
chore(deps): bump the pip group across 2 directories with 4 updates#629

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/pip/pip-f1d36037a9

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor

Bumps the pip group with 1 update in the / directory: checkov.
Bumps the pip group with 3 updates in the /src/500-application/506-ros2-connector directory: numpy, pytest and pytest-asyncio.

Updates checkov from 3.2.529 to 3.3.6

Release notes

Sourced from checkov's releases.

3.3.5

Feature

  • general: fix danger node version - #7589

Bug Fix

  • general: retry kustomize/helm install to survive transient GitHub failures - #7591
  • terraform: CKV_AZURE_190 override singular get_expected_value - #7592

3.3.2

Bug Fix

  • terraform_plan: handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 - #7582
  • terraform: pass CKV_GCP_123 when remove_default_node_pool is true - #7575

3.3.1

Feature

  • serverless: disable vars opt out - #7574

3.3.0

  • no noteworthy changes

3.2.534

Feature

  • general: fix regex to include hyphen - #7566

3.2.533

Bug Fix

  • general: increase domain allow list as it blocks prisma release - #7567
  • sca: Kustomize and Helm improvements - #7568
  • terraform: pin security-group module to 5.3.1 in linked-module test - #7570

3.2.532

Feature

  • general: verify ECDSA-P256 signatures on external custom checks before loading - #7556

3.2.531

Feature

  • terraform: add CKV_AWS_393 for GitHub OIDC trust on aws_iam_role - #7561

3.2.530

Bug Fix

  • serverless: disable env/file variable resolution by default - #7554
Changelog

Sourced from checkov's changelog.

CHANGELOG

Unreleased

3.3.5 - 2026-06-29

Feature

  • general: fix danger node version - #7589

Bug Fix

  • general: retry kustomize/helm install to survive transient GitHub failures - #7591
  • terraform: CKV_AZURE_190 override singular get_expected_value - #7592

3.3.2 - 2026-06-23

Bug Fix

  • terraform_plan: handle computed log_bucket in CKV_GCP_62 and CKV_GCP_63 - #7582
  • terraform: pass CKV_GCP_123 when remove_default_node_pool is true - #7575

3.3.1 - 2026-06-11

Feature

  • serverless: disable vars opt out - #7574

3.3.0 - 2026-06-10

  • no noteworthy changes

3.2.534 - 2026-06-09

Feature

  • general: fix regex to include hyphen - #7566

3.2.533 - 2026-06-04

Bug Fix

  • general: increase domain allow list as it blocks prisma release - #7567
  • sca: Kustomize and Helm improvements - #7568
  • terraform: pin security-group module to 5.3.1 in linked-module test - #7570

3.2.532 - 2026-06-02

Feature

... (truncated)

Commits
  • 4f04622 Merge 295d3c344d020ebf7b97b63d810e1d25a68309b1 into 9c6a42eabe339592684d196ad...
  • 9c6a42e fix(terraform): prevent crash in S3AllowsAnyPrincipal with unparsed v… (#7581)
  • d32961a chore: update release notes
  • 07a94fe Merge a5dfacf9f3fb4d597825bfbbb9794ee44431fb96 into 0896e312b080f94b4be25fd45...
  • b257af8 fix(terraform): CKV_AZURE_190 override singular get_expected_value (#7592)
  • 0896e31 feat(general): fix danger node version (#7589)
  • f47b0cd fix(general): retry kustomize/helm install to survive transient GitHub failur...
  • 2e66fad feat(general): fix danger node version (#7589)
  • 6b8a613 feat(general): fix danger node version (#7589)
  • 63dad53 chore: update release notes
  • Additional commits viewable in compare view

Updates numpy from 2.4.6 to 2.5.0

Release notes

Sourced from numpy's releases.

v2.5.0 (June 21, 2026)

NumPy 2.5.0 Release Notes

Numpy 2.5.0 is a transitional release. It drops support for Python 3.11, marking the end of distutils, and expires a large number of deprecations made in the 2.0.x release. It also improves free threading and brings sorting into compliance with the array-api standard with the addition of descending sorts. There is also a fair amount of preparation for Python 3.15, which will be supported starting with the first rc.

This release supports Python versions 3.12-3.14.

Highlights

  • Distutils has been removed.
  • Many expired deprecations, see below.
  • Many new deprecations, see below.
  • Many static typing improvements.
  • Improved support for free threading.
  • Support for descending sorts.

See New Features below for other additions.

Deprecations

  • numpy.char.chararray is deprecated. Use an ndarray with a string or bytes dtype instead.

    (gh-30605)

  • numpy.take now correctly checks if the result can be cast to the provided out=out under the same-kind rule. A DeprecationWarning is given now when this check fails. Previously, take incorrectly checked if out could be cast to the result (the wrong direction). This deprecation also affects compress and possibly other functions. (Future versions of NumPy may tighten the casting check further.)

    (gh-30615)

  • The numpy.char.[as]array functions are deprecated. Use a numpy.[as]array with a string or bytes dtype instead.

    (gh-30802)

  • Setting the dtype attribute is deprecated because mutating an array is unsafe if an array is shared, especially by multiple threads. As an alternative, you can create a view with a new dtype via array.view(dtype=new_dtype).

    (gh-29244)

... (truncated)

Changelog

Sourced from numpy's changelog.

This is a walkthrough of the NumPy 2.4.0 release on Linux, which will be the first feature release using the numpy/numpy-release (https://github.com/numpy/numpy-release) repository.

The commands can be copied into the command line, but be sure to replace 2.4.0 with the correct version. This should be read together with the general release guide (prepare_release).

Facility preparation

Before beginning to make a release, use the requirements/*_requirements.txt files to ensure that you have the needed software. Most software can be installed with pip, but some will require apt-get, dnf, or whatever your system uses for software. You will also need a GitHub personal access token (PAT) to push the documentation. There are a few ways to streamline things:

  • Git can be set up to use a keyring to store your GitHub personal access token. Search online for the details.

Prior to release

Add/drop Python versions

When adding or dropping Python versions, multiple config and CI files need to be edited in addition to changing the minimum version in pyproject.toml. Make these changes in an ordinary PR against main and backport if necessary. We currently release wheels for new Python versions after the first Python RC once manylinux and cibuildwheel support that new Python version.

Backport pull requests

Changes that have been marked for this release must be backported to the maintenance/2.4.x branch.

Update 2.4.0 milestones

Look at the issues/prs with 2.4.0 milestones and either push them off to a later version, or maybe remove the milestone. You may need to add a milestone.

Check the numpy-release repo

... (truncated)

Commits
  • 6910b28 Merge pull request #31706 from charris/prepare-2.5.0-release
  • e0acd2b REL: Prepare for the NumPy 2.5.0 release.
  • 8d928b7 Merge pull request #31704 from charris/backport-31649
  • c2055ba MAINT: update openblas to 0.3.33.112.0 (#31649)
  • ce17c81 Merge pull request #31703 from charris/backport-31609
  • 3de6203 BUG: fix StringDType distinct-allocator bugs and add tests (#31609)
  • c723971 Merge pull request #31700 from charris/backport-31694
  • 64513b2 MAINT: Bump pypa/cibuildwheel from 3.4.1 to 4.1.0
  • 04707f0 Merge pull request #31698 from charris/try-fix-emscripten
  • 5cf0686 MAINT: Try to fix emscripten wheel build.
  • Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

  • #14220: Fixed a logic bug in pytest.RaisesGroup which might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
  • #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
  • #14606: Fixed list-item typing errors from mypy in the argvalues parameter of @pytest.mark.parametrize.
  • #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

  • #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

    If this is undesirable, move the fixture definition to a conftest.py file if possible.

    Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

  • #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use the @classmethod decorator instead -- by yastcher.

    See 10819 and 14011.

  • #12882: Calling request.getfixturevalue() during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

    See dynamic-fixture-request-during-teardown for details.

  • #13409: Using non-collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize and metafunc.parametrize is now deprecated.

    These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

    See parametrize-iterators for details and suggestions.

  • #13946: The private config.inicfg attribute is now deprecated. Use config.getini() to access configuration values instead.

    See config-inicfg for more details.

  • #14004: Passing baseid to pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits
  • cf470ec Prepare release version 9.1.1
  • e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
  • 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
  • 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
  • b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
  • 9a567e0 [automated] Update plugin list (#14617) (#14618)
  • ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
  • 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
  • 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
  • 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
  • Additional commits viewable in compare view

Updates pytest-asyncio from 1.3.0 to 1.4.0

Release notes

Sourced from pytest-asyncio's releases.

pytest-asyncio v1.4.0

1.4.0 - 2026-05-26

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)
  • Updated minimum supported pytest version to v8.4.0. (#1397)

Fixed

  • Fixed a ResourceWarning: unclosed event loop warning that could occur when a synchronous test called asyncio.run() or otherwise unset the current event loop after pytest-asyncio had run an async test or fixture. (#724)

Notes for Downstream Packagers

  • Added dependency on sphinx-tabs >= 3.5 to organize documentation examples into tabs. (#1395)

pytest-asyncio v1.4.0a2

1.4.0a2 - 2026-05-02

Deprecated

  • Overriding the event_loop_policy fixture is deprecated. Use the pytest_asyncio_loop_factories hook instead. (#1419)

Added

  • Added the pytest_asyncio_loop_factories hook to parametrize asyncio tests with custom event loop factories.

    The hook returns a mapping of factory names to loop factories, and pytest.mark.asyncio(loop_factories=[...]) selects a subset of configured factories per test. When a single factory is configured, test names are unchanged on pytest 8.4+.

    Synchronous @pytest_asyncio.fixture functions now see the correct event loop when custom loop factories are configured, even when test code disrupts the current event loop (e.g., via asyncio.run() or asyncio.set_event_loop(None)). (#1164)

Changed

  • Improved the readability of the warning message that is displayed when asyncio_default_fixture_loop_scope is unset (#1298)
  • Only import asyncio.AbstractEventLoopPolicy for type checking to avoid raising a DeprecationWarning. (#1394)

... (truncated)

Commits
  • 6e14cd2 chore: Prepare release of v1.4.0.
  • 4b900fb Build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1
  • ab9f632 Build(deps): Bump zipp from 3.23.1 to 4.1.0
  • a56fc77 Build(deps): Bump hypothesis from 6.152.6 to 6.152.8
  • e8bae9b Build(deps): Bump requests from 2.34.0 to 2.34.2
  • fc43340 Build(deps): Bump idna from 3.14 to 3.15
  • 762eaf5 Build(deps): Bump jaraco-functools from 4.4.0 to 4.5.0
  • b62e222 Build(deps): Bump click from 8.3.3 to 8.4.0
  • 9190447 Build(deps): Bump pydantic from 2.13.3 to 2.13.4
  • 82a393c ci: Remove unnecessary debug output.
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Dependency updates security Security-related changes or concerns labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team June 22, 2026 16:10
dependabot Bot commented on behalf of github Jun 22, 2026

Contributor Author

Labels

The following labels could not be found: pip. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions Bot commented Jun 22, 2026

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

requirements.txt

| Name | Version | Vulnerability | Severity |
| --- | --- | --- | --- |
| ecdsa | 0.19.2 | Minerva timing attack on P-256 in python-ecdsa | high |

Only included vulnerabilities with severity high or higher.

License Issues

requirements.txt

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| numpy | 2.5.0 | Null | Unknown License |
| checkov | 3.3.5 | Null | Unknown License |
| ecdsa | 0.19.2 | Null | Unknown License |

src/500-application/506-ros2-connector/services/requirements.base.txt

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| numpy | 2.5.0 | Null | Unknown License |
| pytest | 9.1.1 | Null | Unknown License |
| pytest-asyncio | 1.4.0 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| pip/ecdsa | 0.19.2 | 🟢 6 | see details below |
| pip/aiohttp | 3.13.5 | Unknown | Unknown |
| pip/checkov | 3.3.5 | 🟢 7 | see details below |
| pip/numpy | 2.5.0 | Unknown | Unknown |
| pip/numpy | 2.5.0 | Unknown | Unknown |
| pip/pytest | 9.1.1 | Unknown | Unknown |
| pip/pytest-asyncio | 1.4.0 | Unknown | Unknown |

Details for pip/ecdsa 0.19.2 (score 🟢 6):

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 10 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 3 | Found 5/15 approved changesets -- score normalized to 3 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | 🟢 10 | project is fuzzed |
| License | 🟢 9 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 8 | SAST tool detected but not run on all commits |

Details for pip/checkov 3.3.5 (score 🟢 7):

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 10 | 30 commit(s) out of 30 and 7 issue activity out of 30 found in the last 90 days -- score normalized to 10 |
| Code-Review | 🟢 3 | 11 out of last 30 changesets reviewed before merge -- score normalized to 3 |
| Vulnerabilities | 🟢 10 | no vulnerabilities detected |
| CII-Best-Practices | ⚠️ 2 | badge detected: in_progress |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | 🟢 6 | branch protection is not maximal on development and all release branches |
| Token-Permissions | ⚠️ 0 | non read-only tokens detected in GitHub workflows |
| Security-Policy | 🟢 10 | security policy file detected |
| License | 🟢 10 | license file detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | 🟢 10 | publishing workflow detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |

Scanned Files

  • requirements.txt
  • src/500-application/506-ros2-connector/services/requirements.base.txt

@dependabot dependabot Bot force-pushed the dependabot/pip/pip-f1d36037a9 branch 2 times, most recently from c55b0aa to ae035ea (June 26, 2026 15:09)
@katriendg

Collaborator

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/pip/pip-f1d36037a9 branch from ae035ea to ba9204b (June 30, 2026 09:17)
bindsi pushed a commit that referenced this pull request Jun 30, 2026
…642)

## Description

The *Dependency Review* gate in the **PR Validation** workflow was
failing on the open Dependabot pip-group update (#629). Its only
high-severity finding was **ecdsa 0.19.2** (*GHSA-wj6h-64fc-37mp*,
"Minerva timing attack on P-256"), a **new transitive dependency**
introduced by the *checkov* 3.2.529 → 3.3.5 bump. The advisory has no
fixed upstream version, so no dependency bump can satisfy
`fail-on-severity: high`.

This change adds a narrowly-scoped `allow-ghsas` entry for that single
advisory to the *Dependency Review* step in
[.github/workflows/pr-validation.yml](.github/workflows/pr-validation.yml),
with inline comments documenting the rationale and a pointer to
re-evaluate when *checkov* drops the *ecdsa* dependency. No other
workflow settings change.

## Related Issue

Fixes #641

## Type of Change
<!-- What type of change does this PR introduce? Mark relevant options
with 'x' -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [ ] Documentation update
- [x] CI/CD pipeline change
- [ ] Other (please describe):

## Implementation Details

Added `allow-ghsas: GHSA-wj6h-64fc-37mp` to the
`actions/dependency-review-action` step within the `dependency-scan`
job. The `fail-on-severity: high`, `warn-on-openssf-scorecard-level: 3`,
and `comment-summary-in-pr: on-failure` settings are unchanged, so the
gate still fails on every other high-or-higher advisory. Two preceding
comments record that *ecdsa* is affected by a side-channel with no
upstream fix, that it is transitive via *checkov*, and that the
suppression should be revisited when that dependency is dropped.

## Testing Performed
<!-- Describe the testing you have performed or plan to perform -->
- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [ ] Unit tests
- [ ] Integration tests
- [ ] Bug fix includes regression test (see [Test
Policy](docs/contributing/testing-validation.md))
- [ ] Manual validation
- [ ] Other:

## Validation Steps

1. Re-run (or rebase) Dependabot PR #629 and confirm the **Dependency
Scan** check now passes.
2. Confirm an unrelated high-severity advisory still fails the gate (no
broadening of the suppression beyond *GHSA-wj6h-64fc-37mp*).

## Checklist
<!-- Mark relevant options with 'x' -->
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be
committed
- [ ] Lint checks pass (run applicable linters for changed file types)

## Security Review
<!-- Required for PRs touching security-sensitive paths:
     - SECURITY.md
     - src/000-cloud/010-security-identity/
     - deploy/
PRs modifying these paths require the `security-reviewed` label before
merge. -->

- [x] No credentials, secrets, or tokens are hardcoded or logged
- [x] RBAC and identity changes follow least-privilege principles
- [x] No new network exposure or public endpoints introduced without
justification
- [x] Dependency additions or updates have been reviewed for known
vulnerabilities
- [ ] Container image changes use pinned digests or SHA references

## Additional Notes

This intentionally suppresses one known advisory (*GHSA-wj6h-64fc-37mp*)
because no patched *ecdsa* release exists; the python-ecdsa maintainers
treat the Minerva side-channel as out of scope. The suppression mirrors
the existing transitive-with-no-fix pattern documented in
[osv-scanner.toml](osv-scanner.toml) (which feeds osv-scanner rather
than the Dependency Review action). Re-evaluate and remove the entry
once *checkov* no longer pulls in *ecdsa*.

## Screenshots (if applicable)
<!-- Add screenshots to show the changes, if applicable -->
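The gate semantics the commit message above relies on (a finding blocks when its severity is at or above `fail-on-severity`, unless its advisory id is in `allow-ghsas`) and its two validation steps, as an added Python model; this is not the project's workflow or the action's own code, and the unrelated advisory ids and package names are constructed placeholders.

```python
"""Model of the Dependency Review gate described in the PR.

Added example (not the project's workflow): a finding blocks the merge when
its severity is at or above fail-on-severity unless its GHSA id is
allow-listed. Severity ordering follows the low/moderate/high/critical
levels accepted by actions/dependency-review-action's fail-on-severity.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# The single advisory the PR suppresses (values taken from the page).
SUPPRESSED_GHSA = "GHSA-wj6h-64fc-37mp"


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    ghsa: str
    severity: str
    summary: str


def evaluate_gate(findings, fail_on_severity="high", allow_ghsas=()):
    """Return (passed, blocking, suppressed).

    blocking   - findings at/above the threshold that are not allow-listed
    suppressed - findings at/above the threshold that were allow-listed
    Findings below the threshold (or with an unrecognised severity) are
    neither blocking nor suppressed, mirroring a threshold-based gate.
    """
    threshold = SEVERITY_RANK[fail_on_severity.lower()]
    allowed = {g.strip().upper() for g in allow_ghsas}
    blocking, suppressed = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity.lower(), 0) < threshold:
            continue
        if f.ghsa.upper() in allowed:
            suppressed.append(f)
        else:
            blocking.append(f)
    return (not blocking, blocking, suppressed)


# Finding reported on this PR (from the page).
ECDSA_MINERVA = Finding("ecdsa", "0.19.2", SUPPRESSED_GHSA, "high",
                        "Minerva timing attack on P-256 in python-ecdsa")
# Constructed placeholders: an unrelated high advisory and a moderate one.
UNRELATED_HIGH = Finding("example-pkg", "1.0.0", "GHSA-xxxx-xxxx-xxxx",
                         "high", "constructed placeholder advisory")
MODERATE_ONLY = Finding("other-pkg", "2.0.0", "GHSA-yyyy-yyyy-yyyy",
                        "moderate", "constructed placeholder advisory")


def validation_step_1():
    """Step 1: with the suppression in place the Dependabot PR passes."""
    passed, blocking, suppressed = evaluate_gate(
        [ECDSA_MINERVA, MODERATE_ONLY], "high", [SUPPRESSED_GHSA])
    return passed and not blocking and suppressed == [ECDSA_MINERVA]


def validation_step_2():
    """Step 2: an unrelated high-severity advisory still fails the gate."""
    passed, blocking, _ = evaluate_gate(
        [ECDSA_MINERVA, UNRELATED_HIGH], "high", [SUPPRESSED_GHSA])
    return (not passed) and blocking == [UNRELATED_HIGH]


def suppression_is_narrow(allow_ghsas):
    """Guard against broadening: exactly the one documented advisory."""
    return [g.strip().upper() for g in allow_ghsas] == [SUPPRESSED_GHSA.upper()]


if __name__ == "__main__":
    print("step 1 passes:", validation_step_1())
    print("step 2 fails as expected:", validation_step_2())
```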
@katriendg

Collaborator

@dependabot rebase

Bumps the pip group with 1 update in the / directory: [checkov](https://github.com/bridgecrewio/checkov).
Bumps the pip group with 3 updates in the /src/500-application/506-ros2-connector directory: [numpy](https://github.com/numpy/numpy), [pytest](https://github.com/pytest-dev/pytest) and [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio).


Updates `checkov` from 3.2.529 to 3.3.6
- [Release notes](https://github.com/bridgecrewio/checkov/releases)
- [Changelog](https://github.com/bridgecrewio/checkov/blob/main/CHANGELOG.md)
- [Commits](bridgecrewio/checkov@3.2.529...3.3.6)

Updates `numpy` from 2.4.6 to 2.5.0
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](numpy/numpy@v2.4.6...v2.5.0)

Updates `pytest` from 9.0.3 to 9.1.1
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.1)

Updates `pytest-asyncio` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases)
- [Commits](pytest-dev/pytest-asyncio@v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: checkov
  dependency-version: 3.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: numpy
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest
  dependency-version: 9.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
- dependency-name: pytest-asyncio
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/pip/pip-f1d36037a9 branch from ba9204b to 0c279fc (June 30, 2026 13:26)
ecdsa 0.19.2 is a new transitive dependency pulled in by checkov 3.3.6.
The package is unmaintained with no upstream fix for the Minerva timing
attack (P-256). Already allow-listed in dependency-review-action; adding
consistent coverage in grype config. Re-evaluate when checkov drops ecdsa.

Refs: #641