Update maintenance

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v6.0.2 → v6.0.3
black (changelog)		minor	==26.3.1 → ==26.5.1
click (changelog)		minor	==8.3.3 → ==8.4.1
distlib		patch	==0.4.0 → ==0.4.1
filelock		patch	==3.29.0 → ==3.29.1
pglast (changelog)	install	minor	==7.13 → ==7.14
pglast (changelog)		minor	==7.13 → ==7.14
platformdirs (changelog)		minor	==4.9.6 → ==4.10.0
slackapi/slack-github-action	action	patch	v3.0.2 → v3.0.3
step-security/harden-runner	action	patch	v2.19.0 → v2.19.4
tox (changelog)		minor	==4.53.0 → ==4.55.1
virtualenv		minor	==21.3.0 → ==21.4.2

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

psf/black (black)

v26.5.1

Compare Source

Stable style

• Fix unstable formatting of annotated assignments whose subscript annotation contains
  an inline comment (e.g. x: list[ # pyright: ignore[...]) (#​5130)
• Preserve inline comments (including # type: ignore) immediately before a
  # fmt: skip line, avoiding AST equivalence failures (#​5139)

Packaging

• Correct the version in the published executables (#​5137)

Documentation

• Add Neovim integration guide covering conform.nvim, ALE, and simple command approaches
  (#​5124)

v26.5.0

Compare Source

Highlights

• Add support for unpacking in comprehensions (PEP 798) and for lazy imports (PEP 810),
  both new syntactic features in Python 3.15 (#​5048)
• Python 3.15 is now supported. Compiled wheels are not yet provided for Python 3.15, so
  performance may be slower than on existing Python versions. Wheels will be provided
  once Python 3.15 is later in its release cycle. (#​5127)

Stable style

• Fix # fmt: skip being ignored in nested if expressions with parenthesized in
  clauses (#​4903)
• Add syntactic support for Python 3.15 (#​5048)
• Fix crash when an f-string follows a # fmt: off comment inside brackets (#​5097)
• Preserve multiline compound statement headers when # fmt: skip is placed on the
  colon line (#​5117)

Preview style

• Improve heuristics around whether blank lines should appear before, within and after
  groups of same-name decorated functions (such as @overload groups) in .pyi stub
  files (#​5021)
• Fix blank lines being removed between a function and a decorated class in .pyi stub
  files (#​5092)
• Prevent string merger from creating unsplittable long lines when a pragma comment
  (e.g. # type: ignore) follows the closing bracket (#​5096)

Packaging

• Run CI on 3.15 (#​5127)

Output

• Improve parse error readability by showing multi-line output with an error pointer.
  (#​5068)
• Add SourceASTParseError to distinguish source parse failures from internal safety
  errors, improving error reporting when Black's lenient parser accepts input that
  ast.parse() rejects (#​5080)

Blackd

• Return HTTP 400 (Bad Request) for source parse failures instead of HTTP 500, keeping
  HTTP 500 only for genuine internal safety errors (#​5080)

Integrations

• Added documentation for doctest formatting tools and updated the integrations index to
  match (#​4916)

Documentation

• Use "Version X.Y.Z" headings in changelog for stable permalink anchors on ReadTheDocs
  (#​5063)
• Note in the editor integrations that the SublimeText sublack plugin is archived and
  unmaintained (#​5082)

pallets/click (click)

v8.4.1

Compare Source

Released 2026-05-21

• get_parameter_source() is available during eager callbacks and type
  conversion again. :issue:3458 :issue:3484
• Zsh completion scripts parse correctly on Windows. :issue:3277 :pr:3466
• Shell completion of Choice Enum values produces a valid completion
  result. :issue:3015
• Fix empty byte-string handling in echo. :issue:3487
• Fix closed file error with echo_via_pager. :issue:3449

v8.4.0

Compare Source

Released 2026-05-17

• :class:ParamType typing improvements. :pr:3371

  • :class:ParamType is now a generic abstract base class,
    parameterized by its converted value type.
  • :meth:~ParamType.convert return types are narrowed on all
    concrete types (str for :class:STRING, int for
    :class:INT, etc.).
  • :meth:~ParamType.to_info_dict returns specific
    :class:~typing.TypedDict subclasses instead of
    dict[str, Any].
  • :class:CompositeParamType and the number-range base are now
    generic with abstract methods.

• Refactor convert_type to extract type inference into a private
  _guess_type helper, and add :func:typing.overload signatures.
  :pr:3372

• :class:Parameter typing improvements. :pr:2805

  • :class:Parameter is now an abstract base class, making explicit
    that it cannot be instantiated directly.
  • :attr:Parameter.name is now str instead of str | None.
    When expose_value=False, the name is set to "" instead
    of None.
  • The ctx parameter of :meth:Parameter.get_error_hint is now
    typed as Context | None, matching the runtime behavior.

• Split string values from default_map for parameters with nargs > 1
  or :class:Tuple type, matching environment variable behavior.
  :issue:2745 :pr:3364

• Auto-detect type=UNPROCESSED for flag_value of non-basic types
  (not str, int, float, or bool), so programmer-provided
  Python objects like classes and enum members are passed through unchanged
  instead of being stringified. Previously type=click.UNPROCESSED had
  to be set explicitly. :issue:2012 :pr:3363

• The error hint now uses :meth:Command.get_help_option_names to pick
  non-shadowed help option names, so Try '... -h' no longer points to a
  subcommand option that shadows -h. The longest surviving name is
  shown (--help over -h) for readability. :issue:2790 :pr:3208

• Fix readline functionality on non-Windows platforms. Prompt text is now
  passed directly to readline instead of being printed separately, allowing
  proper backspace, line editing, and line wrapping behavior. :issue:2968
  :pr:2969

• Use :func:os.startfile on Windows to open URLs in :func:open_url,
  replacing the start built-in which cannot be invoked without
  shell=True. :issue:3164 :pr:3186

• Fix Fish shell completion errors when option help text contains newlines.
  :issue:3043 :pr:3126

• Add :class:NoSuchCommand exception with suggestions for misspelled
  commands. :issue:3107 :pr:3228

• Use :class:ValueError message when conversion in :class:FuncParamType would
  fail. :issue:3105 :pr:3211

• Add click.get_pager_file for file-like access to an output
  pager. :pr:1572 :pr:3405

• :func:~click.formatting.wrap_text now measures line width in visible
  characters, ignoring ANSI escape sequences. :pr:3420

• Fix :meth:HelpFormatter.write_usage emitting only a blank line when
  called without args. The usage prefix and program name are now
  written even when no arguments follow, and the trailing separator
  space is stripped so the line ends at the program name.
  :issue:3360 :pr:3434

• Show custom error messages from types when :func:prompt with
  hide_input=True fails validation, instead of always showing a
  generic message. Built-in type messages mask the input value.
  :issue:2809 :pr:3256

• Add capture parameter to :class:CliRunner with two modes: sys
  (default) and fd. fd redirects file descriptors 1 and 2
  via :func:os.dup2 so output that bypasses sys.stdout (stale stream
  references, C extensions, subprocesses, faulthandler) is captured
  with proper isolation. :issue:854 :issue:2412 :issue:2468
  :issue:2497 :issue:2761 :issue:2827 :issue:2865 :pr:3391

• Revert the 8.3.3 change that exposed the original file descriptor
  via fileno() on the redirected CliRunner streams in the default
  capture mode. os.dup2(w, sys.stdout.fileno()) calls inside a CLI no
  longer mutate the host runner's stdout, which broke Pytest's fd-level
  capture teardown. C-level consumers that need a real fd should use
  capture="fd". :issue:3384 :pr:3391

• Mark additional built-in strings with gettext() to extend translation
  coverage. :pr:2902

• Fix feature switch groups (several flag_value options sharing one
  parameter name) silently dropping an explicit default when a sibling
  option without an explicit default was declared first. Arbitration is now
  source-aware: a more explicit :class:ParameterSource always wins, and
  within ParameterSource.DEFAULT, an option that received an explicit
  default= keyword wins over a sibling whose default was auto-derived.
  The 8.3.x first-wins fallback for remaining ties was reverted to the
  pre-8.3.x last-wins fallback. :issue:3403 :pr:3404

• Fix missing space between option help text and the (DEPRECATED)
  label, and localize the option label so it matches the command label.
  The label and the DeprecationWarning reason suffix are now produced
  by shared helpers. :pr:3423

• Document short option stacking (-abc is parsed as -a -b -c) and
  clarify that multi-character short option names are not supported.
  :issue:2779 :pr:3431

pypa/distlib (distlib)

v0.4.1

Compare Source

tox-dev/py-filelock (filelock)

v3.29.1

Compare Source

What's Changed

• docs: fix API docs of release() by @​MrAnno in tox-dev/filelock#540
• docs: clarify per-thread scope of FileLock configuration by @​Gares95 in tox-dev/filelock#543
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#542
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#544
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#545
• 🐛 fix(soft): refuse to follow symlinks when reading the lock file by @​dxbjavid in tox-dev/filelock#548

New Contributors

• @​MrAnno made their first contribution in tox-dev/filelock#540
• @​Gares95 made their first contribution in tox-dev/filelock#543
• @​lphuc2250gma made their first contribution in tox-dev/filelock#542
• @​dxbjavid made their first contribution in tox-dev/filelock#548

Full Changelog: tox-dev/filelock@3.29.0...3.29.1

lelit/pglast (pglast)

v7.14

Compare Source

tox-dev/platformdirs (platformdirs)

v4.10.0

Compare Source

What's Changed

• chore: improve platformdirs maintenance path by @​lphuc2250gma in #​488
• ✨ feat: add user_projects_dir for $XDG_PROJECTS_DIR by @​gaborbernat in #​490
• ✨ feat: add user_publicshare_dir, user_templates_dir, user_fonts_dir, user_preference_dir by @​gaborbernat in #​491

New Contributors

• @​lphuc2250gma made their first contribution in #​488

Full Changelog: tox-dev/platformdirs@4.9.6...4.10.0

slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.3

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed

• Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

tox-dev/tox (tox)

v4.55.1

Compare Source

What's Changed

• 🐛 fix(config): propagate overrides through config references by @​tales-aparecida in #​3951

New Contributors

• @​tales-aparecida made their first contribution in #​3951

Full Changelog: tox-dev/tox@4.55.0...4.55.1

v4.55.0

Compare Source

What's Changed

• 👷 ci(schemastore): sync fork before pushing branch by @​gaborbernat in #​3942
• feat: Also pass TERMINFO when in an interactive shell by @​edgarrmondragon in #​3946
• 🐛 fix(pip): skip constrain_package_deps when constraints is set by @​gaborbernat in #​3948

Full Changelog: tox-dev/tox@4.54.0...4.55.0

v4.54.0

Compare Source

What's Changed

• 🧪 test(conftest): strip broken nspkg.pth files under py3.15 by @​gaborbernat in #​3937
• ✨ feat(packaging): declare tox.pytest deps via a testing extra by @​gaborbernat in #​3940
• 🐛 fix(schema): cover every replace form in the TOML schema by @​gaborbernat in #​3941

Full Changelog: tox-dev/tox@4.53.1...4.54.0

v4.53.1

Compare Source

What's Changed

• 🐛 fix(security): harden user-facing logs and untrusted inputs by @​gaborbernat in #​3924
• 🐛 fix(type): correct argparse override signatures for ty 0.0.33 by @​gaborbernat in #​3932
• fix: allow deps arrays in TOML schema by @​cyphercodes in #​3931

New Contributors

• @​cyphercodes made their first contribution in #​3931

Full Changelog: tox-dev/tox@4.53.0...4.53.1

pypa/virtualenv (virtualenv)

v21.4.2

Compare Source

What's Changed

• 🐛 fix(activation): silence deactivate hash -r under set -e by @​gaborbernat in #​3152

Full Changelog: pypa/virtualenv@21.4.1...21.4.2

v21.4.1

Compare Source

What's Changed

• 🐛 fix(create): debug build venvlauncher lookup on Windows 3.13+ by @​gaborbernat in #​3151

Full Changelog: pypa/virtualenv@21.4.0...21.4.1

v21.4.0

Compare Source

What's Changed

• Fix Mermaid flowchart rendering by @​Herrtian in #​3147
• ♻️ refactor(create): remove dead code and document droppable paths by @​gaborbernat in #​3149
• ✨ feat(create): support Windows debug builds and remove dead code by @​gaborbernat in #​3150

New Contributors

• @​Herrtian made their first contribution in #​3147

Full Changelog: pypa/virtualenv@21.3.3...21.4.0

v21.3.3

Compare Source

What's Changed

• Accept GraalPy implementation name. by @​timfel in #​3144

Full Changelog: pypa/virtualenv@21.3.2...21.3.3

v21.3.2

Compare Source

What's Changed

• add 3.16 to embedded wheel versions by @​asottile in #​3140
• 🐛 fix(upgrade): regen embedded init with correct MAX and 3.16 by @​gaborbernat in #​3143

Full Changelog: pypa/virtualenv@21.3.1...21.3.2

v21.3.1

Compare Source

What's Changed

• 👷 ci: retry transient apt failures on Linux by @​gaborbernat in #​3139
• 🐛 fix(seed): bump embedded pip to 26.1.1 by @​gaborbernat in #​3138

Full Changelog: pypa/virtualenv@21.3.0...21.3.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "every month"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}