build(deps): bump the test-and-lint-dependencies group with 3 updates #2932

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/pip/test-and-lint-dependencies-309305523a

@dependabot dependabot bot commented on behalf of github Apr 20, 2026

Bumps the test-and-lint-dependencies group with 3 updates: ruff, mypy and zizmor.

Updates ruff from 0.15.9 to 0.15.10

Release notes

Sourced from ruff's releases.

0.15.10

Release Notes

Released on 2026-04-09.

Preview features

  • [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
  • [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
  • [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

  • Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
  • Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
  • Strip form feeds from indent passed to dedent_to (#24381)
  • [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
  • Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

  • [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

  • Add support for custom file extensions (#24463)

Documentation

  • Document adding fixes in CONTRIBUTING.md (#24393)
  • Fix JSON typo in settings example (#24517)

Install ruff 0.15.10

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.10/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.10

Released on 2026-04-09.

Preview features

  • [flake8-logging] Allow closures in except handlers (LOG004) (#24464)
  • [flake8-self] Make SLF diagnostics robust to non-self-named variables (#24281)
  • [flake8-simplify] Make the fix for collapsible-if safe in preview (SIM102) (#24371)

Bug fixes

  • Avoid emitting multi-line f-string elements before Python 3.12 (#24377)
  • Avoid syntax error from E502 fixes in f-strings and t-strings (#24410)
  • Strip form feeds from indent passed to dedent_to (#24381)
  • [pyupgrade] Fix panic caused by handling of octals (UP012) (#24390)
  • Reject multi-line f-string elements before Python 3.12 (#24355)

Rule changes

  • [ruff] Treat f-string interpolation as potential side effect (RUF019) (#24426)

Server

  • Add support for custom file extensions (#24463)

Documentation

  • Document adding fixes in CONTRIBUTING.md (#24393)
  • Fix JSON typo in settings example (#24517)

Commits
  • 252f761 Bump 0.15.10 (#24519)
  • 37a1ec8 [ty] Fix assignability of intersections with bounded typevars (#24502)
  • f518cc9 [ty] Allow partially stringified type[…] annotations (#24518)
  • 16c4090 docs: fix JSON typo in settings example (#24517)
  • 99d97bd [ty] Tighten up a few edge cases in Concatenate type-expression parsing (#2...
  • 2714e34 [ty] Enable pull-diagnostics by default in E2E tests (#24516)
  • d8bc700 LSP: Add support for custom extensions (#24463)
  • a45f96d [ty] stop special-casing str constructor (#24514)
  • 87a0f01 [ruff] Treat f-string interpolation as potential side effect in RUF019 (#24426)
  • e9ba848 [ty] Fix excess subscript argument inference for non-generic types (#24354)
  • Additional commits viewable in compare view

Updates mypy from 1.20.0 to 1.20.1

Changelog

Sourced from mypy's changelog.

Mypy 1.20.1

  • Always disable sync in SQLite cache (Ivan Levkivskyi, PR 21184)
  • Temporarily skip few base64 tests (Ivan Levkivskyi, PR 21193)
  • Revert dict.__or__ typeshed change (Ivan Levkivskyi, PR 21186)
  • Fix narrowing for match case with variadic tuples (Shantanu, PR 21192)
  • Avoid narrowing type[T] in type calls (Shantanu, PR 21174)
  • Fix regression for catching empty tuple in except (Shantanu, PR 21153)
  • Fix reachability for frozenset and dict view narrowing (Shantanu, PR 21151)
  • Fix narrowing with chained comparison (Shantanu, PR 21150)
  • Avoid narrowing to unreachable at module level (Shantanu, PR 21144)
  • Allow dangerous identity comparisons to Any typed variables (Shantanu, PR 21142)
  • --warn-unused-config should not be a strict flag (Ivan Levkivskyi, PR 21139)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

  • A5rocks
  • Aaron Wieczorek
  • Adam Turner
  • Ali Hamdan
  • asce
  • BobTheBuidler
  • Brent Westbrook
  • Brian Schubert
  • bzoracler
  • Chris Burroughs
  • Christoph Tyralla
  • Colin Watson
  • Donghoon Nam
  • E. M. Bray
  • Emma Smith
  • Ethan Sarp
  • George Ogden
  • getzze
  • grayjk
  • Gregor Riepl
  • Ivan Levkivskyi
  • James Hilliard
  • James Le Cuirot
  • Jeremy Nimmer
  • Joren Hammudoglu
  • Kai (Kazuya Ito)
  • kaushal trivedi
  • Kevin Kannammalil
  • Lukas Geiger
  • Łukasz Langa
  • Marc Mueller
  • Michael R. Crusoe
  • michaelm-openai

... (truncated)

Updates zizmor from 1.23.1 to 1.24.1

Release notes

Sourced from zizmor's releases.

v1.24.1

Bug Fixes 🐛

  • Fixed a bug where the ref-version-mismatch audit would incorrectly flag some version comments as not containing an appropriate version (#1900)

v1.24.0

New Features 🌈

  • zizmor now allows users to audit from stdin, by passing zizmor - (#1611)

Enhancements 🌱

  • The use-trusted-publishing audit now detects bun publish and bunx npm publish patterns (#1737)

    Many thanks to @​shaanmajid for proposing and implementing this improvement!

  • zizmor's CLI help and usage output now uses a custom color scheme for improved readability (#1747)

  • The secrets-outside-env audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (#1759)

    Many thanks to @​rmuir for proposing and implementing this improvement!

  • The dependabot-cooldown audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (#1780)

  • Recommend gh release upload as a replacement for svenstaro/upload-release-action in superfluous-actions (#1801)

  • Recommend gh issue create as a replacement for dacbd/create-issue-action in superfluous-actions (#1873)

  • The obfuscation audit now emits a finding for with: ${{ expr }} clauses cannot be analyzed (#1772)

  • zizmor --help is now rendered with option groups for improved readability (#1831)

    Many thanks to @​deckstose for implementing this improvement!

  • zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (#1843)

  • The ref-version-mismatch audit now uses a more useful audit description for its findings (#1843)

  • The unpinned-images audit now produces more precise findings for image references that are computed through expressions (#1756)

    Many thanks to @​miketheman for implementing this improvement!

  • The ref-version-mismatch audit now detects missing version comments as well (#1849)

    Many thanks to @​shaanmajid for proposing and implementing this improvement!

Bug Fixes 🐛

  • Fixed a bug where the concurrency-limits audit reported findings at the job level instead of the workflow level (#1627)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.24.1

Bug Fixes 🐛

  • Fixed a bug where the [ref-version-mismatch] audit would incorrectly flag some version comments as not containing an appropriate version (#1900)

1.24.0

New Features 🌈

  • zizmor now allows users to audit from stdin, by passing zizmor - (#1611)

Enhancements 🌱

  • The [use-trusted-publishing] audit now detects bun publish and bunx npm publish patterns (#1737)

    Many thanks to @​shaanmajid for proposing and implementing this improvement!

  • zizmor's CLI help and usage output now uses a custom color scheme for improved readability (#1747)

  • The [secrets-outside-env] audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (#1759)

    Many thanks to @​rmuir for proposing and implementing this improvement!

  • The [dependabot-cooldown] audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (#1780)

  • Recommend gh release upload as a replacement for @​svenstaro/upload-release-action in [superfluous-actions] (#1801)

  • Recommend gh issue create as a replacement for @​dacbd/create-issue-action in [superfluous-actions] (#1873)

  • The [obfuscation] audit now emits a finding for with: ${{ expr }} clauses cannot be analyzed (#1772)

  • zizmor --help is now rendered with option groups for improved readability (#1831)

    Many thanks to @​deckstose for implementing this improvement!

  • zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (#1843)

  • The [ref-version-mismatch] audit now uses a more useful audit description

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the test-and-lint-dependencies group with 3 updates: [ruff](https://github.com/astral-sh/ruff), [mypy](https://github.com/python/mypy) and [zizmor](https://github.com/zizmorcore/zizmor).


Updates `ruff` from 0.15.9 to 0.15.10
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.9...0.15.10)

Updates `mypy` from 1.20.0 to 1.20.1
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.20.0...v1.20.1)

Updates `zizmor` from 1.23.1 to 1.24.1
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.23.1...v1.24.1)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: mypy
  dependency-version: 1.20.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.24.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update Python code) labels Apr 20, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 20, 2026 23:08