Update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending	Age	Confidence
PyCQA/flake8	repository	minor	7.0.0 → 7.3.0
actions/cache	action	major	v4 → v5
actions/checkout	action	major	v4 → v6	v7.0.0 (+1)
actions/download-artifact	action	major	v4 → v8
actions/setup-python	action	major	v5 → v6
actions/upload-artifact	action	major	v4 → v7
autoflake	dev	pin	^2.2.1 → 2.3.3
autopep8	dev	pin	^2.0.4 → 2.3.2
black (changelog)	dev	pin	^24.0.0 → 24.10.0
cbor2 (changelog)	dependencies	major	~5.6.0 → ~6.1.0
coverage	dev	pin	^7.0.0 → 7.14.1
docformatter	dev	pin	^1.7.5 → 1.7.8
flake8 (changelog)	dev	pin	^7.0.0 → 7.3.0
html2text	dev	pin	^2024.0.0 → 2024.2.26
igorshubovych/markdownlint-cli	repository	minor	v0.40.0 → v0.49.0
isort (changelog)	dev	pin	^5.12.0 → 5.13.2
pre-commit	dev	pin	^3.0.0 → 3.8.0
pre-commit/pre-commit-hooks	repository	major	v4.6.0 → v6.0.0
pycqa/isort	repository	major	5.13.2 → 8.0.1
pytest-repeat	dev	pin	^0.9.3 → 0.9.4
python-poetry/poetry	repository	major	1.8.3 → 2.4.1
python/black	repository	major	24.4.2 → 26.5.1
sphinx (changelog)	dev	pin	^7.0.0 → 7.4.7
sphinx-rtd-theme	dev	pin	^2.0.0 → 2.0.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

PyCQA/flake8 (PyCQA/flake8)

v7.3.0

Compare Source

v7.2.0

Compare Source

v7.1.2

Compare Source

v7.1.1

Compare Source

v7.1.0

Compare Source

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

What's Changed

• Add release instructions and update maintainer docs by @​Link- in #​1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in #​1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in #​1699
• docs: Update examples to use the latest version by @​XZTDean in #​1690
• Fix proxy integration tests by @​Link- in #​1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in #​1722
• Update dependencies & patch security vulnerabilities by @​Link- in #​1738

New Contributors

• @​XZTDean made their first contribution in #​1690
• @​RyPeck made their first contribution in #​1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2: v.5.0.2

Compare Source

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

What's Changed

• fix: update @​actions/cache for Node.js 24 punycode deprecation by @​salmanmkc in #​1685
• prepare release v5.0.1 by @​salmanmkc in #​1686

v5.0.0

What's Changed

• Upgrade to use node24 by @​salmanmkc in #​1630
• Prepare v5.0.0 release by @​salmanmkc in #​1684

Full Changelog: actions/cache@v5...v5.0.1

v5.0.0

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in #​1630
• Prepare v5.0.0 release by @​salmanmkc in #​1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v5

Compare Source

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v6

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v5

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

• Update README.md by @​nebuk89 in #​407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in #​416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist

# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

- uses: actions/download-artifact@v5
  with:
    artifact-ids: 12345
    path: dist/my-artifact  # Explicitly specify the nested path

New Contributors

• @​nebuk89 made their first contribution in #​407

Full Changelog: actions/download-artifact@v4...v5.0.0

v5

Compare Source

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in #​1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in #​1253 and #​1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancements:

• Add support for pip-install input by @​gowridurgad in #​1201
• Add graalpy early-access and windows builds by @​timfel in #​880

Dependency and Documentation updates:

• Enhanced wording and updated example usage for allow-prereleases by @​yarikoptic in #​979
• Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @​dependabot in #​1139
• Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @​dependabot in #​1094
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @​dependabot in #​1199
• Upgrade requests from 2.32.2 to 2.32.4 by @​dependabot in #​1130
• Upgrade prettier from 3.5.3 to 3.6.2 by @​dependabot in #​1234
• Upgrade @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @​dependabot in #​1235

New Contributors

• @​yarikoptic made their first contribution in #​979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in #​1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in #​1129
• Enhance reading from .python-version by @​krystof-k in #​787
• Add version parsing from Pipfile by @​aradkdj in #​1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in #​1183
• Change missing cache directory error to warning by @​aparnajyothi-y in #​1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in #​1122
• Include python version in PyPy python-version output by @​cdce8p in #​1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in #​1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in #​843
• Upgrade form-data to fix critical vulnerabilities #​182 & #​183 by @​aparnajyothi-y in #​1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in #​1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​1095

New Contributors

• @​krystof-k made their first contribution in #​787
• @​cdce8p made their first contribution in #​1110
• @​aradkdj made their first contribution in #​1067

Full Changelog: actions/setup-python@v5...v6.0.0

v6

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@​v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in #​719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in #​744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in #​745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in #​681
• Update README.md by @​nebuk89 in #​712
• Readme: spell out the first use of GHES by @​danwkennedy in #​727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in #​734

New Contributors

• @​GhadimiR made their first contribution in #​681
• @​nebuk89 made their first contribution in #​712
• @​danwkennedy made their first contribution in #​727
• @​patrikpolyak made their first contribution in #​725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v5

Compare Source

agronholm/cbor2 (cbor2)

v6.1.2

Compare Source

• Fixed incorrect tracking of string references for definite-length text strings of length greater than 65536 (#​308; PR by @​sahvx655-wq)
• Fixed cbor2.load() crash caused by incorrect handling of internal read buffer extension during stream deserialization. (#​307; PR by @​noderyos)

v6.1.1

Compare Source

• Fixed cbor2.load() returning corrupted data for payloads exceeding 4096 bytes (#​304)

v6.1.0

Compare Source

• Added the allow_duplicate_keys parameter to CBORDecoder, load and loads (default: True). When set to False, a CBORDecodeError is raised upon encountering a duplicate key within the same map. (#​283)
• Added support for decoding from any object supporting the buffer API (e.g. memoryview or bytearray) in addition to bytes (#​297)
• Fixed compatibility issues with 32-bit systems (#​300)

v6.0.1

Compare Source

• Fixed an error in the mutability logic during decoding, leading to values being decoded as immutable in unexpected places (#​295)

v6.0.0

Compare Source

• No changes since v6.0.0rc1

v5.9.0

Compare Source

• Added the max_depth decoder parameter to limit the maximum allowed nesting level of containers, with a default value of 400 levels (CVE-2026-26209)
• Changed the default read_size from 4096 to 1 for backwards compatibility. The buffered reads introduced in 5.8.0 could cause issues when code needs to access the stream position after decoding. Users can opt-in to faster decoding by passing read_size=4096 when they don't need to access the stream directly after decoding. Added a direct read path for read_size=1 to avoid buffer management overhead. (#​275; PR by @​andreer)
• Fixed C encoder not respecting string referencing when encoding string-type datetimes (tag 0) (#​254)
• Fixed a missed check for an exception in the C implementation of CBOREncoder.encode_shared() (#​287)
• Fixed two reference/memory leaks in the C extension's long string decoder (#​290 PR by @​killiancowan82)
• Fixed C decoder ignoring the str_errors setting when decoding strings, and improved string decoding performance by using stack allocation for small strings and eliminating unnecessary conditionals. Benchmarks show 9-17% faster deserialization. (#​255; PR by @​andreer)

v5.8.0

Compare Source

• Added readahead buffering to C decoder for improved performance. The decoder now uses a 4 KB buffer by default to reduce the number of read calls. Benchmarks show 20-140% performance improvements for decoding operations. (#​268; PR by @​andreer)
• Fixed Python decoder not preserving share index when decoding array items containing nested shareable tags, causing shared references to resolve to wrong objects (#​267; PR by @​andreer)
• Reset shared reference state at the start of each top-level encode/decode operation (#​266; PR by @​andreer)

v5.7.1

Compare Source

• Improved performance on decoding large definite bytestrings (#​240 <#​240>_; PR by @​dwpaley)
• Fixed a read(-1) vulnerability caused by boundary handling error (#​264 <#​264>_; PR by @​tylzh97)

v5.7.0

Compare Source

• Added support for Python 3.14 (no free-threading support yet, sorry)
• Dropped support for Python 3.8 (#​247 <#​247>_; PR by @​hugovk)
• Added support for encoding indefinite containers (#​256 <#​256>_; PR by @​CZDanol)
• Added complex number support (tag 43000) (#​249 <#​249>_; PR by @​chillenb)

igorshubovych/markdownlint-cli (igorshubovych/markdownlint-cli)

v0.49.0

Compare Source

• Update markdownlint dependency to 0.41.0
  • Improve MD022/MD028/MD035/MD042/MD051/MD060
  • Remove handling of inline directive syntax (frequent false positives)
  • Remove support for end-of-life Node version 20
• Update all dependencies via Dependabot

v0.48.0

Compare Source

• Update all dependencies via Dependabot

v0.47.0

Compare Source

• Add output and exit code support for warnings
• Update markdownlint dependency to 0.40.0
  • Improve MD011/MD013/MD051/MD060
• Update all dependencies via Dependabot

v0.46.0

Compare Source

• Replace glob dependency with tinyglobby (smaller and fewer dependencies)
• Update markdownlint dependency to 0.39.0
  • Add MD060/table-column-style
  • Improve MD001/MD007/MD009/MD010/MD029/MD033/MD037/MD059
• Update all dependencies via Dependabot

v0.45.0

Compare Source

• Update markdownlint dependency to 0.38.0
  • Add MD059/descriptive-link-text
  • Improve MD025/MD027/MD036/MD038/MD041/MD043/MD045/MD051/MD052
  • Remove support for end-of-life Node version 18
• Update all dependencies via Dependabot

v0.44.0

Compare Source

• Update markdownlint dependency to 0.37.4
  • Convert module to ECMAScript (breaking change)
  • Stop using require, convert to import
  • Improve MD032
• Update all dependencies via Dependabot

v0.43.0

Compare Source

• Update markdownlint dependency to 0.36.1
  • Improve MD051
  • Make micromark parser available to custom rules
  • Improve performance
• Update all dependencies via Dependabot

v0.42.0

Compare Source

• Update markdownlint dependency to 0.35.0
  • Add MD058/blanks-around-tables
  • Use micromark in MD001/MD003/MD009/MD010/MD013/MD014/MD019/MD021/MD023/MD024/MD025/MD039/MD042/MD043
  • Improve MD018/MD020/MD031/MD034/MD044
  • markdown-it parser no longer invoked by default
  • Improve performance
• Update all dependencies via Dependabot

v0.41.0: 0.41.0

Compare Source

• Change TOML parser to smol-toml which supports v1.0.0 of the specification
• Update all dependencies via Dependabot

pre-commit/pre-commit-hooks (pre-commit/pre-commit-hooks)

v6.0.0: pre-commit-hooks v6.0.0

Compare Source

Fixes

• check-shebang-scripts-are-executable: improve error message.
  • #​1115 PR by @​homebysix.

Migrating

• now requires python >= 3.9.
  • #​1098 PR by @​asottile.
• file-contents-sorter: disallow --unique and --ignore-case at the same
  time.
  • #​1095 PR by @​nemacysts.
  • #​794 issue by @​teksturi.
• Removed check-byte-order-marker and fix-encoding-pragma.
  • check-byte-order-marker: migrate to fix-byte-order-marker.
  • fix-encoding-pragma: migrate to pyupgrade.
  • #​1034 PR by @​mxr.
  • #​1032 issue by @​mxr.
  • #​522 PR by @​jgowdy.

v5.0.0: pre-commit-hooks v5.0.0

Compare Source

Features

• requirements-txt-fixer: also remove pkg_resources==....
  • #​850 PR by @​ericfrederich.
  • #​1030 issue by @​ericfrederich.
• check-illegal-windows-names: new hook!
  • #​1044 PR by @​ericfrederich.
  • #​589 issue by @​ericfrederich.
  • #​1049 PR by @​Jeffrey-Lim.
• pretty-format-json: continue processing even if a file has a json error.
  • #​1039 PR by @​amarvin.
  • #​1038 issue by @​amarvin.

Fixes

• destroyed-symlinks: set stages to [pre-commit, pre-push, manual]
  • PR #​1085 by @​AdrianDC.

Migrating

• pre-commit-hooks now requires pre-commit>=3.2.0.
• use non-deprecated names for stages.
  • #​1093 PR by @​asottile.

pycqa/isort (pycqa/isort)

v8.0.1

Compare Source

Changes

• Fix #​2461: Added compression to stdlibs for Python 3.14 in isort/stdlibs/py314.py (#​2463) @​FinlayTheBerry
• Fix unindented comments being corrupted in indented blocks (#​2459) @​worksbyfriday

v8.0.0

Compare Source

• Removed --old-finders and --magic-placement flags and old_finders configuration option. The legacy finder logic that relied on environment introspection has been removed ([#​2445](https://redi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dustinblack]

This includes an update to poetry beyond our org standard version, so that will need to be removed from the PR first.