Scheduled weekly dependency update for week 05 #323

Closed
pyup-bot wants to merge 9 commits into master from pyup-scheduled-update-2026-02-02
pyup-bot commented Feb 2, 2026

Update black from 25.12.0 to 26.1.0.

Changelog

26.1.0

Highlights

Introduces the 2026 stable style (4892), stabilizing the following changes:

- `always_one_newline_after_import`: Always force one blank line after import
statements, except when the line after the import is a comment or an import statement
(4489)
- `fix_fmt_skip_in_one_liners`: Fix `# fmt: skip` behavior on one-liner declarations,
such as `def foo(): return "mock"  # fmt: skip`, where previously the declaration would
have been incorrectly collapsed (4800)
- `fix_module_docstring_detection`: Fix module docstrings being treated as normal
strings if preceded by comments (4764)
- `fix_type_expansion_split`: Fix type expansions split in generic functions (4777)
- `multiline_string_handling`: Make expressions involving multiline strings more compact
(1879)
- `normalize_cr_newlines`: Add `\r` style newlines to the potential newlines to
normalize file newlines both from and to (4710)
- `remove_parens_around_except_types`: Remove parentheses around multiple exception
types in `except` and `except*` without `as` (4720)
- `remove_parens_from_assignment_lhs`: Remove unnecessary parentheses from the left-hand
side of assignments while preserving magic trailing commas and intentional multiline
formatting (4865)
- `standardize_type_comments`: Format type comments which have zero or more spaces
between `#` and `type:` or between `type:` and value to `# type: (value)` (4645)

The following change was not in any previous stable release:

- Regenerated the `_width_table.py` and added tests for the Khmer language (4253)

This release also bumps `pathspec` to v1 and fixes inconsistencies with Git's
`.gitignore` logic (4958). Now, files will be ignored if a pattern matches them, even
if the parent directory is directly unignored. For example, Black would previously
format `exclude/not_this/foo.py` with this `.gitignore`:


exclude/
!exclude/not_this/


Now, `exclude/not_this/foo.py` will remain ignored. To ensure `exclude/not_this/` and
all of its children are included in formatting (and in Git), use this `.gitignore`:


*/exclude/*
!*/exclude/not_this/


This new behavior matches Git. The leading `*/` are only necessary if you wish to ignore
matching subdirectories (like the previous behavior did), and not just matching root
directories.

Output

- Explicitly shut down the multiprocessing manager when run in diff mode too (4952)

Integrations

- Upgraded PyPI upload workflow to use Trusted Publishing (4611)

Update certifi from 2025.11.12 to 2026.1.4.

The bot wasn't able to find a changelog for this release. Got an idea?

Update coverage from 7.13.0 to 7.13.2.

Changelog

7.13.2
---------------------------

- Fix: when Python is installed via symlinks, for example with Homebrew, the
standard library files could be incorrectly included in coverage reports.
This is now fixed, closing `issue 2115`_.

- Fix: if a data file is created with no read permissions, the combine step
would fail completely. Now a warning is issued and the file is skipped.
Closes `issue 2117`_.

.. _issue 2115: https://github.com/coveragepy/coveragepy/issues/2115
.. _issue 2117: https://github.com/coveragepy/coveragepy/issues/2117


.. _changes_7-13-1:

7.13.1
---------------------------

- Added: the JSON report now includes a ``"start_line"`` key for function and
class regions, indicating the first line of the region in the source. Closes
`issue 2110`_.

- Added: The ``debug data`` command now takes file names as arguments on the
command line, so you can inspect specific data files without needing to set
the ``COVERAGE_FILE`` environment variable.

- Fix: the JSON report used to report module docstrings as executed lines,
which no other report did, as described in `issue 2105`_. This is now fixed,
thanks to Jianrong Zhao.

- Fix: coverage.py uses a more disciplined approach to detecting where
third-party code is installed, and avoids measuring it. This shouldn't change
any behavior. If you find that it does, please get in touch.

- Performance: data files that will be combined now record their hash as part
of the file name. This lets us skip duplicate data more quickly, speeding the
combining step.

- Docs: added a section explaining more about what is considered a missing
branch and how it is reported: :ref:`branch_explain`, as requested in `issue
1597`_. Thanks to `Ayisha Mohammed <pull 2092_>`_.

- Tests: the test suite misunderstood what core was being tested if
``COVERAGE_CORE`` wasn't set on 3.14+. This is now fixed, closing `issue
2109`_.

.. _issue 1597: https://github.com/coveragepy/coveragepy/issues/1597
.. _pull 2092: https://github.com/coveragepy/coveragepy/pull/2092
.. _issue 2105: https://github.com/coveragepy/coveragepy/issues/2105
.. _issue 2109: https://github.com/coveragepy/coveragepy/issues/2109
.. _issue 2110: https://github.com/coveragepy/coveragepy/issues/2110

Update docutils from 0.22.3 to 0.22.4.

The bot wasn't able to find a changelog for this release. Got an idea?

Update filelock from 3.20.0 to 3.20.3.

Changelog

3.20.3

What's Changed
* Fix TOCTOU symlink vulnerability in SoftFileLock by gaborbernat in https://github.com/tox-dev/filelock/pull/465


**Full Changelog**: https://github.com/tox-dev/filelock/compare/3.20.2...3.20.3

3.20.2

What's Changed
* Support Unix systems without O_NOFOLLOW by mwilliamson in https://github.com/tox-dev/filelock/pull/463
* [pre-commit.ci] pre-commit autoupdate by pre-commit-ci[bot] in https://github.com/tox-dev/filelock/pull/464

New Contributors
* mwilliamson made their first contribution in https://github.com/tox-dev/filelock/pull/463

**Full Changelog**: https://github.com/tox-dev/filelock/compare/3.20.1...3.20.2

3.20.1

What's Changed
* CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by gaborbernat in https://github.com/tox-dev/filelock/pull/461


**Full Changelog**: https://github.com/tox-dev/filelock/compare/3.20.0...3.20.1

Update tox from 4.32.0 to 4.34.1.

The bot wasn't able to find a changelog for this release. Got an idea?

Update tqdm from 4.67.1 to 4.67.2.

The bot wasn't able to find a changelog for this release. Got an idea?

Update urllib3 from 2.6.2 to 2.6.3.

Changelog

2.6.3
==================

- Fixed a high-severity security issue where decompression-bomb safeguards of
the streaming API were bypassed when HTTP redirects were followed.
(`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
- Started treating ``Retry-After`` times greater than 6 hours as 6 hours by
default. (`3743 <https://github.com/urllib3/urllib3/issues/3743>`__)
- Fixed ``urllib3.connection.VerifiedHTTPSConnection`` on Emscripten.
(`3752 <https://github.com/urllib3/urllib3/issues/3752>`__)

Update virtualenv from 20.35.4 to 20.36.1.

Changelog

20.36.1

What's Changed

20.36.0

What's Changed

pyup-bot commented Feb 9, 2026

Closing this in favor of #324

pyup-bot closed this Feb 9, 2026
jima80525 deleted the pyup-scheduled-update-2026-02-02 branch February 9, 2026 17:03