chore(deps): bump the all-dependencies group with 5 updates

[dependabot]

Bumps the all-dependencies group with 5 updates:

Package	From	To
hypothesis	6.151.9	6.151.10
ruff	0.15.7	0.15.8
tox	4.50.3	4.51.0
uv	0.10.12	0.11.2
cryptography	46.0.5	46.0.6

Updates hypothesis from 6.151.9 to 6.151.10

Release notes

Sourced from hypothesis's releases.

Hypothesis for Python - version 6.151.10

When shrinking takes more than five minutes, Hypothesis now prints the "@​seed" decorator alongside the slow-shrinking warning so you can reproduce the failure.

Thanks to Ian Hunt-Isaak for this contribution!

The canonical version of these notes (with links) is on readthedocs.

Commits

• dd619a8 Bump hypothesis-python version to 6.151.10 and update changelog
• 47bf92e Merge pull request #4685 from HypothesisWorks/create-pull-request/patch
• e87b8ba Update pinned dependencies
• d2a9a59 Merge pull request #4677 from ianhi/slow-shrink-seed
• 1d6046a format
• 36c2cae refactor and reword
• 3d54cdc Merge remote-tracking branch 'upstream/master' into slow-shrink-seed
• c1d70b8 Merge pull request #4679 from HypothesisWorks/create-pull-request/patch
• e1e0ba1 Update pinned dependencies
• 9fe714d Merge pull request #4678 from HypothesisWorks/create-pull-request/patch
• Additional commits viewable in compare view

Updates ruff from 0.15.7 to 0.15.8

Release notes

Sourced from ruff's releases.

0.15.8

Release Notes

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.8

Released on 2026-03-26.

Preview features

• [ruff] New rule unnecessary-if (RUF050) (#24114)
• [ruff] New rule useless-finally (RUF072) (#24165)
• [ruff] New rule f-string-percent-format (RUF073): warn when using % operator on an f-string (#24162)
• [pyflakes] Recognize frozendict as a builtin for Python 3.15+ (#24100)

Bug fixes

• [flake8-async] Use fully-qualified anyio.lowlevel import in autofix (ASYNC115) (#24166)
• [flake8-bandit] Check tuple arguments for partial paths in S607 (#24080)
• [pyflakes] Skip undefined-name (F821) for conditionally deleted variables (#24088)
• E501/W505/formatter: Exclude nested pragma comments from line width calculation (#24071)
• Fix %foo? parsing in IPython assignment expressions (#24152)
• analyze graph: resolve string imports that reference attributes, not just modules (#24058)

Rule changes

• [eradicate] ignore ty: ignore comments in ERA001 (#24192)
• [flake8-bandit] Treat sys.executable as trusted input in S603 (#24106)
• [flake8-self] Recognize Self annotation and self assignment in SLF001 (#24144)
• [pyflakes] F507: Fix false negative for non-tuple RHS in %-formatting (#24142)
• [refurb] Parenthesize generator arguments in FURB142 fixer (#24200)

Performance

• Speed up diagnostic rendering (#24146)

Server

• Warn when Markdown files are skipped due to preview being disabled (#24150)

Documentation

• Clarify extend-ignore and extend-select settings documentation (#24064)
• Mention AI policy in PR template (#24198)

Other changes

• Use trusted publishing for NPM packages (#24171)

Contributors

• @​bitloi
• @​Sim-hu
• @​mvanhorn

... (truncated)

Commits

• c2a8815 Release 0.15.8 (#24217)
• d444d52 [ty] Infer lambda expressions with Callable type context (#22633)
• 9622285 [ty] Autocomplete arguments if in arguments node (#24167)
• d812662 Use the release environment in publish-docs (#24214)
• eda2355 [ty] Show Final source in final assignment diagnostic (#24194)
• 929eb52 [ty] Enforce Final attribute assignment rules for annotated and augmented wri...
• 34998be [ty] Fix typo in comment (#24211)
• 560aca0 [ty] Minor simplifications to some benchmark code (#24209)
• 683bae5 [ty] Track non-terminal-call constraints in global scope (#23245)
• 4704c2a [ty] Remove unnecessary intermediate collection in `StaticClassLiteral::field...
• Additional commits viewable in compare view

Updates tox from 4.50.3 to 4.51.0

Release notes

Sourced from tox's releases.

v4.51.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/tox#3896
• Add base_python_file config option by @​rahuldevikar in tox-dev/tox#3899
• prevent machine ISA from overriding explicit env factors by @​rahuldevikar in tox-dev/tox#3904
• 🐛 fix(config): fix handling of env_list in nested contexts by @​Daverball in tox-dev/tox#3905
• fix: enable persist-credentials for release workflow by @​rahuldevikar in tox-dev/tox#3907

New Contributors

• @​Daverball made their first contribution in tox-dev/tox#3905

Full Changelog: tox-dev/tox@4.50.3...4.51.0

Changelog

Sourced from tox's changelog.

Features - 4.51.0

• Add base_python_file configuration option to read the base Python version from a file (e.g. .python-version), similar to GitHub Actions' python-version-file - by :user:rahuldevikar (:issue:3894)

Bug fixes - 4.51.0

• Prevent implicit machine ISA (e.g. arm64, x86_64) from overriding explicit architecture factors in environment names, fixing cross-architecture conflicts in multiline factor conditionals - by :user:rahuldevikar. (:issue:3903)
• Nested environment list configuration values are now properly parsed, validated and expanded by the TOML parser. This allows you to use generative environment lists in tox-gh via the TOML format. Previously this was only possible with the INI format. - by :user:Daverball (:issue:3905)

Miscellaneous internal changes - 4.51.0

• Enable persist-credentials: true in the actions/checkout step of the prepare-release workflow so that git push operations succeed during automated releases - by :user:rahuldevikar. (:issue:3907)

---

v4.50.3 (2026-03-20)

---

Commits

• 5f1ec1a release 4.51.0
• b5f9b13 fix: enable persist-credentials for release workflow (#3907)
• 8c9c199 🐛 fix(config): fix handling of env_list in nested contexts (#3905)
• 451aa9c prevent machine ISA from overriding explicit env factors (#3904)
• 106f036 Add base_python_file config option (#3899)
• 16df4d8 🔒 ci(workflows): add zizmor security auditing (#3896)
• 140f8ae [pre-commit.ci] pre-commit autoupdate (#3893)
• See full diff in compare view

Updates uv from 0.10.12 to 0.11.2

Release notes

Sourced from uv's releases.

0.11.2

Release Notes

Released on 2026-03-26.

Enhancements

• Add a dedicated Windows PE editing error (#18710)
• Make uv self update fetch the manifest from the mirror first (#18679)
• Use uv reqwest client for self update (#17982)
• Show uv self update success and failure messages with --quiet (#18645)

Preview features

• Evaluate extras and groups when determining auditable packages (#18511)

Bug fixes

• Skip redundant project configuration parsing for uv run (#17890)

Install uv 0.11.2

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.2/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.2/uv-installer.ps1 | iex"

Download uv 0.11.2

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
uv-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
uv-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
uv-i686-pc-windows-msvc.zip	x86 Windows	checksum
uv-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
uv-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
uv-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum
uv-powerpc64-unknown-linux-gnu.tar.gz	PPC64 Linux	checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz	PPC64LE Linux	checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz	RISCV Linux	checksum
uv-s390x-unknown-linux-gnu.tar.gz	S390x Linux	checksum
uv-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.2

Released on 2026-03-26.

Enhancements

• Add a dedicated Windows PE editing error (#18710)
• Make uv self update fetch the manifest from the mirror first (#18679)
• Use uv reqwest client for self update (#17982)
• Show uv self update success and failure messages with --quiet (#18645)

Preview features

• Evaluate extras and groups when determining auditable packages (#18511)

Bug fixes

• Skip redundant project configuration parsing for uv run (#17890)

0.11.1

Released on 2026-03-24.

Bug fixes

• Add missing hash verification for riscv64gc-unknown-linux-musl (#18686)
• Fallback to direct download when direct URL streaming is unsupported (#18688)
• Revert treating 'Dynamic' values as case-insensitive (#18692)
• Remove torchdata from list of packages to source from the PyTorch index (#18703)
• Special-case == Python version request ranges (#9697)

Documentation

• Cover --python <dir> in "Using arbitrary Python environments" (#6457)
• Fix version annotations for PS_MODULE_PATH and UV_WORKING_DIR (#18691)

0.11.0

Released on 2026-03-23.

Breaking changes

This release includes changes to the networking stack used by uv. While we think that breakage will be rare, it is possible that these changes will result in the rejection of certificates previously trusted by uv so we have marked the change as breaking out of an abundance of caution.

The changes are largely driven by the upgrade of reqwest, which powers uv's HTTP clients, to v0.13 which included some breaking changes to TLS certificate verification.

The following changes are included:

• rustls-platform-verifier is used instead of rustls-native-certs and webpki for certificate verification

... (truncated)

Commits

• 02036a8 Bump version to 0.11.2 (#18732)
• d247329 Sync latest Python releases (#18720)
• 66c6591 Fetch the cargo-dist binary directly instead of using the installer (#18731)
• 4faa20e Use the release environment in publish-versions
• bfefb87 Use the release environment in publish-docs (#18727)
• 944f009 Mute stderr_important dead code warning (#18724)
• 11c89d9 Use uv reqwest client for self update (#17982)
• 25d5549 Evaluate extras and groups when determining auditable packages (#18511)
• 7447dd9 Remove unnecessary preview from uv init test (#18722)
• d9d0359 Make uv self update fetch the manifest from the mirror first (#18679)
• Additional commits viewable in compare view

Updates cryptography from 46.0.5 to 46.0.6

Changelog

Sourced from cryptography's changelog.

46.0.6 - 2026-03-25

* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
  to peer names during verification when the leaf certificate contains a
  wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
  including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
  reporting the issue. **CVE-2026-34073**
.. _v46-0-5:

Commits

• 91d7288 Cherry-pick #14542 (#14543)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions