Deps: Bump the python-packages group with 10 updates

[dependabot]

Updates the requirements on paramiko, lxml, coverage, sphinx, autohooks-plugin-ruff, autohooks-plugin-mypy, pontos, furo, types-paramiko and git-cliff to permit the latest version.
Updates paramiko to 4.0.0

Commits

• aad0370 Cut 4.0.0 in changelog
• 76f2406 Speling
• 8c4277c Fix syntax-warning-throwing unittest method call
• d3a9617 Test existence of root module dunder version
• 9579700 Nuke mentions of specific Python 3.x versions from docs etc
• dbfd52c Administrivia update: Python>=3.9, pyproject.toml, etc
• c2ba378 Remove outdated version check in GSS module
• 2af0dd7 I'm good at my job, honest
• e534b1a Fixes #973: remove DSA/DSS support
• 3523feb Tweak .gitignore to more safely ignore top level docs/
• Additional commits viewable in compare view

Updates lxml to 6.1.0

Changelog

Sourced from lxml's changelog.

6.1.0 (2026-04-17)

This release fixes a possible external entity injection (XXE) vulnerability in iterparse() and the ETCompatXMLParser.

Features added

• GH#486: The HTML ARIA accessibility attributes were added to the set of safe attributes in lxml.html.defs. This allows lxml_html_clean to pass them through. Patch by oomsveta.

• The default chunk size for reading from file-likes in iterparse() is now configurable with a new chunk_size argument.

Bugs fixed

• LP#2146291: The resolve_entities option was still set to True for iterparse and ETCompatXMLParser, allowing for external entity injection (XXE) when using these parsers without setting this option explicitly. The default was now changed to 'internal' only (as for the normal XML and HTML parsers since lxml 5.0). Issue found by Sihao Qiu as CVE-2026-41066.

6.0.4 (2026-04-12)

Bugs fixed

• LP#2148019: Spurious MemoryError during namespace cleanup.

6.0.3 (2026-04-09)

Bugs fixed

• Several out of memory error cases now raise MemoryError that were not handled before.

• Slicing with large step values (outside of +/- sys.maxsize) could trigger undefined C behaviour.

• LP#2125399: Some failing tests were fixed or disabled in PyPy.

• LP#2138421: Memory leak in error cases when setting the public_id or system_url of a document.

... (truncated)

Commits

• 43722f4 Update changelog.
• 8747040 Name version of option change in docstring.
• 6c36e6c Fix pypistats URL in download statistics script.
• c7d76d6 Change security policy to point to Github security advisories.
• 378ccf8 Update project income report.
• 315270b Docs: Reduce TOC depth of package pages and move module contents first.
• 6dbba7f Docs: Show current year in copyright line.
• e4385bf Update project income report.
• 5bed1e1 Validate file hashes in release download script.
• c13ee10 Prepare release of 6.1.0.
• Additional commits viewable in compare view

Updates coverage to 7.13.5

Changelog

Sourced from coverage's changelog.

Version 7.13.5 — 2026-03-17

• Fix: issue 2138_ describes a memory leak that happened when repeatedly using the Coverage API with in-memory data. This is now fixed.

• Fix: the markdown-formatted coverage report didn't fully escape special characters in file paths (issue 2141). This would be very unlikely to cause a problem, but now it's done properly, thanks to Ellie Ayla <pull 2142_>.

• Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145_).

.. _issue 2138: coveragepy/coveragepy#2138 .. _issue 2141: coveragepy/coveragepy#2141 .. _pull 2142: coveragepy/coveragepy#2142 .. _issue 2145: coveragepy/coveragepy#2145

.. _changes_7-13-4:

Version 7.13.4 — 2026-02-09

• Fix: the third-party code fix in 7.13.3 required examining the parent directories where coverage was run. In the unusual situation that one of the parent directories is unreadable, a PermissionError would occur, as described in issue 2129_. This is now fixed.

• Fix: in test suites that change sys.path, coverage.py could fail with "RuntimeError: Set changed size during iteration" as described and fixed in pull 2130_. Thanks, Noah Fatsi.

• We now publish ppc64le wheels, thanks to Pankhudi Jain <pull 2121_>_.

.. _pull 2121: coveragepy/coveragepy#2121 .. _issue 2129: coveragepy/coveragepy#2129 .. _pull 2130: coveragepy/coveragepy#2130

.. _changes_7-13-3:

Version 7.13.3 — 2026-02-03

• Fix: in some situations, third-party code was measured when it shouldn't have been, slowing down test execution. This happened with layered virtual environments such as uv sometimes makes. The problem is fixed, closing issue 2082_. Now any directory on sys.path that is inside a virtualenv is considered third-party code.

... (truncated)

Commits

• c88da14 docs: sample HTML for 7.13.5
• e2ac3e1 build: sample HTML shouldn't include the status.json file
• 910f8f3 docs: prep for 7.13.5
• 3a4819c style: make workflows more uniform
• 2a53705 chore: bump the action-dependencies group across 1 directory with 4 updates (...
• e7c878d chore: make upgrade
• ab4db40 build: use --generate-hashes when pinning
• a438753 chore: make upgrade
• 7b33457 refactor: some leftover pyupgrade 3.10 bits
• 2ff968d refactor: this type wasn't used anywhere
• Additional commits viewable in compare view

Updates sphinx to 8.1.3

Release notes

Sourced from sphinx's releases.

Sphinx 8.1.3

Changelog: https://www.sphinx-doc.org/en/master/changes/8.1.html

Bugs fixed

• #13013: Restore support for cut_lines() with no object type. Patch by Adam Turner.

Changelog

Sourced from sphinx's changelog.

Release 8.1.3 (released Oct 13, 2024)

Bugs fixed

• #13013: Restore support for :func:!cut_lines with no object type. Patch by Adam Turner.

Release 8.1.2 (released Oct 12, 2024)

Bugs fixed

• #13012: Expose :exc:sphinx.errors.ExtensionError in sphinx.util for backwards compatibility. This will be removed in Sphinx 9, as exposing the exception in sphinx.util was never intentional. :exc:!ExtensionError has been part of sphinx.errors since Sphinx 0.9. Patch by Adam Turner.

Release 8.1.1 (released Oct 11, 2024)

Bugs fixed

• #13006: Use the preferred https://www.cve.org/ URL for the :rst:role::cve: <cve> role. Patch by Hugo van Kemenade.
• #13007: LaTeX: Improve resiliency when the required fontawesome or fontawesome5 packages are not installed. Patch by Jean-François B.

Release 8.1.0 (released Oct 10, 2024)

Dependencies

• #12756: Add lower-bounds to the sphinxcontrib-* dependencies. Patch by Adam Turner.
• #12833: Update the LaTeX parskip package from 2001 to 2018. Patch by Jean-François B.

Incompatible changes

• #12763: Remove unused internal class sphinx.util.Tee.

... (truncated)

Commits

• a1510de Bump to 8.1.3 final
• 62e9606 Restore support for cut_lines() with no object type (#13015)
• 5ae32ce Bump version
• a72b47b Bump to 8.1.2 final
• 39a45ad Expose ExtensionError in sphinx.util for backwards compatibility.
• 5a4859a Add docs about sphinx-autobuild (#13011)
• 05679ef Type-check the 'autodoc_intenum' example (#12827)
• 86d1d31 Prune CHANGES of unneeded sections
• b6269d3 Improve documentation for the Builder API (#13008)
• c46abc4 Improve clarity for master_doc and root_doc
• Additional commits viewable in compare view

Updates autohooks-plugin-ruff to 25.3.1

Release notes

Sourced from autohooks-plugin-ruff's releases.

autohooks-plugin-ruff 25.3.1

25.3.1 - 2025-03-12

Commits

• 00c89ea Automatic release to 25.3.1
• 6e04389 Fixed typo in repo URL
• 378724f Automatic adjustments after release [skip ci]
• 873ad36 Automatic release to 25.3.0
• dde6294 Deps: Bump the python-packages group with 2 updates
• 914c22e Deps: Bump ruff from 0.9.7 to 0.9.9 in the python-packages group
• 1cdd8cf Deps: Bump ruff from 0.9.6 to 0.9.7 in the python-packages group
• 4ff5cdb Deps: Bump the python-packages group with 3 updates
• 0d0aeaa Deps: Bump the python-packages group with 2 updates
• 930d35b Automatic adjustments after release [skip ci]
• See full diff in compare view

Updates autohooks-plugin-mypy to 23.10.0

Release notes

Sourced from autohooks-plugin-mypy's releases.

autohooks-plugin-mypy 23.10.0

23.10.0 - 2023-10-18

Added

• Auto-merge workflow, to enable squash auto-merge in open PRs (#66) 1d0c887
• Add action for reporting the conventional commits ac1fa90
• Add coverage as dev dependency 89e4e5c

Changed

• Update supported Python versions (#69) 8de2f7b
• Group dependabot updates fef898c
• Use generic reusable workflows b51a6a7
• Create conventional commits for dependabot 9000ba9
• Resolve deprecation warnings in GitHub workflows 0981783
• Use new pypi-upload action for releasing the Python package 09642a5

Bug Fixes

• Fix conventional commits workflow f51c796
• Set permission on conventional commits workflow (#26) 5f2c6ac

Dependencies

• Bump the python-packages group with 1 update (#68) c9951bc
• Bump the python-packages group with 4 updates (#67) 73ee696
• Bump the python-packages group with 1 update (#65) b474682
• Bump the github-actions group with 1 update 739751b
• Bump the python-packages group with 1 update 408d437
• Bump platformdirs from 3.5.3 to 3.10.0 d91cbb7
• Bump dill from 0.3.6 to 0.3.7 (#59) 58b3a08
• Bump exceptiongroup from 1.1.1 to 1.1.3 (#56) 021a01d
• Bump typed-ast from 1.5.4 to 1.5.5 (#55) 5715d79
• Bump tomlkit from 0.11.8 to 0.12.1 (#53) bddbcab
• Bump pathspec from 0.11.1 to 0.11.2 (#51) 7696861
• Bump certifi from 2023.5.7 to 2023.7.22 (#50) 60e1bec
• Bump pylint from 2.17.4 to 2.17.5 (#54) e068fdf
• Bump anyio from 3.7.0 to 3.7.1 (#49) a01dbbe
• Bump pygments from 2.15.1 to 2.16.1 (#48) 094a8ee
• Bump click from 8.1.3 to 8.1.7 (#47) d9efc40
• Bump rich from 13.4.1 to 13.5.2 (#52) e04603f
• Bump astroid from 2.15.5 to 2.15.6 (#46) e4b42ec
• Bump importlib-metadata from 6.6.0 to 6.7.0 (#45) 3927788
• Bump greenbone/actions from 2 to 3 3d78e9d
• Bump mypy from 1.3.0 to 1.4.1 81541fc
• Bump platformdirs from 3.5.1 to 3.5.3 f35ac3e
• Bump rich from 13.3.5 to 13.4.1 d5adcfe
• Bump typing-extensions from 4.6.2 to 4.6.3 25b4353
• Bump coverage from 7.2.5 to 7.2.7 6094002

Commits

• 6b64354 Automatic release to 23.10.0
• 8de2f7b Change: Update supported Python versions (#69)
• c9951bc Deps: Bump the python-packages group with 1 update (#68)
• 73ee696 Deps: Bump the python-packages group with 4 updates (#67)
• 1d0c887 Add: Auto-merge workflow, to enable squash auto-merge in open PRs (#66)
• b474682 Deps: Bump the python-packages group with 1 update (#65)
• 739751b Deps: Bump the github-actions group with 1 update
• 408d437 Deps: Bump the python-packages group with 1 update
• fef898c Change: Group dependabot updates
• d91cbb7 Deps: Bump platformdirs from 3.5.3 to 3.10.0
• Additional commits viewable in compare view

Updates pontos to 26.4.1

Release notes

Sourced from pontos's releases.

pontos 26.4.1

26.4.1 - 2026-04-21

Added

• "Status Change" event name 43d0a9fd
• Unit tests for SourceApi 12426032
• Unit tests for CVEApi af3bac29
• Unit tests for CVEApi 7540c7b9
• Unit tests for CPEMatchApi 85af5958
• Unit tests for CPEApi 30e7707b
• data field to ModelError 3528682d
• return_exceptions parameter to SourceApi 9eb0afc7
• return_exceptions parameter to CPEMatchApi 7b7492c9
• return_exceptions parameter to CPEApi e297438d
• return_exceptions parameter to CVEApi 30aa2252
• return_exceptions parameter to CVEChangesApi 39d898ee
• return_exceptions parameter to NVDResults and result_iterator_func 4d74277f

Changed

• Wrap _result_iterator body to deduplicate code a6fcd449
• Adjust return type hint and type definition 97e2fab5
• Fix SourceApi unit tests cdcf76fd
• Variable name a7249e69
• Fix typo in unit test class name e2e6538a
• Adjust unit tests of NVDResults 2079946f

Dependencies

• Bump the python-packages group with 3 updates dba0f5c4
• Bump the actions group across 1 directory with 4 updates 7d1a3333
• Bump the python-packages group with 7 updates ae06f64c

Commits

• 73fc212 Automatic release to 26.4.1
• 43d0a9f Add: "Status Change" event name
• a6fcd44 Change: Wrap _result_iterator body to deduplicate code
• 97e2fab Change: Adjust return type hint and type definition
• cdcf76f Change: Fix SourceApi unit tests
• a7249e6 Change: Variable name
• e2e6538 Change: Fix typo in unit test class name
• 1242603 Add: Unit tests for SourceApi
• af3bac2 Add: Unit tests for CVEApi
• 7540c7b Add: Unit tests for CVEApi
• Additional commits viewable in compare view

Updates furo to 2025.12.19

Release notes

Sourced from furo's releases.

2025.12.19

• Bump the supported Sphinx version range

Full Changelog: pradyunsg/furo@2025.09.25...2025.12.19

Changelog

Sourced from furo's changelog.

2025.12.19 -- Harmonious Honeydew

• ✨ Add support for Sphinx 9.
• Drop support for Sphinx 6.

2025.09.25 -- Gleaming Green

• Change the dark mode code back to native.

2025.07.19 -- Frozen Flame

• ✨ Switch to accessible-pygments themes
• ✨ Prefetch the sidebar logos
• ✨ Fix flickering header drop shadow on Safari
• Add rel=edit attribute to "Edit this page" link/icon
• Bump NodeJS and npm dependency versions
• Bump Saas & Webpack major versions
• Improve current page detection to be resilient to sticky elements above header
• Modernise Sass and use @use + @forward
• Remove top of code border-radius with captions
• Remove "debug printf" for headerTop value
• Use distinct images for light and dark mode in the documentation
• Use the modern Saas Modules

2024.08.06 -- Energetic Eminence

• ✨ Add support for Sphinx 8
• ✨ Add smoother transitions between breakpoints
• Increase specificity of table-wrapper selector
• Avoid page breaks inside paragraphs

2024.07.18 -- Dull Denim

• Improve how icons are handled and aligned.
• Improve scroll event handler.
• Hide the copybutton by default.
• Fix source_view_link configuration handling.
• Fix close tag on pencil icon.

2024.05.06 -- Cheerful Cerulean

• ✨ Add new custom icons for auto mode, reflecting the currently active theme.
• ✨ Add a view this page button.
• ✨ Add colours and highlighting to "version modified" API helpers.
• ✨ Add release information to various customisation knobs.
• Make all icons bigger and use a thinner stroke with them.

2024.04.27 -- Bold Burgundy

• Add a skip to content link.

... (truncated)

Commits

• dd9e9f9 Prepare release: 2025.12.19
• d43f7e9 Update changelog
• d27cab5 Bump the supported Sphinx version range
• 12f288e Back to development
• 7c5f8fa Prepare release: 2025.09.25
• 8bfdc54 Update changelog
• d92b62f Switch the dark mode theme back to native
• 83c3446 Add Blender to "used by" section (#898)
• 426ea05 Remove old scrollbar selectors (#892)
• d22d31c Remove trailing slash on void elements (#895)
• Additional commits viewable in compare view

Updates types-paramiko to 4.0.0.20260408

Commits

• See full diff in compare view

Updates git-cliff to 2.12.0

Release notes

Sourced from git-cliff's releases.

Release v2.12.0

2.12.0 - 2026-01-20

⛰️ Features

• (args) Add offline flag (#1321) - (f19f1cd)
• (args) Add --skip-tags cli argument (#1334) - (32cf8c5)
• (logging) Implement commit processing summary (#1355) - (aa01a09)

🐛 Bug Fixes

• (config) Respect the changelog.output configuration (#1349) - (cfcc5ae)
• (logging) Revert the noisy warn log level to trace (#1353) - (eb99e41)
• (remote) Avoid false first-time contributors when tag timestamp missing (#1348) - (de7cf02)
• (remote) Remove reqwest::Response::error_for_status (#1336) - (081ba68)

📚 Documentation

• (contributing) Clarify Rust toolchain requirements (#1344) - (97b0322)
• (install) Add mise alternative method installation (#1320) - (34b8d30)
• (website) Add highlights for 2.12.0 (#1356) - (0228f43)

⚙️ Miscellaneous Tasks

• (azure_devops) [breaking] Rename azureDevops variable to azure_devops (#1319) - (5d955c1)
• (ci) Fix codecov action inputs and skip upload for dependabot PRs (#1343) - (d7a47bb)
• (clippy) Fix pedantic lints (#1346) - (0260b0a)
• Update yarn.lock (#1322) - (0cec8a0)

New Contributors ❤️

• @​taladar made their first contribution in #1319
• @​barskern made their first contribution in #1321
• @​ooooo-create made their first contribution in #1334
• @​jylenhof made their first contribution in #1320

Changelog

Sourced from git-cliff's changelog.

2.12.0 - 2026-01-20

⛰️ Features

• (args) Add offline flag (#1321) - (f19f1cd)
• (args) Add --skip-tags cli argument (#1334) - (32cf8c5)
• (logging) Implement commit processing summary (#1355) - (aa01a09)

🐛 Bug Fixes

• (config) Respect the changelog.output configuration (#1349) - (cfcc5ae)
• (logging) Revert the noisy warn log level to trace (#1353) - (eb99e41)
• (remote) Avoid false first-time contributors when tag timestamp missing (#1348) - (de7cf02)
• (remote) Remove reqwest::Response::error_for_status (#1336) - (081ba68)

📚 Documentation

• (contributing) Clarify Rust toolchain requirements (#1344) - (97b0322)
• (install) Add mise alternative method installation (#1320) - (34b8d30)
• (website) Add highlights for 2.12.0 (#1356) - (0228f43)

⚙️ Miscellaneous Tasks

• (azure_devops) [breaking] Rename azureDevops variable to azure_devops (#1319) - (5d955c1)
• (ci) Fix codecov action inputs and skip upload for dependabot PRs (#1343) - (d7a47bb)
• (clippy) Fix pedantic lints (#1346) - (0260b0a)
• Update yarn.lock (#1322) - (0cec8a0)

New Contributors ❤️

• @​taladar made their first contribution in #1319
• @​barskern made their first contribution in #1321
• @​ooooo-create made their first contribution in #1334
• @​jylenhof made their first contribution in #1320

2.11.0 - 2025-12-14

⛰️ Features

• (changelog) Support failing on unmatched commits (#1298) - (a22a1a3)
• (integration) Add support for azure devops (#1283) - (ef65be6)
• (repo) Improve repository/directory path resolution (#1290) - (7b1825b)
• (template) Add split_regex, replace_regex, find_regex filters (#1287) - (8270084)

🐛 Bug Fixes

• (args) Set the include-path if workdir is set (#1293) - (50b8312)
• (bump) Write bumped version to stdout even when output config is set (#1307) - (314ff57)
• (remote) Use optional default branch for GitLab (#1305) - (d3cb938)
• (repo) Always discover repositories - (b4db79f)

... (truncated)

Commits

• 988e863 chore(release): prepare for v2.12.0
• 0228f43 docs(website): add highlights for 2.12.0 (#1356)
• aa01a09 feat(logging): implement commit processing summary (#1355)
• eb99e41 fix(logging): revert the noisy warn log level to trace (#1353)
• cfcc5ae fix(config): respect the changelog.output configuration (#1349)
• 5d955c1 chore(azure_devops)!: rename azureDevops variable to azure_devops (#1319)
• 0260b0a chore(clippy): fix pedantic lints (#1346)
• f19f1cd feat(args): add offline flag (#1321)
• de7cf02 fix(remote): avoid false first-time contributors when tag timestamp missing (...
• 97b0322 docs(contributing): clarify Rust toolchain requirements (#1344)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA bc14bd9.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

pyproject.toml

Package	Version	License	Issue Type
lxml	>= 6.1.0	Null	Unknown License
paramiko	>= 4.0.0	Null	Unknown License

Allowed Licenses:

0BSD, AGPL-3.0-or-later, Apache-2.0, BlueOak-1.0.0, BSD-2-Clause, BSD-3-Clause-Clear, BSD-3-Clause, BSL-1.0, bzip2-1.0.6, CAL-1.0, CC-BY-3.0, CC-BY-4.0, CC-BY-SA-4.0, CC0-1.0, EPL-2.0, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0, ISC, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-2.1, LGPL-3.0-only, LGPL-3.0, LGPL-3.0-or-later, MIT, MIT-CMU, MPL-1.1, MPL-2.0, OFL-1.1, PSF-2.0, Python-2.0, Python-2.0.1, Unicode-3.0, Unicode-DFS-2016, Unlicense, Zlib, ZPL-2.1

OpenSSF Scorecard

Package	Version	Score	Details
pip/lxml	>= 6.1.0	Unknown	Unknown
pip/paramiko	>= 4.0.0	Unknown	Unknown

Scanned Files

• pyproject.toml

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.

[dependabot]

The group that created this PR has been removed from your configuration.