Bump the python-dependencies group across 1 directory with 7 updates

[dependabot]

Updates the requirements on alembic, python-dotenv, pytest, pytest-mock, pytest-cov, black and bandit to permit the latest version.
Updates alembic to 1.18.1

Release notes

Sourced from alembic's releases.

1.18.1

Released: January 14, 2026

bug

• [bug] [autogenerate] Fixed issue in new plugin system where the configured logger was not correctly using the __name__ token to identify the logger.

  References: #1779

• [bug] [operations] Revised the change regarding SQLAlchemy 2.1 and deprecation warnings related to isolate_from_table=True. Further developments in release 2.1 have revised how this parameter will be modified.

Commits

• See full diff in compare view

Updates python-dotenv to 1.2.1

Release notes

Sourced from python-dotenv's releases.

v1.2.1

What's Changed

• Support reading .env from FIFOs (Unix) by @​sidharth-sudhir in theskumar/python-dotenv#586
• Update CI to use trusted publishing on PyPI

New Contributors

• @​sidharth-sudhir made their first contribution in theskumar/python-dotenv#586

Full Changelog: theskumar/python-dotenv@v1.2.0...v1.2.1

Changelog

Sourced from python-dotenv's changelog.

[1.2.1] - 2025-10-26

• Move more config to pyproject.toml, removed setup.cfg
• Add support for reading .env from FIFOs (Unix) by [@​sidharth-sudhir] in #586

[1.2.0] - 2025-10-26

• Upgrade build system to use PEP 517 & PEP 518 to use build and pyproject.toml by [@​EpicWink] in #583
• Add support for Python 3.14 by [@​23f3001135] in #579
• Add support for disabling of load_dotenv() using PYTHON_DOTENV_DISABLED env var. by [@​matthewfranglen] in #569

[1.1.1] - 2025-06-24

Fixed

• CLI: Ensure find_dotenv work reliably on python 3.13 by [@​theskumar] in #563
• CLI: revert the use of execvpe on Windows by [@​wrongontheinternet] in #566

[1.1.0] - 2025-03-25

Feature

• Add support for python 3.13
• Enhance dotenv run, switch to execvpe for better resource management and signal handling (#523) by [@​eekstunt]

Fixed

• find_dotenv and load_dotenv now correctly looks up at the current directory when running in debugger or pdb (#553 by [@​randomseed42])

Misc

• Drop support for Python 3.8

[1.0.1] - 2024-01-23

Fixed

• Gracefully handle code which has been imported from a zipfile (#456 by [@​samwyma])
• Allow modules using load_dotenv to be reloaded when launched in a separate thread (#497 by [@​freddyaboulton])
• Fix file not closed after deletion, handle error in the rewrite function (#469 by [@​Qwerty-133])

Misc

• Use pathlib.Path in tests (#466 by [@​eumiro])
• Fix year in release date in changelog.md (#454 by [@​jankislinger])
• Use https in README links (#474 by [@​Nicals])

[1.0.0] - 2023-02-24

Fixed

... (truncated)

Commits

• eaf2a91 Do not remove .coverage file
• 8716196 Bump version: 1.2.0 → 1.2.1
• b87807f Update changelog
• 3af77d3 Support reading .env from FIFOs (Unix) (#586)
• 467ee22 Fix test failures after moving config to pyproject.toml
• 76999e7 Move more config pyproject.toml
• 222ce2c Update to use trusted publisher on pypi
• 8ed4f79 Update docs requirements
• 5bf8822 Bump version: 1.1.1 → 1.2.0
• 1fe11cc upadate changelog
• Additional commits viewable in compare view

Updates pytest to 9.0.2

Release notes

Sourced from pytest's releases.

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

• #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

  You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

  Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

• #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

• #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

• #13965: Fixed quadratic-time behavior when handling unittest subtests in Python 3.10.

Improved documentation

• #4492: The API Reference now contains cross-reference-able documentation of pytest's command-line flags <command-line-flags>.

Commits

• 3d10b51 Prepare release version 9.0.2
• 188750b Merge pull request #14030 from pytest-dev/patchback/backports/9.0.x/1e4b01d1f...
• b7d7bef Merge pull request #14014 from bluetech/compat-note
• bd08e85 Merge pull request #14013 from pytest-dev/patchback/backports/9.0.x/922b60377...
• bc78386 Add CLI options reference documentation (#13930)
• 5a4e398 Fix docs typo (#14005) (#14008)
• d7ae6df Merge pull request #14006 from pytest-dev/maintenance/update-plugin-list-tmpl...
• 556f6a2 pre-commit: fix rst-lint after new release (#13999) (#14001)
• c60fbe6 Fix quadratic-time behavior when handling unittest subtests in Python 3.10 ...
• 73d9b01 Merge pull request #13995 from nicoddemus/patchback/backports/9.0.x/1b5200c0f...
• Additional commits viewable in compare view

Updates pytest-mock to 3.15.1

Release notes

Sourced from pytest-mock's releases.

v3.15.1

2025-09-16

• #529: Fixed itertools._tee object has no attribute error -- now duplicate_iterators=True must be passed to mocker.spy to duplicate iterators.

Changelog

Sourced from pytest-mock's changelog.

3.15.1

2025-09-16

• [#529](https://github.com/pytest-dev/pytest-mock/issues/529) <https://github.com/pytest-dev/pytest-mock/issues/529>_: Fixed itertools._tee object has no attribute error -- now duplicate_iterators=True must be passed to mocker.spy to duplicate iterators.

3.15.0

2025-09-04

• Python 3.8 (EOL) is no longer supported.
• [#524](https://github.com/pytest-dev/pytest-mock/issues/524) <https://github.com/pytest-dev/pytest-mock/pull/524>_: Added spy_return_iter to mocker.spy, which contains a duplicate of the return value of the spied method if it is an Iterator.

3.14.1 (2025-05-26)

• [#503](https://github.com/pytest-dev/pytest-mock/issues/503) <https://github.com/pytest-dev/pytest-mock/pull/503>_: Python 3.14 is now officially supported.

3.14.0 (2024-03-21)

• [#415](https://github.com/pytest-dev/pytest-mock/issues/415) <https://github.com/pytest-dev/pytest-mock/pull/415>_: MockType and AsyncMockType can be imported from pytest_mock for type annotation purposes.

• [#420](https://github.com/pytest-dev/pytest-mock/issues/420) <https://github.com/pytest-dev/pytest-mock/issues/420>_: Fixed a regression which would cause mocker.patch.object to not being properly cleared between tests.

3.13.0 (2024-03-21)

• [#417](https://github.com/pytest-dev/pytest-mock/issues/417) <https://github.com/pytest-dev/pytest-mock/pull/417>_: spy now has spy_return_list, which is a list containing all the values returned by the spied function.
• pytest-mock now requires pytest>=6.2.5.
• [#410](https://github.com/pytest-dev/pytest-mock/issues/410) <https://github.com/pytest-dev/pytest-mock/pull/410>: pytest-mock's setup.py file is removed. If you relied on this file, e.g. to install pytest using setup.py install, please see Why you shouldn't invoke setup.py directly <https://blog.ganssle.io/articles/2021/10/setup-py-deprecated.html#summary> for alternatives.

3.12.0 (2023-10-19)

• Added support for Python 3.12.
• Dropped support for EOL Python 3.7.
• mocker.resetall() now also resets mocks created by mocker.create_autospec ([#390](https://github.com/pytest-dev/pytest-mock/issues/390)_).

.. _#390: pytest-dev/pytest-mock#390

3.11.1 (2023-06-15)

(This release source code is identical to 3.11.0 except a small internal fix to deployment/CI)

... (truncated)

Commits

• e1b5c62 Release 3.15.1
• 184eb19 Set spy_return_iter only when explicitly requested (#537)
• 4fa0088 [pre-commit.ci] pre-commit autoupdate (#536)
• f5aff33 Fix test failure with pytest 8+ and verbose mode (#535)
• adc4187 Bump actions/setup-python from 5 to 6 in the github-actions group (#533)
• 95ad570 [pre-commit.ci] pre-commit autoupdate (#532)
• e696bf0 Fix standalone mock support (#531)
• 5b29b03 Fix gen-release-notes script
• 7d22ef4 Merge pull request #528 from pytest-dev/release-3.15.0
• 90b29f8 Update CHANGELOG for 3.15.0
• Additional commits viewable in compare view

Updates pytest-cov to 7.0.0

Changelog

Sourced from pytest-cov's changelog.

7.0.0 (2025-09-09)

• Dropped support for subprocesses measurement.

  It was a feature added long time ago when coverage lacked a nice way to measure subprocesses created in tests. It relied on a .pth file, there was no way to opt-out and it created bad interations with coverage's new patch system <https://coverage.readthedocs.io/en/latest/config.html#run-patch>_ added in 7.10 <https://coverage.readthedocs.io/en/7.10.6/changes.html#version-7-10-0-2025-07-24>_.

  To migrate to this release you might need to enable the suprocess patch, example for .coveragerc:

  .. code-block:: ini

  [run] patch = subprocess

  This release also requires at least coverage 7.10.6.

• Switched packaging to have metadata completely in pyproject.toml and use hatchling <https://pypi.org/project/hatchling/>_ for building. Contributed by Ofek Lev in [#551](https://github.com/pytest-dev/pytest-cov/issues/551) <https://github.com/pytest-dev/pytest-cov/pull/551>_ with some extras in [#716](https://github.com/pytest-dev/pytest-cov/issues/716) <https://github.com/pytest-dev/pytest-cov/pull/716>_.

• Removed some not really necessary testing deps like six.

6.3.0 (2025-09-06)

• Added support for markdown reports. Contributed by Marcos Boger in [#712](https://github.com/pytest-dev/pytest-cov/issues/712) <https://github.com/pytest-dev/pytest-cov/pull/712>_ and [#714](https://github.com/pytest-dev/pytest-cov/issues/714) <https://github.com/pytest-dev/pytest-cov/pull/714>_.
• Fixed some formatting issues in docs. Anonymous contribution in [#706](https://github.com/pytest-dev/pytest-cov/issues/706) <https://github.com/pytest-dev/pytest-cov/pull/706>_.

6.2.1 (2025-06-12)

• Added a version requirement for pytest's pluggy dependency (1.2.0, released 2023-06-21) that has the required new-style hookwrapper API.

• Removed deprecated license classifier (packaging).

• Disabled coverage warnings in two more situations where they have no value:

  • "module-not-measured" in workers
  • "already-imported" in subprocesses

6.2.0 (2025-06-11)

• The plugin now adds 3 rules in the filter warnings configuration to prevent common coverage warnings being raised as obscure errors::

  default:unclosed database in <sqlite3.Connection object at:ResourceWarning once::PytestCovWarning

... (truncated)

Commits

• 224d896 Bump version: 6.3.0 → 7.0.0
• 73424e3 Cleanup the docs a bit.
• 36f1cc2 Bump pins in template.
• f299c59 Bump the github-actions group with 2 updates
• 25f0b2e Update docs/config.rst
• bb23eac Improve configuration docs
• a19531e Switch from build/pre-commit to uv/prek - this should make this faster.
• 82f9993 Update changelog.
• 211b5cd Fix links.
• 97aadd7 Update some ci config, reformat and apply some lint fixes.
• Additional commits viewable in compare view

Updates black to 26.1.0

Release notes

Sourced from black's releases.

26.1.0

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:

• always_one_newline_after_import: Always force one blank line after import statements, except when the line after the import is a comment or an import statement (#4489)
• fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations, such as def foo(): return "mock" # fmt: skip, where previously the declaration would have been incorrectly collapsed (#4800)
• fix_module_docstring_detection: Fix module docstrings being treated as normal strings if preceded by comments (#4764)
• fix_type_expansion_split: Fix type expansions split in generic functions (#4777)
• multiline_string_handling: Make expressions involving multiline strings more compact (#1879)
• normalize_cr_newlines: Add \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)
• remove_parens_around_except_types: Remove parentheses around multiple exception types in except and except* without as (#4720)
• remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
• standardize_type_comments: Format type comments which have zero or more spaces between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:

• Regenerated the _width_table.py and added tests for the Khmer language (#4253)

This release alo bumps pathspec to v1 and fixes inconsistencies with Git's .gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even if the parent directory is directly unignored. For example, Black would previously format exclude/not_this/foo.py with this .gitignore:

exclude/
!exclude/not_this/

Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and all of it's children are included in formatting (and in Git), use this .gitignore:

*/exclude/*
!*/exclude/not_this/

This new behavior matches Git. The leading */ are only necessary if you wish to ignore matching subdirectories (like the previous behavior did), and not just matching root

... (truncated)

Changelog

Sourced from black's changelog.

26.1.0

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:

• always_one_newline_after_import: Always force one blank line after import statements, except when the line after the import is a comment or an import statement (#4489)
• fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations, such as def foo(): return "mock" # fmt: skip, where previously the declaration would have been incorrectly collapsed (#4800)
• fix_module_docstring_detection: Fix module docstrings being treated as normal strings if preceded by comments (#4764)
• fix_type_expansion_split: Fix type expansions split in generic functions (#4777)
• multiline_string_handling: Make expressions involving multiline strings more compact (#1879)
• normalize_cr_newlines: Add \r style newlines to the potential newlines to normalize file newlines both from and to (#4710)
• remove_parens_around_except_types: Remove parentheses around multiple exception types in except and except* without as (#4720)
• remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand side of assignments while preserving magic trailing commas and intentional multiline formatting (#4865)
• standardize_type_comments: Format type comments which have zero or more spaces between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:

• Regenerated the _width_table.py and added tests for the Khmer language (#4253)

This release alo bumps pathspec to v1 and fixes inconsistencies with Git's .gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even if the parent directory is directly unignored. For example, Black would previously format exclude/not_this/foo.py with this .gitignore:

exclude/
!exclude/not_this/

Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and all of it's children are included in formatting (and in Git), use this .gitignore:

*/exclude/*
!*/exclude/not_this/

This new behavior matches Git. The leading */ are only necessary if you wish to ignore

... (truncated)

Commits

• 6305bf1 Prepare 2026.1.0 release (#4892)
• e71305b Bump pypa/cibuildwheel from 3.3.0 to 3.3.1 (#4961)
• 21a2a8c Fix Shutdown multiprocessing Manager in schedule_formatting (#4952)
• e3146ce Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#4919)
• fe1fbc4 Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#4923)
• 2b4b7fc Bump actions/download-artifact from 6.0.0 to 7.0.0 (#4922)
• d745be6 docs: document --force-exclude for pre-commit workflows (#4957)
• b41acd6 Various CI and doc refactors (#4928)
• 6f43612 Handle pathspec v1 changes (#4958)
• 200c550 Bump furo from 2025.9.25 to 2025.12.19 in /docs (#4933)
• Additional commits viewable in compare view

Updates bandit to 1.9.3

Release notes

Sourced from bandit's releases.

1.9.3

What's Changed

• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in PyCQA/bandit#1334
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA/bandit#1335
• Fix B608 to detect VALUES( without space by @​kfess in PyCQA/bandit#1337
• Add check for hardcoded passwords in dicts. by @​alanverresen in PyCQA/bandit#1338
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in PyCQA/bandit#1341
• Update tox tests for Python 3.10 by @​willschlitzer in PyCQA/bandit#1346
• Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @​dependabot[bot] in PyCQA/bandit#1347
• Limit B614 to torch.load deserializers by @​dibussoc in PyCQA/bandit#1348

New Contributors

• @​kfess made their first contribution in PyCQA/bandit#1337
• @​alanverresen made their first contribution in PyCQA/bandit#1338
• @​willschlitzer made their first contribution in PyCQA/bandit#1346
• @​dibussoc made their first contribution in PyCQA/bandit#1348

Full Changelog: PyCQA/bandit@1.9.2...1.9.3

Commits

• 765f00d Limit B614 to torch.load deserializers (#1348)
• 06fbbab Bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#1347)
• 36d6f3c Update tox tests for Python 3.10 (#1346)
• da0d338 [pre-commit.ci] pre-commit autoupdate (#1341)
• 649b9bd Add check for hardcoded passwords in dicts. (#1338)
• 3c56109 Fix B608 to detect VALUES( without space (#1337)
• b790ce2 [pre-commit.ci] pre-commit autoupdate (#1335)
• 0b73bbe Bump actions/checkout from 5 to 6 (#1334)
• ea0d187 Check whether Constant value is str (#1333)
• 8bf7594 Argparse Python 3.14 enhancements (#1331)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions