Bump build from 1.4.4 to 1.5.0

[dependabot]

Bumps build from 1.4.4 to 1.5.0.

Release notes

Sourced from build's releases.

1.5.0

What's Changed

• ci: try to improve release docs by @​henryiii in pypa/build#1051
• feat: drop 3.9, require 3.10+ by @​henryiii in pypa/build#1036
• chore: tox toml by @​henryiii in pypa/build#1033
• fix: api should not ignore installed, only CLI by @​henryiii in pypa/build#1056

Full Changelog: pypa/build@1.4.4...1.5.0

Changelog

Sourced from build's changelog.

#################### 1.5.0 (2026-04-30) ####################

---

Features

---

• Drop Python 3.9 support - by :user:henryiii (:issue:1036)

---

Bugfixes

---

• Make --ignore-installed opt-in from the API via fresh=True - by :user:henryiii (:issue:1056)

---

Miscellaneous

---

• :issue:1033

#################### 1.4.4 (2026-04-22) ####################

---

Bugfixes

---

• Fix release pipeline generating CHANGELOG.rst entries with inconsistent heading levels, which broke sphinx -W and pinned Read the Docs stable at 1.4.0 - by :user:gaborbernat. (:issue:1031)
• Revert :pr:1039 from build 1.4.3, no longer check direct_url (for now) - by :user:henryiii (:issue:1039)
• Add --ignore-installed to pip install command to prevent issues with packages already present in the isolated build environment - by :user:henryiii (:issue:1037) (:issue:1040)
• Partial revert of :pr:973, keeping log messages in one entry, multiple lines. (:issue:1044)

---

Miscellaneous

---

• :issue:1048, :issue:1049

#################### 1.4.3 (2026-04-10) ####################

---

Features

---

... (truncated)

Commits

• 615d04c chore: prepare for 1.5.0
• 776f702 fix: api should not ignore installed, only CLI (#1056)
• 42da4c4 pre-commit: bump repositories (#1055)
• b445cd2 chore: tox toml (#1033)
• c44c143 feat: drop 3.9, require 3.10+ (#1036)
• a9bb456 build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 in the actions group...
• cb33511 ci: try to improve release docs (#1051)
• See full diff in compare view

[github-actions]

🤖 Claude Code Review

Code Review: Bump build from 1.4.4 to 1.5.0

This is a single-line dependency version bump in pyproject.toml.

---

Code Quality

• ✅ Style guide: No code style concerns for a version string change.
• ✅ No commented-out code: N/A
• ✅ Meaningful variable names: N/A
• ✅ DRY principle: N/A
• ✅ Defects: No logic errors. The build package is a dev/build tool dependency, not a runtime dependency. Bumping from 1.4.4 → 1.5.0 is a minor version bump, indicating backwards-compatible new features per semver. Low risk.

Testing

• ✅ Unit/integration tests: No test changes needed for a build tooling version bump.
• ✅ Coverage: N/A

Documentation

• ❌ CHANGELOG.md: No CHANGELOG.md update is included. Dependency bumps are typically recorded in the changelog.

Security

• ✅ No hardcoded credentials: N/A
• ✅ No license files: N/A
• ✅ No sensitive data: N/A

---

Summary

One issue to address:

1. CHANGELOG.md not updated — Dependency bumps should be logged. Add an entry for the build 1.4.4 → 1.5.0 upgrade.

Otherwise this is a clean, low-risk version bump with no concerns.

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

---

Code Review: Bump build from 1.4.4 to 1.5.0

This diff is a single-line dependency version bump in pyproject.toml.

---

Code Quality

• ✅ Style guide — No code logic changed; not applicable.
• ✅ No commented-out code — None present.
• ✅ Meaningful variable names — N/A.
• ✅ DRY principle — N/A.
• ✅ Defects / logic errors — The change is a straightforward minor version bump of a development-only dependency (build is in the development group). No runtime or production code is affected. No concerns.
• ✅ CLAUDE.md — N/A for this change.

---

Testing

• ✅ — No new functions or endpoints introduced; no tests required for a dev dependency bump.

---

Documentation

• ✅ README — No update needed.
• ✅ API docs — N/A.
• ✅ Inline comments — N/A.
• ❌ CHANGELOG.md — The CHANGELOG.md is present but contains only a placeholder ([1.0.0] - yyyy-mm-dd). While this bump is a dependency update and not a feature/fix, the project's changelog is not being maintained. This is a pre-existing gap rather than a regression from this PR, but worth flagging.

---

Security

• ✅ No hardcoded credentials — None.
• ✅ Input validation — N/A.
• ✅ Error handling — N/A.
• ✅ No sensitive data in logs — N/A.
• ✅ No license files (.lic) — None present.

---

Summary

This is a clean, minimal dependency bump with no concerns. The only flag is the unmaintained CHANGELOG.md (placeholder dates), which is a pre-existing issue not introduced by this PR. The change is safe to merge.

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

---

Code Review: build 1.4.4 → 1.5.0 Dependency Bump

Code Quality

• ✅ Style guide: Single-line change in pyproject.toml, no style concerns.
• ✅ No commented-out code: Clean diff.
• ✅ Meaningful variable names: N/A.
• ✅ DRY principle: N/A.
• ✅ Defects / bugs / security: The build package is a development-only tool used for packaging (pyproject.toml → [dependency-groups].development). It is not a runtime dependency and does not affect production code paths. The 1.4.4 → 1.5.0 bump is a minor version increment; no known vulnerabilities are associated with either version.
• ✅ CLAUDE.md: No issues. The project instructions reference pip install --group all . which will pick up this updated pin correctly.

Testing

• ✅ N/A — this is a development tooling dependency with no testable code changes.

Documentation

• ✅ README: No update needed.
• ✅ API docs: No update needed.
• ✅ Inline comments: N/A.
• ❌ CHANGELOG.md (CHANGELOG.md:8): The changelog has a placeholder entry ([1.0.0] - yyyy-mm-dd) that has never been filled in, and this bump is not recorded there. Dependency bumps of this nature are typically noted under an unreleased section. Consider adding an entry such as:

  ## [Unreleased]
  ### Changed
  - Bump `build` from 1.4.4 to 1.5.0

• ✅ Markdown formatting: CHANGELOG.md appears CommonMark-compliant.

Security

• ✅ No hardcoded credentials: None present.
• ✅ Input validation: N/A.
• ✅ Error handling: N/A.
• ✅ No sensitive data in logs: N/A.
• ✅ No license files (.lic / AQAAAD): None detected.

---

Summary: The change is correct and low-risk. The only actionable finding is the missing CHANGELOG entry — the placeholder yyyy-mm-dd date on line 8 also suggests the changelog has never been maintained and should be initialized before this project ships.

Automated code review analyzing defects and coding standards