Update maintenance

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v6.0.0 → v6.0.2
actions/setup-python	action	minor	v6.1.0 → v6.2.0
black (changelog)		minor	==25.11.0 → ==25.12.0
filelock		patch	==3.20.0 → ==3.20.3
pathspec		patch	==1.0.3 → ==1.0.4
pglast (changelog)	install	minor	==7.10 → ==7.11
pglast (changelog)		minor	==7.10 → ==7.11
platformdirs (changelog)		patch	==4.5.0 → ==4.5.1
pyparsing		minor	==3.2.5 → ==3.3.2
step-security/harden-runner	action	minor	v2.13.3 → v2.14.2
tomli (changelog)		minor	==2.3.0 → ==2.4.0
tox (changelog)		minor	==4.32.0 → ==4.34.1
virtualenv		minor	==20.35.4 → ==20.36.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

psf/black (black)

v25.12.0

Compare Source

Highlights

• Black no longer supports running with Python 3.9 (#​4842)

Stable style

• Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly
  removed, particularly affecting Jupytext's # %% [markdown] comments (#​4845)
• Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on
  string literals, or on dictionary entries with long lines (#​4872)
• Fix possible crash when fmt: directives aren't on the top level (#​4856)

Preview style

• Fix fmt: skip skipping the line after instead of the line it's on (#​4855)
• Remove unnecessary parentheses from the left-hand side of assignments while preserving
  magic trailing commas and intentional multiline formatting (#​4865)
• Fix fix_fmt_skip_in_one_liners crashing on with statements (#​4853)
• Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#​4854)
• Fix new lines being added after imports with # fmt: skip on them (#​4894)

Packaging

• Releases now include arm64 Windows binaries and wheels (#​4814)

Integrations

• Add output-file input to GitHub Action psf/black to write formatter output to a
  file for artifact capture and log cleanliness (#​4824)

tox-dev/py-filelock (filelock)

v3.20.3

Compare Source

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

v3.20.2

Compare Source

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

v3.20.1

Compare Source

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

cpburnz/python-pathspec (pathspec)

v1.0.4

Compare Source

• Issue #​103_: Using re2 fails if pyre2 is also installed.

.. _Issue #​103: #​103

lelit/pglast (pglast)

v7.11

Compare Source

tox-dev/platformdirs (platformdirs)

v4.5.1

Compare Source

What's Changed

• Fix no-ctypes fallback on windows by @​youknowone in #​403

Full Changelog: tox-dev/platformdirs@4.5.0...4.5.1

pyparsing/pyparsing (pyparsing)

v3.3.2

Compare Source

• Defined pyparsing-specific warning classes so that they can be selectively enabled
  or disabled without affecting warnings raised by other libraries in the same Python
  app:

  • PyparsingWarning - base warning for all pyparsing-specific warnings (inherits
    from UserWarning)
  • PyparsingDeprecationWarning - warning for using deprecated features (inherits
    from PyparsingWarning and DeprecationWarning)
  • PyparsingDiagnosticWarning - warning raised when pyparsing diagnostics are
    enabled and a diagnostic feature is used (inherits from PyparsingWarning)

• Added as_datetime parse action to pyparsing.common - a more generalized
  version of the convert_to_datetime parse action (supports any expression that extracts
  date/time fields into "year", "month", "day", etc. results names), and validates
  that the parsed fields represent a valid date and time.

• Added iso8601_date_validated and iso8601_datetime_validated expressions to
  pyparsing.common, which return a Python datetime.datetime

• Various performance improvements in ParseResults class and core functions, with
  10-20% performance overall.

• Added regex_inverter web page (using PyScript) to demonstrate using the inv_regex.py
  example.

• Expanded regex forms handled by the examples/inv_regex.py example:

  • named capturing groups (?P<name>)
  • partial repetition ({m,} and {,n})
  • negated character classes ([^...])

• Added SPy (Simplified Python) parser to examples.

v3.3.1

Compare Source

• Added license info to metadata, following PEP-639. Thanks to Gedalia Pasternak and
  Marc Mueller for submitted issue and PR. Fixes #​626.

v3.3.0

Compare Source

===========================================================================================
The version 3.3.0 release will begin emitting DeprecationWarnings for pyparsing methods
that have been renamed to PEP8-compliant names (introduced in pyparsing 3.0.0, in August,
2021, with legacy names retained as aliases). In preparation, I added in pyparsing
3.2.2 a utility for finding and replacing the legacy method names with the new names.
This utility is located at pyparsing/tools/cvt_pep8_names.py. This script will scan all
Python files specified on the command line, and if the -u option is selected, will
replace all occurrences of the old method names with the new PEP8-compliant names,
updating the files in place.

Here is an example that converts all the files in the pyparsing /examples directory:

  python -m pyparsing.tools.cvt_pyparsing_pep8_names -u examples/*.py

step-security/harden-runner (step-security/harden-runner)

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

hukkin/tomli (tomli)

v2.4.0

Compare Source

• Added
  • TOML v1.1.0 compatibility
  • Binary wheels for Windows arm64

tox-dev/tox (tox)

v4.34.1

Compare Source

What's Changed

• fix: wheel corruption when running parallel tox processes by @​gaborbernat in #​3667

Full Changelog: tox-dev/tox@4.34.0...4.34.1

v4.34.0

Compare Source

What's Changed

• feat: Support depenedcy groups with self references by @​Czaki in #​3666

Full Changelog: tox-dev/tox@4.33.0...4.34.0

v4.33.0

Compare Source

What's Changed

• Pass LOCALAPPDATA by default on Windows (#​3639) by @​clint-lawrence in #​3640
• Docs: Add caution about ranges like py{39-314} by @​ferdnyc in #​3652
• CLI Parser: Drop epilog message for Sphinx help by @​ferdnyc in #​3653
• 📚 Integrate sphinx-issues extension by @​webknjaz in #​3655
• Fix sphinx doc build by @​gaborbernat in #​3662
• feat: add conditional set_env support via PEP-496 markers by @​gaborbernat in #​3663

New Contributors

• @​clint-lawrence made their first contribution in #​3640
• @​ferdnyc made their first contribution in #​3652

Full Changelog: tox-dev/tox@4.32.0...4.33.0

pypa/virtualenv (virtualenv)

v20.36.1

Compare Source

What's Changed

• release 20.36.0 by @​gaborbernat in #​3011
• fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation by @​gaborbernat in #​3013

Full Changelog: pypa/virtualenv@20.36.0...20.36.1

v20.36.0

Compare Source

What's Changed

• release 20.35.3 by @​gaborbernat in #​2981
• fix: Prevent NameError when accessing _DISTUTILS_PATCH during file ov… by @​gracetyy in #​2982
• Upgrade pip and fix 3.15 picking old wheel by @​gaborbernat in #​2989
• release 20.35.4 by @​gaborbernat in #​2990
• fix: wrong path on migrated venv by @​sk1234567891 in #​2996
• test_too_many_open_files: assert on errno.EMFILE instead of strerror by @​pltrz in #​3001
• fix: update filelock dependency version to 3.20.1 to fix CVE CVE-2025-68146 by @​pythonhubdev in #​3002
• fix: resolve EncodingWarning in tox upgrade environment by @​gaborbernat in #​3007
• Fix Interpreter discovery bug wrt. Microsoft Store shortcut using Latin-1 by @​rahuldevikar in #​3006
• Add support for PEP 440 version specifiers in the --python flag. by @​rahuldevikar in #​3008

New Contributors

• @​gracetyy made their first contribution in #​2982
• @​sk1234567891 made their first contribution in #​2996
• @​pltrz made their first contribution in #​3001
• @​pythonhubdev made their first contribution in #​3002
• @​rahuldevikar made their first contribution in #​3006

Full Changelog: pypa/virtualenv@20.35.3...20.36.0

---

Configuration

📅 Schedule: Branch creation - "every month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}