Deps: Bump the python-packages group with 3 updates

[dependabot]

Bumps the python-packages group with 3 updates: pygments, ruff and starlette.

Updates pygments from 2.19.1 to 2.19.2

Release notes

Sourced from pygments's releases.

2.19.2

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Changelog

Sourced from pygments's changelog.

Version 2.19.2

(released June 21st, 2025)

• Lua: Fix regression introduced in 2.19.0 (#2882, #2839)

Commits

• cfca62e Prepare v2.19.2 release.
• 6688300 Disable pyodide (currently broken.)
• 66997c3 Update ruff version.
• 94dda77 Update CHANGES.
• 26634c8 Merge pull request #2882 from thavelick/fix_lua_runaway_regex
• b6a51ec fix lua regex causing runaway backtracking.
• edef94d Investigation for #2839.
• fb6a00e Merge pull request #2837 from dlazin/sql-cleanup
• bf7aa23 Clean up sql.py
• See full diff in compare view

Updates ruff from 0.11.13 to 0.12.0

Release notes

Sourced from ruff's releases.

0.12.0

Release Notes

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Detection of more syntax errors

  Ruff now detects version-related syntax errors, such as the use of the match statement on Python versions before 3.10, and syntax errors emitted by CPython's compiler, such as irrefutable match patterns before the final case arm.

• New default Python version handling for syntax errors

  Ruff will default to the latest supported Python version (3.13) when checking for the version-related syntax errors mentioned above to prevent false positives in projects without a Python version configured. The default in all other cases, like applying lint rules, is unchanged and remains at the minimum supported Python version (3.9).

• Updated f-string formatting

  Ruff now formats multi-line f-strings with format specifiers to avoid adding a line break after the format specifier. This addresses a change to the Python grammar in version 3.13.4 that made such a line break a syntax error.

• rust-toolchain.toml is no longer included in source distributions

  The rust-toolchain.toml is used to specify a higher Rust version than Ruff's minimum supported Rust version (MSRV) for development and building release artifacts. However, when present in source distributions, it would also cause downstream package maintainers to pull in the same Rust toolchain, even if their available toolchain was MSRV-compatible.

Removed Rules

The following rules have been removed:

• suspicious-xmle-tree-usage (S320)

Deprecated Rules

The following rules have been deprecated:

• pandas-df-variable-name

Stabilization

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.0

Check out the blog post for a migration guide and overview of the changes!

Breaking changes

• Detection of more syntax errors

  Ruff now detects version-related syntax errors, such as the use of the match statement on Python versions before 3.10, and syntax errors emitted by CPython's compiler, such as irrefutable match patterns before the final case arm.

• New default Python version handling for syntax errors

  Ruff will default to the latest supported Python version (3.13) when checking for the version-related syntax errors mentioned above to prevent false positives in projects without a Python version configured. The default in all other cases, like applying lint rules, is unchanged and remains at the minimum supported Python version (3.9).

• Updated f-string formatting

  Ruff now formats multi-line f-strings with format specifiers to avoid adding a line break after the format specifier. This addresses a change to the Python grammar in version 3.13.4 that made such a line break a syntax error.

• rust-toolchain.toml is no longer included in source distributions

  The rust-toolchain.toml is used to specify a higher Rust version than Ruff's minimum supported Rust version (MSRV) for development and building release artifacts. However, when present in source distributions, it would also cause downstream package maintainers to pull in the same Rust toolchain, even if their available toolchain was MSRV-compatible.

Removed Rules

The following rules have been removed:

• suspicious-xmle-tree-usage (S320)

Deprecated Rules

The following rules have been deprecated:

• pandas-df-variable-name

Stabilization

... (truncated)

Commits

• 87f0feb Bump 0.12.0 (#18724)
• 685eac1 Revert "[ty] Offer "Did you mean...?" suggestions for unresolved from impor...
• a93992f [flake8-return] Stabilize only add return None at the end when fixing `im...
• 50f8480 [pyupgrade] Stabilize non-pep695-generic-function (UP047) (#18524)
• 6754e94 [pyupgrade] Stabilize non-pep695-generic-class (UP046) (#18519)
• 33c8c75 [pandas-vet] Deprecate pandas-df-variable-name (PD901) (#18618)
• 34dc8e0 [flake8-bandit] Remove suspicious-xmle-tree-usage (S320) (#18617)
• b01195b Stabilize dataclass-enum (RUF049) (#18570)
• ce176b1 Stabilize unnecessary-dict-index-lookup (PLR1733) (#18571)
• 7072cf6 Remove rust-toolchain.toml from sdist (#17925)
• Additional commits viewable in compare view

Updates starlette from 0.47.0 to 0.47.1

Release notes

Sourced from starlette's releases.

Version 0.47.1

Fixed

• Use Self in TestClient.__enter__ #2951
• Allow async exception handlers to type-check #2949

---

Full Changelog: Kludex/starlette@0.47.0...0.47.1

Changelog

Sourced from starlette's changelog.

0.47.1 (June 21, 2025)

Fixed

• Use Self in TestClient.__enter__ #2951.
• Allow async exception handlers to type-check #2949.

Commits

• fa53554 Version 0.47.1 (#2952)
• e741635 Use Self in TestClient.__enter__ (#2951)
• 739ea49 Allow async exception handlers to type-check (#2949)
• 78da9b9 Bump the python-packages group with 6 updates (#2948)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA b4abfcf.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
pip/pygments	2.19.2	🟢 5.5	Details Check Score Reason Maintained 🟢 3 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 Code-Review ⚠️ 2 Found 7/26 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/ruff	0.12.0	Unknown	Unknown
pip/starlette	0.47.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 15 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 6 Found 16/26 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• poetry.lock

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.