-from-file>{.interpreted-text role="ref"} for details.

Improvements

• #​11523: pytest.importorskip{.interpreted-text role="func"} will now issue a warning if the module could be found, but raised ImportError{.interpreted-text role="class"} instead of ModuleNotFoundError{.interpreted-text role="class"}.

  The warning can be suppressed by passing exc_type=ImportError to pytest.importorskip{.interpreted-text role="func"}.

  See import-or-skip-import-error{.interpreted-text role="ref"} for details.

• #​11728: For unittest-based tests, exceptions during class cleanup (as raised by functions registered with TestCase.addClassCleanup <unittest.TestCase.addClassCleanup>{.interpreted-text role="meth"}) are now reported instead of silently failing.

• #​11777: Text is no longer truncated in the short test summary info section when -vv is given.

• #​12112: Improved namespace packages detection when consider_namespace_packages{.interpreted-text role="confval"} is enabled, covering more situations (like editable installs).

• #​9502: Added PYTEST_VERSION{.interpreted-text role="envvar"} environment variable which is defined at the start of the pytest session and undefined afterwards. It contains the value of pytest.__version__, and among other things can be used to easily check if code is running from within a pytest run.

Bug Fixes

• #​12065: Fixed a regression in pytest 8.0.0 where test classes containing setup_method and tests using @staticmethod or @classmethod would crash with AttributeError: 'NoneType' object has no attribute 'setup_method'.

  Now the request.instance <pytest.FixtureRequest.instance>{.interpreted-text role="attr"} attribute of tests using @staticmethod and @classmethod is no longer None, but a fresh instance of the class, like in non-static methods.
  Previously it was None, and all fixtures of such tests would share a single self.

• #​12135: Fixed issue where fixtures adding their finalizer multiple times to fixtures they request would cause unreliable and non-intuitive teardown ordering in some instances.

• #​12194: Fixed a bug with --importmode=importlib and --doctest-modules where child modules did not appear as attributes in parent modules.

• #​1489: Fixed some instances where teardown of higher-scoped fixtures was not happening in the reverse order they were initialized in.

Trivial/Internal Changes

• #​12069: pluggy>=1.5.0 is now required.
• #​12167: cache <cache>{.interpreted-text role="ref"}: create supporting files (CACHEDIR.TAG, .gitignore, etc.) in a temporary directory to provide atomic semantics.

v8.1.2

Compare Source

pytest 8.1.2 (2024-04-26)

Bug Fixes

• #​12114: Fixed error in pytest.approx{.interpreted-text role="func"} when used with [numpy]{.title-ref} arrays and comparing with other types.

sdispater/tomlkit (tomlkit)

v0.13.0

Compare Source

Changed

• Expect a tomlkit-specific error instead of TypeError from a custom encoder. (#​355)
• Drop support for Python older than 3.8. Remove 3.7 from the CI matrix.

Fixed

• Fix the incompatiblity with 3.13 because of the datetime.replace() change. (#​333)
• Revert the change of parsing out-of-order tables. (#​347)
• Keep the nested out-of-order table. (#​361)

v0.12.5

Compare Source

Fixed

• Remove the extra minus sign added to the float value after calculation. (#​341)
• Fix unexpected newline added after accessing the out-of-order table. (#​343)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by the Coveo Renovate Bot

[github-actions]

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ❌ 1 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

poetry.lock

Name	Version	Vulnerability	Severity
setuptools	69.5.1	setuptools vulnerable to Command Injection via package URL	high

Only included vulnerabilities with severity high or higher.

License Issues

poetry.lock

Package	Version	License	Issue Type
mypy	1.11.1	MIT AND NOASSERTION AND Python-2.0	Invalid SPDX License
flake8	7.1.0	Null	Unknown License
pycodestyle	2.12.0	Null	Unknown License

Allowed Licenses: 0BSD, Apache-2.0, Apache-2.0 AND MIT, Apache-2.0 AND BSD-3-Clause AND Python-2.0, Beerware, BlueOak-1.0.0, BSD-1-Clause, BSD-2-Clause, BSD-2-Clause-Patent, BSD-2-Clause-Views, BSD-2-Clause AND MIT, BSD-3-Clause, BSD-3-Clause-Attribution, BSD-3-Clause-Clear, BSL-1.0, CC-BY-3.0, CC-BY-4.0, CC0-1.0, CNRI-Python, curl, HPND, IBM-pibs, ImageMagick, ISC, JSON, MIT, MIT-0, MIT AND ISC, MIT AND Python-2.0, MIT-advertising, mpi-permissive, NCSA, ODC-By-1.0, PDDL-1.0, Plexus, PostgreSQL, PSF-2.0, Python-2.0, Python-2.0.1, SAX-PD, Unlicense, UPL-1.0, W3C, Wsuipa, WTFPL, X11, X11-distribute-modifications-variant, Xerox, Zlib, ZPL-2.1

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/setuptools	69.5.1	🟢 5.8	Details Check Score Reason Code-Review ⚠️ 2 Found 5/20 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/setuptools	69.2.0	🟢 5.8	Details Check Score Reason Code-Review ⚠️ 2 Found 5/20 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/flake8	7.1.0	🟢 6	Details Check Score Reason Code-Review 🟢 5 Found 5/9 approved changesets -- score normalized to 5 Maintained 🟢 10 5 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/mypy	1.11.1	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 20/29 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
pip/packaging	24.1	🟢 7.5	Details Check Score Reason Maintained 🟢 10 7 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 22/27 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 10 all dependencies are pinned Binary-Artifacts 🟢 4 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits
pip/pluggy	1.5.0	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pycodestyle	2.12.0	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 5/8 approved changesets -- score normalized to 6 Maintained 🟢 10 11 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pytest	8.3.2	🟢 6.2	Details Check Score Reason Code-Review 🟢 8 Found 7/8 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/tomlkit	0.13.0	Unknown	Unknown
pip/flake8	7.0.0	🟢 6	Details Check Score Reason Code-Review 🟢 5 Found 5/9 approved changesets -- score normalized to 5 Maintained 🟢 10 5 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/mypy	1.9.0	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 20/29 approved changesets -- score normalized to 6 Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
pip/packaging	24.0	🟢 7.5	Details Check Score Reason Maintained 🟢 10 7 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 22/27 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 10 all dependencies are pinned Binary-Artifacts 🟢 4 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing 🟢 10 project is fuzzed Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits
pip/pluggy	1.4.0	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pycodestyle	2.11.1	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 5/8 approved changesets -- score normalized to 6 Maintained 🟢 10 11 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/pytest	8.1.1	🟢 6.2	Details Check Score Reason Code-Review 🟢 8 Found 7/8 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/tomlkit	0.12.4	Unknown	Unknown

Scanned Manifest Files

poetry.lock

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]

pyproject.toml

• [email protected]
• [email protected]