build(deps): bump the pip group with 11 updates #80

Closed
dependabot[bot] wants to merge 1 commit into develop from dependabot/uv/develop/pip-072b198459

@dependabot dependabot bot commented on behalf of github Feb 1, 2026

Bumps the pip group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| tzdata | 2025.2 | 2025.3 |
| mypy | 1.18.2 | 1.19.1 |
| ruff | 0.14.6 | 0.14.14 |
| bandit | 1.9.2 | 1.9.3 |
| zizmor | 1.17.0 | 1.22.0 |
| semgrep | 1.144.0 | 1.149.0 |
| basedpyright | 1.34.0 | 1.37.2 |
| types-setuptools | 80.9.0.20250822 | 80.10.0.20260124 |
| pytest | 8.4.2 | 9.0.2 |
| coverage[toml] | 7.12.0 | 7.13.2 |
| pre-commit | 4.5.0 | 4.5.1 |

Updates tzdata from 2025.2 to 2025.3

Release notes

Sourced from tzdata's releases.

2025.3: Release of upstream tzdata 2025c

Version 2025.3

Upstream version 2025c released 2025-12-10T22:42:37+00:00

Briefly:

Several code changes for compatibility with FreeBSD.

Changes to past timestamps

Baja California agreed with California’s DST rules in 1953 and in 1961 through 1975, instead of observing standard time all year. (Thanks to Alois Treindl.)

Changes to commentary

The leapseconds file contains commentary about the IERS and NIST last-modified and expiration timestamps for leap second data. (Thanks to Judah Levine.)

Commentary now also uses characters from the set –‘’“”•≤ as this can be useful and should work with current applications. This also affects data in iso3166.tab and zone1970.tab, which now contain strings like “Côte d’Ivoire” instead of “Côte d'Ivoire”.

Changelog

Sourced from tzdata's changelog.

Version 2025.3

Upstream version 2025c released 2025-12-10T22:42:37+00:00

Briefly:

Several code changes for compatibility with FreeBSD.

Changes to past timestamps

Baja California agreed with California’s DST rules in 1953 and in 1961 through 1975, instead of observing standard time all year. (Thanks to Alois Treindl.)

Changes to commentary

The leapseconds file contains commentary about the IERS and NIST last-modified and expiration timestamps for leap second data. (Thanks to Judah Levine.)

Commentary now also uses characters from the set –‘’“”•≤ as this can be useful and should work with current applications. This also affects data in iso3166.tab and zone1970.tab, which now contain strings like “Côte d’Ivoire” instead of “Côte d'Ivoire”.


Commits
  • d14cebc Update tzdata to version '2025c'
  • 4045188 Bump actions/checkout from 5 to 6 in the actions group (#117)
  • 9b58dd1 Stop requiring pytest-subtests for python>3.9, it has been incorporated int...
  • 7dc1b6c Update pre-commit repos
  • a9c68ae Add newlines to update PR description and commit (#106)
  • d619f31 Test Python 3.14t
  • b5ab93f Verify signatures of tarballs (#108)
  • 6f866b8 Use raw strings for regex
  • b1b3051 Fix dependabot config
  • dddc234 Commit
  • Additional commits viewable in compare view

Updates mypy from 1.18.2 to 1.19.1

Changelog

Sourced from mypy's changelog.

Mypy 1.19.1

  • Fix noncommutative joins with bounded TypeVars (Shantanu, PR 20345)
  • Respect output format for cached runs by serializing raw errors in cache metas (Ivan Levkivskyi, PR 20372)
  • Allow types.NoneType in match cases (A5rocks, PR 20383)
  • Fix mypyc generator regression with empty tuple (BobTheBuidler, PR 20371)
  • Fix crash involving Unpack-ed TypeVarTuple (Shantanu, PR 20323)
  • Fix crash on star import of redefinition (Ivan Levkivskyi, PR 20333)
  • Fix crash on typevar with forward ref used in other module (Ivan Levkivskyi, PR 20334)
  • Fail with an explicit error on PyPy (Ivan Levkivskyi, PR 20389)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • A5rocks
  • BobTheBuidler
  • bzoracler
  • Chainfire
  • Christoph Tyralla
  • David Foster
  • Frank Dana
  • Guo Ci
  • iap
  • Ivan Levkivskyi
  • James Hilton-Balfe
  • jhance
  • Joren Hammudoglu
  • Jukka Lehtosalo
  • KarelKenens
  • Kevin Kannammalil
  • Marc Mueller
  • Michael Carlstrom
  • Michael J. Sullivan
  • Piotr Sawicki
  • Randolf Scholz
  • Shantanu
  • Sigve Sebastian Farstad
  • sobolevn
  • Stanislav Terliakov
  • Stephen Morton
  • Theodore Ando
  • Thiago J. Barbalho
  • wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.18

We’ve just uploaded mypy 1.18.1 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features, performance

... (truncated)

Commits

Updates ruff from 0.14.6 to 0.14.14

Release notes

Sourced from ruff's releases.

0.14.14

Release Notes

Released on 2026-01-22.

Preview features

  • Preserve required parentheses in lambda bodies (#22747)
  • Combine range suppression code diagnostics (#22613)
  • [airflow] Second positional argument to Asset/Dataset should not be a dictionary (AIR303) (#22453)
  • [ruff] Detect duplicate entries in __all__ (RUF068) (#22114)

Bug fixes

  • [pyupgrade] Allow shadowing non-builtin bindings (UP029) (#22749)
  • [pyupgrade] Apply UP045 to string arguments of typing.cast (#22320)
  • [flake8-pie] Detect duplicated declared class fields in PIE794 (#22717)

Rule changes

Documentation

  • Add --exit-non-zero-on-format to formatter exit codes section (#22761)
  • Update contributing guide for adding a new rule (#22779)
  • [FastAPI] Document fix safety for FAST001 (#22655)
  • [flake8-async] Tweak explanation to focus on latency/efficiency tradeoff (ASYNC110) (#22715)
  • [pandas-vet] Make example error out-of-the-box (PD002) (#22561)
  • [refurb] Make the example work out of box (FURB101) (#22770)
  • [refurb] Make the example work out of box (FURB103) (#22769)

Contributors

... (truncated)

Changelog

Sourced from ruff's changelog.

0.14.14

Released on 2026-01-22.

Preview features

  • Preserve required parentheses in lambda bodies (#22747)
  • Combine range suppression code diagnostics (#22613)
  • [airflow] Second positional argument to Asset/Dataset should not be a dictionary (AIR303) (#22453)
  • [ruff] Detect duplicate entries in __all__ (RUF068) (#22114)

Bug fixes

  • [pyupgrade] Allow shadowing non-builtin bindings (UP029) (#22749)
  • [pyupgrade] Apply UP045 to string arguments of typing.cast (#22320)
  • [flake8-pie] Detect duplicated declared class fields in PIE794 (#22717)

Rule changes

Documentation

  • Add --exit-non-zero-on-format to formatter exit codes section (#22761)
  • Update contributing guide for adding a new rule (#22779)
  • [FastAPI] Document fix safety for FAST001 (#22655)
  • [flake8-async] Tweak explanation to focus on latency/efficiency tradeoff (ASYNC110) (#22715)
  • [pandas-vet] Make example error out-of-the-box (PD002) (#22561)
  • [refurb] Make the example work out of box (FURB101) (#22770)
  • [refurb] Make the example work out of box (FURB103) (#22769)

Contributors

... (truncated)

Commits
  • 8b2e7b3 Prepare release v0.14.14 (#22813)
  • 4c7d1f5 [ty] Infer TypedDict types with >=1 required key as being always truthy (#2...
  • b7de434 add CCfW hooks (#22803)
  • b912dfc [pyupgrade] Apply UP045 to string arguments of typing.cast (#22320)
  • 1ff062d [ty] Improve completion rankings for raise-from/except contexts (#22775)
  • 7e408a5 Update dependency wrangler to v4.59.1 (#22793)
  • ceb876b [flake8-pyi] Fix inconsistent handling of forward references for __new__,...
  • c5b4ee6 [ty] Support solving generics involving PEP 695 type aliases (#22678)
  • b9a6129 [ty] Improve support for kwarg splats in dictionary literals (#22781)
  • f516d47 Update contributing guide for adding a new rule (#22779)
  • Additional commits viewable in compare view

Updates bandit from 1.9.2 to 1.9.3

Release notes

Sourced from bandit's releases.

1.9.3

What's Changed

New Contributors

Full Changelog: PyCQA/bandit@1.9.2...1.9.3

Commits

Updates zizmor from 1.17.0 to 1.22.0

Release notes

Sourced from zizmor's releases.

v1.22.0

Changes ⚠️

  • The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#1536)

v1.21.0

New Features 🌈

  • New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱

  • zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the exit code documentation for details (#1515)

  • The unpinned-uses audit now supports auto-fixes for many findings (#1525)

Changes ⚠️

  • The obfuscation audit no longer flags shell: cmd. That check has been moved to the new misfeature audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛

v1.20.0

Enhancements 🌱

Changes ⚠️

  • The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

    Users who wish to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml

rules: unpinned-uses:

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.22.0

Changes ⚠️

  • The [misfeature] audit now only shows non-"well known" #!yaml shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the [unpinned-uses] audit (#1536)

1.21.0

New Features 🌈

  • New audit: [misfeature] detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱

  • zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the [exit code] documentation for details (#1515)

  • The [unpinned-uses] audit now supports auto-fixes for many findings (#1525)

Changes ⚠️

  • The [obfuscation] audit no longer flags #!yaml shell: cmd. That check has been moved to the new [misfeature] audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛

  • The [unpinned-uses] audit now flags reusable workflows that are unpinned, in addition to actions (#1509)

    Many thanks to @​johnbillion for implementing this fix!

1.20.0

Enhancements 🌱

  • The [excessive-permissions] audit is now aware of the artifact-metadata and models permissions (#1461)

  • The [cache-poisoning] audit is now aware of the @​ramsey/composer-install action (#1489)

... (truncated)

Commits

Updates semgrep from 1.144.0 to 1.149.0

Release notes

Sourced from semgrep's releases.

Release v1.149.0

1.149.0 - 2026-01-21

Added

  • Added a warning in --debug mode when a user runs a parallel scan with a larger value for -j/--jobs than the number of CPUs we detect the host has made available to Semgrep. Additionally, a suggested starting value for -j/--jobs is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)

Changed

  • The MCP server no longer supports SSE transport. (saf-2462)

Fixed

  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing the cost of re-hashing Target objects. Performance should improve on large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

Release v1.148.0

1.148.0 - 2026-01-14

Added

  • Performance: subproject discovery in Supply Chain scans is no longer significantly slowed down by the presence of Git-untracked files resulting in faster diff scans in such cases. (sc-subproject-speedup)

Fixed

  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.149.0 - 2026-01-21

Added

  • Added a warning in --debug mode when a user runs a parallel scan with a larger value for -j/--jobs than the number of CPUs we detect the host has made available to Semgrep. Additionally, a suggested starting value for -j/--jobs is reported to give the user a place to start tuning their scan. (saf-2474)
  • Upload symbol analysis on a per-subproject basis during supply chain scans. (sc-3038)

Changed

  • The MCP server no longer supports SSE transport. (saf-2462)

Fixed

  • pro: Improved virtual method resolution in Java (code-9210)
  • pro: Improved virtual method resolution in Scala (code-9212)
  • Improve performance of scan planning, a part of the Python CLI, by reducing the cost of re-hashing Target objects. Performance should improve on large repo scans proportionally to the number of files in the repo. (gh-5407)
  • semgrep ci no longer applies autofixes to disk, even when the "Suggest autofixes" toggle in the app is enabled. (saf-2446)

1.148.0 - 2026-01-14

Added

  • Performance: subproject discovery in Supply Chain scans is no longer significantly slowed down by the presence of Git-untracked files resulting in faster diff scans in such cases. (sc-subproject-speedup)

Fixed

  • pro: Improved virtual method resolution in Java (code-9174)
  • pro: Improved handling of parse errors during inter-file analysis. Now, these errors should be adequately reported back to users and in the JSON output. (code-9216)
  • Dataflow now accounts for Python for/else and while/else loops. (gh-8405)
  • Fix rare "bad file descriptor" when performing Git operations on Windows (saf-2358)

... (truncated)

Commits
  • 50257f6 chore: release version 1.149.0
  • c8c60d5 semgrep/semgrep-proprietary#5423
  • 2a8672d chore: remove tox semgrep/semgrep-proprietary#5421
  • 23c3421 chore: don't version semgrep.opam/OSS/dune-project. (semgrep/semgrep-prop...
  • b91705a fix(ci): Update setup-ocaml action for Cygwin issue (semgrep/semgrep-propriet...
  • 203b28d fix(ci): fix jsonnet templating s.t env isn't at job-level (semgrep/semgrep-p...
  • 1a1017d fix(ci): Fix benchmarking regression PR comment (semgrep/semgrep-proprietary#...
  • b7584b8 feat(perf): cache Target semgrep/semgrep-proprietary#5407
  • 7e33fcf semgrep/semgrep-proprietary#5382
  • e922050 Cron - update semgrep-rules and semgrep-rules-pro submodules (semgrep/semgrep...
  • Additional commits viewable in compare view

Updates basedpyright from 1.34.0 to 1.37.2

Commits
  • 80b91e2 1.37.2
  • ff32e9b bump python dependencies
  • 1e3c703 No hover messages or jump-to-definition for literals (#1706)
  • c94cbca fix reference to non-existent baseline mode in the docs
  • b5a482d 1.37.1
  • 532288f ignore lint errors in new script from upstream
  • a3c2773 fix fix:syncpack npm script
  • b9a3d2f fix mismatched npm package versions
  • 6bfe3fc fix type errors/lint errors from merge
  • ac32e65 update npm lockfile
  • Additional commits viewable in compare view

Updates types-setuptools from 80.9.0.20250822 to 80.10.0.20260124

Commits

Updates pytest from 8.4.2 to 9.0.2

Release notes

Sourced from pytest's releases.

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

  • #13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

  • #4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

9.0.1

pytest 9.0.1 (2025-11-12)

Bug fixes

  • #13895: Restore support for skipping tests via raise unittest.SkipTest.
  • #13896: The terminal progress plugin added in pytest 9.0 is now automatically disabled when iTerm2 is detected, it generated desktop notifications instead of the desired functionality.
  • #13904: Fixed the TOML type of the verbosity settings in the API reference from number to string.
  • #13910: Fixed UserWarning: Do not expect file_or_dir on some earlier Python 3.12 and 3.13 point versions.

Packaging updates and notes for downstreams

  • #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

Contributor-facing changes

  • #13891, #13942: The CI/CD part of the release automation is now capable of creating GitHub Releases without having a Git checkout on disk -- by bluetech and webknjaz.
  • #13933: The tox configuration has been adjusted to make sure the desired version string can be passed into its package_env through the SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST environment variable as a part of the release process -- by webknjaz.

... (truncated)

Commits
  • 3d10b51 Prepare release version 9.0.2
  • 188750b Merge pull request #14030 from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...
  • b7d7bef Merge pull request #14014 from bluetech/compat-note
  • bd08e85 Merge pull request #14013 from pytest-dev/patchback/backports/9.0.x/922b60377...
  • bc78386 Add CLI options reference documentation (#13930)
  • 5a4e398 Fix docs typo (#14005) (#14008)
  • d7ae6df Merge pull request #14006 from pytest-dev/maintenance/update-plugin-list-tmpl...
  • 556f6a2 pre-commit: fix rst-lint after new release (#13999) (#14001)
  • c60fbe6 Fix quadratic-time behavior when handling unittest subtests in Python 3.10 ...
  • 73d9b01 Merge pull request #13995 from nicoddemus/patchback/backports/9.0.x/1b5200c0f...
  • Additional commits viewable in compare view

Updates coverage[toml] from 7.12.0 to 7.13.2

Release notes

Sourced from coverage[toml]'s releases.

7.13.2

Version 7.13.2 — 2026-01-25

  • Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115.
  • Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117.

➡️  PyPI page: coverage 7.13.2. ➡️  To install: python3 -m pip install coverage==7.13.2

7.13.1

Version 7.13.1 — 2025-12-28

  • Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110.
  • Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.
  • Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105. This is now fixed, thanks to Jianrong Zhao.
  • Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn’t change any behavior. If you find that it does, please get in touch.
  • Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.
  • Docs: added a section explaining more about what is considered a missing branch and how it is reported: Examples of missing branches, as requested in issue 1597. Thanks to Ayisha Mohammed.
  • Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn’t set on 3.14+. This is now fixed, closing issue 2109.

➡️  PyPI page: coverage 7.13.1. ➡️  To install: python3 -m pip install coverage==7.13.1

7.13.0

Version 7.13.0 — 2025-12-08

  • Feature: coverage.py now supports .coveragerc.toml configuration files. These files use TOML syntax and take priority over pyproject.toml but lower priority than .coveragerc files. Closes issue 1643 thanks to Olena Yefymenko.
  • Fix: we now include a permanent .pth file which is installed with the code, fixing issue 2084. In 7.12.1b1 this was done incorrectly: it didn’t work when using the source wheel (py3-none-any). This is now fixed. Thanks, Henry Schreiner.
  • Deprecated: when coverage.py is installed, it creates three command entry points: coverage, coverage3, and coverage-3.10 (if installed for Python 3.10). The second and third of these are not needed and will eventually be removed. They still work for now, but print a message about their deprecation.

➡️  PyPI page: coverage 7.13.0. ➡️  To install: python3 -m pip install coverage==7.13.0

7.12.1b1

Version 7.12.1b1 — 2025-11-30

  • Fix: coverage.py now includes a permanent .pth file in the distribution which is installed with the code. This fixes issue 2084: failure to patch for subprocess measurement when site-packages is not writable.

➡️  PyPI page: coverage 7.12.1b1. ➡️  To install: python3 -m pip install coverage==7.12.1b1

Changelog

Sourced from coverage[toml]'s changelog.

Version 7.13.2 — 2026-01-25

  • Fix: when Python is installed via symlinks, for example with Homebrew, the standard library files could be incorrectly included in coverage reports. This is now fixed, closing issue 2115_.

  • Fix: if a data file is created with no read permissions, the combine step would fail completely. Now a warning is issued and the file is skipped. Closes issue 2117_.

.. _issue 2115: coveragepy/coveragepy#2115
.. _issue 2117: coveragepy/coveragepy#2117

.. _changes_7-13-1:

Version 7.13.1 — 2025-12-28

  • Added: the JSON report now includes a "start_line" key for function and class regions, indicating the first line of the region in the source. Closes issue 2110_.

  • Added: The debug data command now takes file names as arguments on the command line, so you can inspect specific data files without needing to set the COVERAGE_FILE environment variable.

  • Fix: the JSON report used to report module docstrings as executed lines, which no other report did, as described in issue 2105_. This is now fixed, thanks to Jianrong Zhao.

  • Fix: coverage.py uses a more disciplined approach to detecting where third-party code is installed, and avoids measuring it. This shouldn't change any behavior. If you find that it does, please get in touch.

  • Performance: data files that will be combined now record their hash as part of the file name. This lets us skip duplicate data more quickly, speeding the combining step.

  • Docs: added a section explaining more about what is considered a missing branch and how it is reported: :ref:branch_explain, as requested in issue 1597. Thanks to Ayisha Mohammed <pull 2092_>.

  • Tests: the test suite misunderstood what core was being tested if COVERAGE_CORE wasn't set on 3.14+. This is now fixed, closing issue 2109_.

.. _issue 1597: coveragepy/coveragepy#1597
.. _pull 2092: coveragepy/coveragepy#2092

... (truncated)

Commits
  • 513e971 docs: sample HTML for 7.13.2
  • 27a8230 docs: prep for 7.13.2
  • 27d8daa refactor: plural does more
  • a2f248c fix: stdlib might be through a symlink. #2115
  • bc52a22 debug: re-organize Matchers to sho...

    Description has been truncated

Bumps the pip group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| [tzdata](https://github.com/python/tzdata) | `2025.2` | `2025.3` |
| [mypy](https://github.com/python/mypy) | `1.18.2` | `1.19.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.14.6` | `0.14.14` |
| [bandit](https://github.com/PyCQA/bandit) | `1.9.2` | `1.9.3` |
| [zizmor](https://github.com/zizmorcore/zizmor) | `1.17.0` | `1.22.0` |
| [semgrep](https://github.com/semgrep/semgrep) | `1.144.0` | `1.149.0` |
| [basedpyright](https://github.com/detachhead/basedpyright) | `1.34.0` | `1.37.2` |
| [types-setuptools](https://github.com/typeshed-internal/stub_uploader) | `80.9.0.20250822` | `80.10.0.20260124` |
| [pytest](https://github.com/pytest-dev/pytest) | `8.4.2` | `9.0.2` |
| [coverage[toml]](https://github.com/coveragepy/coveragepy) | `7.12.0` | `7.13.2` |
| [pre-commit](https://github.com/pre-commit/pre-commit) | `4.5.0` | `4.5.1` |


Updates `tzdata` from 2025.2 to 2025.3
- [Release notes](https://github.com/python/tzdata/releases)
- [Changelog](https://github.com/python/tzdata/blob/master/NEWS.md)
- [Commits](python/tzdata@2025.2...2025.3)

Updates `mypy` from 1.18.2 to 1.19.1
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.18.2...v1.19.1)

Updates `ruff` from 0.14.6 to 0.14.14
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.14.6...0.14.14)

Updates `bandit` from 1.9.2 to 1.9.3
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](PyCQA/bandit@1.9.2...1.9.3)

Updates `zizmor` from 1.17.0 to 1.22.0
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.17.0...v1.22.0)

Updates `semgrep` from 1.144.0 to 1.149.0
- [Release notes](https://github.com/semgrep/semgrep/releases)
- [Changelog](https://github.com/semgrep/semgrep/blob/develop/CHANGELOG.md)
- [Commits](semgrep/semgrep@v1.144.0...v1.149.0)

Updates `basedpyright` from 1.34.0 to 1.37.2
- [Release notes](https://github.com/detachhead/basedpyright/releases)
- [Commits](DetachHead/basedpyright@v1.34.0...v1.37.2)

Updates `types-setuptools` from 80.9.0.20250822 to 80.10.0.20260124
- [Commits](https://github.com/typeshed-internal/stub_uploader/commits)

Updates `pytest` from 8.4.2 to 9.0.2
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.4.2...9.0.2)

Updates `coverage[toml]` from 7.12.0 to 7.13.2
- [Release notes](https://github.com/coveragepy/coveragepy/releases)
- [Changelog](https://github.com/coveragepy/coveragepy/blob/main/CHANGES.rst)
- [Commits](coveragepy/coveragepy@7.12.0...7.13.2)

Updates `pre-commit` from 4.5.0 to 4.5.1
- [Release notes](https://github.com/pre-commit/pre-commit/releases)
- [Changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md)
- [Commits](pre-commit/pre-commit@v4.5.0...v4.5.1)

---
updated-dependencies:
- dependency-name: tzdata
  dependency-version: '2025.3'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: mypy
  dependency-version: 1.19.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: ruff
  dependency-version: 0.14.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: bandit
  dependency-version: 1.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: pip
- dependency-name: zizmor
  dependency-version: 1.22.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: semgrep
  dependency-version: 1.149.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: basedpyright
  dependency-version: 1.37.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: types-setuptools
  dependency-version: 80.10.0.20260124
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest
  dependency-version: 9.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: pip
- dependency-name: coverage[toml]
  dependency-version: 7.13.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pre-commit
  dependency-version: 4.5.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Feb 1, 2026
@theseriff theseriff closed this Feb 4, 2026

dependabot bot commented on behalf of github Feb 4, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/uv/develop/pip-072b198459 branch February 4, 2026 01:45