deps(python): bump the pip group across 1 directory with 2 updates

[dependabot]

Bumps the pip group with 2 updates in the /dependencies/python directory: ruff and zizmor.

Updates ruff from 0.15.17 to 0.15.18

Release notes

Sourced from ruff's releases.

0.15.18

Release Notes

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.18

Released on 2026-06-18.

Preview features

• Handle nested ruff:ignore comments (#25791)
• Stop displaying severity in output (#26050)
• Use human-readable names in CLI output (#25937)
• Use human-readable names in LSP and playground diagnostics (#26058)
• [pydocstyle] Prevent property docstrings starting with verbs (D421) (#23775)
• [flake8-pyi] Extend PYI033 to Python files (#26129)

Bug fixes

• Detect equivalent numeric mapping keys (#26009)
• Detect mapping keys equivalent to booleans (#25982)
• Detect repeated signed and complex dictionary keys (#26007)

Rule changes

• [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)

Performance

• Use ThinVec for call keywords (#25999)
• Inline parser recovery context checks (#26038)
• Match parser keywords as bytes (#26037)
• Move value parsing out of lexing (#25360)

Server

• Render subdiagnostics and secondary annotations as related information (#26011)

Documentation

• Update fix availability for always-fixable rules (#26091)
• [flake8-tidy-imports] Add fix safety section (TID252) (#17491)

Parser

• Reject __debug__ lambda parameters (#26022)
• Reject _ as a match-pattern target (#25977)
• Reject multiple starred names in sequence patterns (#25976)
• Reject parenthesized star imports (#26021)
• Reject starred comprehension targets (#26023)
• Reject unparenthesized generator expressions in class bases (#25978)
• Reject yield expressions after commas (#26024)
• Validate function type parameter default order (#25981)

... (truncated)

Commits

• 6686f63 Bump 0.15.18 (#26135)
• efbb732 [ty] Suggest keyword-only arguments between variadic parameters (#26134)
• c256d5f [ty] Support Annotated[Any, ...] as a class base (#26133)
• 19a4bea [flake8-pyi] Rename PYI033 to legacy-type-comment (#26131)
• 1d9866c Bump ecosystem-analyzer commit (#26130)
• 8656c73 [ty] Compact indexed AST node storage (#25998)
• c17c8d9 [ty] Garbage-collect cached constraint sets (#26116)
• ef0fb8f [ty] Fix bound TypeVar default cycle recovery (#26124)
• b83c024 [flake8-pyi] Extend PYI033 to Python files in preview (#26129)
• e8a5e38 Update Rust crate zip to v8 (#26078)
• Additional commits viewable in compare view

Updates zizmor from 1.25.2 to 1.26.1

Release notes

Sourced from zizmor's releases.

v1.26.1

This is a small corrective release for 1.26.0.

v1.26.0

New Features 🌈🔗

• New audit: typosquat-uses detects uses: clauses that reference likely typoed actions (#1985)

  Many thanks to @​andrew for proposing and implementing this improvement!

• New audit: unsound-ternary detects pseudo-ternary expressions that don't evaluate as expected (#2085)

  Many thanks to @​terror for proposing and implementing this improvement!

• New audit: adhoc-packages detects run: steps that install packages in an ad-hoc manner (#2061)

  Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱🔗

• The cache-poisoning audit now detects additional cache disablement heuristics (#2053)

• The known-vulnerable-actions audit is now configurable. See the configuration documentation for details (#2084)

• The excessive-permissions audit is now aware of the code-quality permission (#2088)

• The unpinned-uses audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. @​v6) (#2127)

Performance Improvements 🚄🔗

• Most online audits are significantly faster, thanks to more precise retry handling (#2036) Bug Fixes 🐛🔗

• Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

  Many thanks to @​fionn for implementing this fix!

• Fixed a bug where ref-version-mismatch would fail to fully match some version comments (#2040)

• Fixed a bug where dependabot-cooldown would fail to honor the user's configured days when performing autofixes (#2055)

• Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute (#2059, #2069)

• Fixed a bug where ref-version-mismatch would fail to identify some valid version comments (#2073)

• Fixed a bug where unpinned-images would incorrectly flag empty matrix expansions as unpinned container image references (#2102)

• Fixed a bug where unpinned-images would incorrectly flag some matrix expansions as unpinned (#2098)

• The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now provide more correct/useful paths, particularly when the user provides a relative path as input to zizmor rather than zizmor . (#1748, #2095)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.26.1

This is a small corrective release for 1.26.0.

1.26.0

New Features 🌈

• New audit: [typosquat-uses] detects #!yaml uses: clauses that reference likely typoed actions (#1985)

  Many thanks to @​andrew for proposing and implementing this improvement!

• New audit: [unsound-ternary] detects pseudo-ternary expressions that don't evaluate as expected (#2085)

  Many thanks to @​terror for proposing and implementing this improvement!

• New audit: [adhoc-packages] detects #!yaml run: steps that install packages in an ad-hoc manner (#2061)

  Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱

• The [cache-poisoning] audit now detects additional cache disablement heuristics (#2053)

• The [known-vulnerable-actions] audit is now configurable. See the configuration documentation for details (#2084)

• The [excessive-permissions] audit is now aware of the code-quality permission (#2088)

• The [unpinned-uses] audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. @v6) (#2127)

Performance Improvements 🚄

• Most online audits are significantly faster, thanks to more precise retry handling (#2036)

Bug Fixes 🐛

• Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

  Many thanks to @​fionn for implementing this fix!

• Fixed a bug where [ref-version-mismatch] would fail to fully match some version comments (#2040)

... (truncated)

Commits

• 597db4d zizmor 1.26.1 (#2137)
• 97037cd zizmor 1.26.0 (#2136)
• 3fecda6 Bump trophies (#2135)
• cdaf536 Add InputGroup::root (#2095)
• d7672f9 docs: fix release note references (#2132)
• 5420162 docs: pin manual uvx zizmor examples (#2131)
• e9d4a44 feat(unpinned-uses): pin to full version when fixing a major ref (#2127)
• e638658 [BOT] update JSON schemas from SchemaStore (#2126)
• 2c47399 chore(deps): bump http from 1.4.1 to 1.4.2 in the cargo group (#2125)
• cd68f65 chore(deps): bump the github-actions group across 1 directory with 3 updates ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions