Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^25.12.0→^26.0.0GitHub Vulnerability Alerts
CVE-2026-32274
Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the
--python-cell-magicsoption was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.Patches
Fixed in Black 26.3.1.
Workarounds
Do not allow untrusted user input into the value of the
--python-cell-magicsoption.Release Notes
psf/black (black)
v26.3.1Compare Source
Stable style
exact-length placeholders for short magics and aborting if a placeholder can no longer
be unmasked safely (#5038)
Configuration
--python-cell-magicsso custommagic names cannot affect cache paths (#5038)
Blackd
and request body limits, and bound executor submissions to improve backpressure
(#5039)
v26.3.0Compare Source
Stable style
# type: ignorecomments would be merged with othercomments on the same line, preventing AST equivalence failures (#4888)
Preview style
ifguards incaseblocks were incorrectly split when the pattern hada trailing comma (#4884)
string_processingcrashing on unassigned long string literals with trailingcommas (one-item tuples) (#4929)
Packaging
frozen environments (#4930)
Performance
uvloop.install()in favor ofuvloop.new_event_loop()(#4996)
maybe_install_uvloopfunction tomaybe_use_uvloopto simplify loopinstallation and creation of either a uvloop/winloop evenloop or default eventloop
(#4996)
Output
version, since AST safety checks cannot parse newer syntax. Also replace the
misleading "INTERNAL ERROR" message with an actionable error explaining the version
mismatch (#4983)
Blackd
windows when winloop is installed. (#4996)
Integrations
blackrequirements in the GitHub Action whenuse_pyprojectisenabled so that only version specifiers are accepted and direct references such as
black @​ https://...are rejected. Users should upgrade to the latest version of theaction as soon as possible. This update is received automatically when using
psf/black@stable, and is independent of the version of Black installed by theaction. (#5031)
Documentation
wrap_comprehension_in,simplify_power_operator_hugging, andwrap_long_dict_values_in_parensfeatures(#4987)
v26.1.0Compare Source
Highlights
Introduces the 2026 stable style (#4892), stabilizing the following changes:
always_one_newline_after_import: Always force one blank line after importstatements, except when the line after the import is a comment or an import statement
(#4489)
fix_fmt_skip_in_one_liners: Fix# fmt: skipbehavior on one-liner declarations,such as
def foo(): return "mock" # fmt: skip, where previously the declaration wouldhave been incorrectly collapsed (#4800)
fix_module_docstring_detection: Fix module docstrings being treated as normalstrings if preceded by comments (#4764)
fix_type_expansion_split: Fix type expansions split in generic functions (#4777)multiline_string_handling: Make expressions involving multiline strings more compact(#1879)
normalize_cr_newlines: Add\rstyle newlines to the potential newlines tonormalize file newlines both from and to (#4710)
remove_parens_around_except_types: Remove parentheses around multiple exceptiontypes in
exceptandexcept*withoutas(#4720)remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-handside of assignments while preserving magic trailing commas and intentional multiline
formatting (#4865)
standardize_type_comments: Format type comments which have zero or more spacesbetween
#andtype:or betweentype:and value to# type: (value)(#4645)The following change was not in any previous stable release:
_width_table.pyand added tests for the Khmer language (#4253)This release alo bumps
pathspecto v1 and fixes inconsistencies with Git's.gitignorelogic (#4958). Now, files will be ignored if a pattern matches them, evenif the parent directory is directly unignored. For example, Black would previously
format
exclude/not_this/foo.pywith this.gitignore:Now,
exclude/not_this/foo.pywill remain ignored. To ensureexclude/not_this/andall of it's children are included in formatting (and in Git), use this
.gitignore:This new behavior matches Git. The leading
*/are only necessary if you wish to ignorematching subdirectories (like the previous behavior did), and not just matching root
directories.
Output
Integrations
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.