update: bump the pip-packages group across 1 directory with 4 updates

[dependabot[bot]]

Bumps the pip-packages group with 4 updates in the / directory: semgrep, mkdocs-material, pylint and pytest.

Updates semgrep from 1.74.0 to 1.75.0

Release notes

Sourced from semgrep's releases.

Release v1.75.0

1.75.0 - 2024-06-03

Added

• Pro: Semgrep can now track taint through tuple/list (un)packing intra-procedurally (i.e., within a single function). For example:

  t = ["ok", "taint"]
  x, y = t
  sink(x) # OK, no finding
  sink(y) # tainted, finding
  ``` (code-6935)
  

• Optional type matching is supported in the Pro engine for Python. For example, in Python, Optional[str], str | None, and Union[str, None] represent the same type but in different type expressions. The optional type match support enables matching between these expressions, allowing any optional type expression to match any other optional type expression when used with metavariable-type filtering. It's important to note that syntactic pattern matching still distinguishes between these types. (code-6939)

• Add support for pnpm v9 (pnpm)

• Added a new rule option decorators_order_matters, which allows users to make decorators/ non-keyword attributes matching stricter. The default matching for attributes is order-agnostic, but if this rule option is set to true, non-keyword attributes (e.g. decorators in Python) will be matched in order, while keyword attributes (e.g. static, inline, etc) are not affected.

  An example usage will be a rule to detect any decorator that is outside of the route() decorator in Flask, since any decorator outside of the route() decorator takes no effect.

  bad: another.func() takes no effect

  @​another.func("func") @​app.route("route") def f(): pass

  ok: route() is the outermost decorator

  @​app.route("route") @​another.func("func") def f(): pass (saf-435)

Fixed

• Pro: taint-mode: Fixed issue causing findings to be missed (false negatives) when a global or class field was tainted, and then used in a sink after two or more function calls.

  For example:

... (truncated)

Changelog

Sourced from semgrep's changelog.

1.75.0 - 2024-06-03

Added

• Pro: Semgrep can now track taint through tuple/list (un)packing intra-procedurally (i.e., within a single function). For example:

  t = ["ok", "taint"]
  x, y = t
  sink(x) # OK, no finding
  sink(y) # tainted, finding
  ``` (code-6935)
  

• Optional type matching is supported in the Pro engine for Python. For example, in Python, Optional[str], str | None, and Union[str, None] represent the same type but in different type expressions. The optional type match support enables matching between these expressions, allowing any optional type expression to match any other optional type expression when used with metavariable-type filtering. It's important to note that syntactic pattern matching still distinguishes between these types. (code-6939)

• Add support for pnpm v9 (pnpm)

• Added a new rule option decorators_order_matters, which allows users to make decorators/ non-keyword attributes matching stricter. The default matching for attributes is order-agnostic, but if this rule option is set to true, non-keyword attributes (e.g. decorators in Python) will be matched in order, while keyword attributes (e.g. static, inline, etc) are not affected.

  An example usage will be a rule to detect any decorator that is outside of the route() decorator in Flask, since any decorator outside of the route() decorator takes no effect.

  bad: another.func() takes no effect

  @​another.func("func") @​app.route("route") def f(): pass

  ok: route() is the outermost decorator

  @​app.route("route") @​another.func("func") def f(): pass (saf-435)

Fixed

• Pro: taint-mode: Fixed issue causing findings to be missed (false negatives) when a global or class field was tainted, and then used in a sink after two or more function calls.

  For example:

  class Test {
  

... (truncated)

Commits

• 2e0ca3f chore: Bump version to 1.75.0
• d10868a build-semgrep-pro: restore using the OSS from the PR (semgrep/semgrep-proprie...
• 0bd7ad4semgrep/semgrep-proprietary#1
• b9fb140 fix: Fall back when unable to infer type from svalue (semgrep/semgrep-proprie...
• 788cab2 feat: add new rule option for stricter attributes matching (semgrep/semgrep-p...
• a18fbf1semgrep/semgrep-proprietary#1621
• 5f49461semgrep/semgrep-proprietary#1592
• 92200a5 build-semgrep-pro: restore using the OSS from the PR
• c3f5e89semgrep/semgrep-proprietary#1624
• b64bfae Revert some of austin change, remove notty from semgrep.opam (semgrep/semgrep...
• Additional commits viewable in compare view

Updates mkdocs-material from 9.5.25 to 9.5.26

Release notes

Sourced from mkdocs-material's releases.

mkdocs-material-9.5.26

• Fixed #7232: Tab switches on scroll when linking tabs (9.5.19 regression)
• Fixed #7230: Blog author avatar broken when referring to local file

Changelog

Sourced from mkdocs-material's changelog.

mkdocs-material-9.5.26 (2024-06-06)

• Fixed #7232: Tab switches on scroll when linking tabs (9.5.19 regression)
• Fixed #7230: Blog author avatar broken when referring to local file

mkdocs-material-9.5.25+insiders-4.53.11 (2024-05-27)

• Fixed projects plugin crashing when serving before building subprojects

mkdocs-material-9.5.25 (2024-05-27)

• Fixed #7209: Tags plugin crashing on numeric tags

mkdocs-material-9.5.24+insiders-4.53.10 (2024-05-20)

• Fixed projects plugin crashing in serve mode when disabled
• Fixed projects plugin crashing when building nested projects

mkdocs-material-9.5.24+insiders-4.53.9 (2024-05-20)

• Fixed #7191: Tags listings not rendering when toc_depth is changed

mkdocs-material-9.5.24 (2024-05-20)

• Fixed #7187: Version selector title rendering issue

mkdocs-material-9.5.23 (2024-05-15)

• Fixed #7183: Edge case in anchor navigation when using instant navigation
• Fixed #6436: Version selector not showing version alias

mkdocs-material-9.5.22 (2024-05-12)

• Fixed #7170: Copy button adds empty lines for line spans (9.5.18 regression)
• Fixed #7160: Version switching doesn't stay on page (9.5.5 regression)
• Fixed #5619: Links in Mermaid.js diagrams not discernible

mkdocs-material-9.5.21 (2024-05-03)

• Fixed #7133: Ensure latest version of Mermaid.js is used
• Fixed #7125: Added warning for dotfiles in info plugin

mkdocs-material-9.5.20 (2024-04-29)

• Fixed deprecation warning in privacy plugin (9.5.19 regression)
• Fixed #7119: Tags plugin emits deprecation warning (9.5.19 regression)
• Fixed #7118: Social plugin crashes if fonts are disabled (9.5.19 regression)
• Fixed #7085: Social plugin crashes on Windows when downloading fonts

mkdocs-material-9.5.19+insiders-4.53.8 (2024-04-26)

... (truncated)

Commits

• f887197 Updated changelog
• 0d5a08c Prepare 9.5.26 release
• 1cc45d5 Fixed active tab stolen on scroll with linked content tabs
• b5b7e9d Updated dependencies
• c182598 Added distribution files
• 49ebb9b Improved accessibility of search partial (#7233)
• 5bd843b Updated dependencies
• 0fc36a1 Added support for local author avatars
• 2412a1b Documentation (#7221)
• 6c3f846 Updated custom styles
• Additional commits viewable in compare view

Updates pylint from 3.2.2 to 3.2.3

Commits

• 918d216 Bump pylint to 3.2.3, update changelog
• 8aba7d1 Fix false positive in use-yield-from when using yield return (#9700) (#9701)
• 192727b [multiple-statements] Make pylint compatible with black's 2024 style (#9697) ...
• 7e5e4f9 Fix a false positive for redefined-outer-name (#9678) (#9695)
• See full diff in compare view

Updates pytest from 8.2.1 to 8.2.2

Release notes

Sourced from pytest's releases.

8.2.2

pytest 8.2.2 (2024-06-04)

Bug Fixes

• #12355: Fix possible catastrophic performance slowdown on a certain parametrization pattern involving many higher-scoped parameters.
• #12367: Fix a regression in pytest 8.2.0 where unittest class instances (a fresh one is created for each test) were not released promptly on test teardown but only on session teardown.
• #12381: Fix possible "Directory not empty" crashes arising from concurent cache dir (.pytest_cache) creation. Regressed in pytest 8.2.0.

Improved Documentation

• #12290: Updated Sphinx theme to use Furo instead of Flask, enabling Dark mode theme.
• #12356: Added a subsection to the documentation for debugging flaky tests to mention lack of thread safety in pytest as a possible source of flakyness.
• #12363: The documentation webpages now links to a canonical version to reduce outdated documentation in search engine results.

Commits

• 329d371 Prepare release version 8.2.2
• 214d098 Merge pull request #12414 from bluetech/backport-12409
• 153a436 [8.2.x] fixtures: fix catastrophic performance problem in reorder_items
• b41d5a5 Merge pull request #12412 from pytest-dev/backport-12408-to-8.2.x
• 9bb73d7 [8.2.x] cacheprovider: fix "Directory not empty" crash from cache directory c...
• 4569a01 [8.2.x] doc: Update trainings/events (#12402)
• 1d103e5 [8.2.x] Clarify pytest_ignore_collect docs (#12386)
• 240a252 [8.2.x] Add html_baseurl to sphinx conf.py (#12372)
• a5ee3c4 Merge pull request #12370 from pytest-dev/backport-12368-to-8.2.x
• f7358ae [8.2.x] unittest: fix class instances no longer released on test teardown sin...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

[github-actions[bot]]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 1da79b0b67d207a96c861d49aba08cfc37244c85.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
pip/mkdocs-material	9.5.26	:green_circle: 5.3	Details Check Score Reason Code-Review :warning: 2 Found 6/30 approved changesets -- score normalized to 2 Maintained :green_circle: 10 30 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Security-Policy :warning: 0 security policy file not detected Fuzzing :warning: 0 project is not fuzzed SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts :green_circle: 10 no binaries found in the repo Packaging :green_circle: 10 packaging workflow detected Vulnerabilities :green_circle: 9 1 existing vulnerabilities detected Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/pylint	3.2.3	:green_circle: 7	Details Check Score Reason Code-Review :green_circle: 8 Found 12/14 approved changesets -- score normalized to 8 Maintained :green_circle: 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 License :green_circle: 10 license file detected CII-Best-Practices :green_circle: 5 badge detected: Passing Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases :warning: -1 no releases found Security-Policy :green_circle: 9 security policy file detected Packaging :warning: -1 packaging workflow not detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Fuzzing :warning: 0 project is not fuzzed Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :green_circle: 8 SAST tool detected but not run on all commits Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/pytest	8.2.2	:green_circle: 6.3	Details Check Score Reason Code-Review :green_circle: 9 Found 12/13 approved changesets -- score normalized to 9 Maintained :green_circle: 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: 0 Project has not signed or included provenance with any releases. Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :green_circle: 9 detected GitHub workflow tokens with excessive permissions Security-Policy :warning: 0 security policy file not detected Fuzzing :warning: 0 project is not fuzzed Packaging :green_circle: 10 packaging workflow detected Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/semgrep	1.75.0	Unknown	Unknown
pip/mkdocs-material	9.5.25	:green_circle: 5.3	Details Check Score Reason Code-Review :warning: 2 Found 6/30 approved changesets -- score normalized to 2 Maintained :green_circle: 10 30 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Security-Policy :warning: 0 security policy file not detected Fuzzing :warning: 0 project is not fuzzed SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts :green_circle: 10 no binaries found in the repo Packaging :green_circle: 10 packaging workflow detected Vulnerabilities :green_circle: 9 1 existing vulnerabilities detected Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/pylint	3.2.2	:green_circle: 7	Details Check Score Reason Code-Review :green_circle: 8 Found 12/14 approved changesets -- score normalized to 8 Maintained :green_circle: 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 License :green_circle: 10 license file detected CII-Best-Practices :green_circle: 5 badge detected: Passing Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases :warning: -1 no releases found Security-Policy :green_circle: 9 security policy file detected Packaging :warning: -1 packaging workflow not detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Fuzzing :warning: 0 project is not fuzzed Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :green_circle: 8 SAST tool detected but not run on all commits Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/pytest	8.2.1	:green_circle: 6.3	Details Check Score Reason Code-Review :green_circle: 9 Found 12/13 approved changesets -- score normalized to 9 Maintained :green_circle: 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: 0 Project has not signed or included provenance with any releases. Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :green_circle: 9 detected GitHub workflow tokens with excessive permissions Security-Policy :warning: 0 security policy file not detected Fuzzing :warning: 0 project is not fuzzed Packaging :green_circle: 10 packaging workflow detected Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0
pip/semgrep	1.74.0	Unknown	Unknown
pip/semgrep	1.75.0	Unknown	Unknown
pip/semgrep	1.74.0	Unknown	Unknown

Scanned Manifest Files

poetry.lock

• mkdocs-material@9.5.26
• pylint@3.2.3
• pytest@8.2.2
• semgrep@1.75.0
• mkdocs-material@9.5.25
• pylint@3.2.2
• pytest@8.2.1
• semgrep@1.74.0

pyproject.toml

• semgrep@1.75.0
• semgrep@1.74.0

[github-actions[bot]]

Coverage Report

File	Stmts	Miss	Cover	Missing
semgr8s
__main__.py	16	16	0%	5–29
app.py	78	3	96%	116, 176–177
k8s_api.py	22	2	91%	43–44
updater.py	29	2	93%	49–50
TOTAL	197	23	88%

Tests	Skipped	Failures	Errors	Time
18	0 :zzz:	0 :x:	0 :fire:	2.193s :stopwatch:

[dependabot[bot]]

Looks like these dependencies are no longer updatable, so this is no longer needed.