Bump mypy from 1.19.1 to 1.20.1

[dependabot]

Bumps mypy from 1.19.1 to 1.20.1.

Changelog

Sourced from mypy's changelog.

Mypy 1.20.1

• Always disable sync in SQLite cache (Ivan Levkivskyi, PR 21184)
• Temporarily skip few base64 tests (Ivan Levkivskyi, PR 21193)
• Revert dict.__or__ typeshed change (Ivan Levkivskyi, PR 21186)
• Fix narrowing for match case with variadic tuples (Shantanu, PR 21192)
• Avoid narrowing type[T] in type calls (Shantanu, PR 21174)
• Fix regression for catching empty tuple in except (Shantanu, PR 21153)
• Fix reachability for frozenset and dict view narrowing (Shantanu, PR 21151)
• Fix narrowing with chained comparison (Shantanu, PR 21150)
• Avoid narrowing to unreachable at module level (Shantanu, PR 21144)
• Allow dangerous identity comparisons to Any typed variables (Shantanu, PR 21142)
• --warn-unused-config should not be a strict flag (Ivan Levkivskyi, PR 21139)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• A5rocks
• Aaron Wieczorek
• Adam Turner
• Ali Hamdan
• asce
• BobTheBuidler
• Brent Westbrook
• Brian Schubert
• bzoracler
• Chris Burroughs
• Christoph Tyralla
• Colin Watson
• Donghoon Nam
• E. M. Bray
• Emma Smith
• Ethan Sarp
• George Ogden
• getzze
• grayjk
• Gregor Riepl
• Ivan Levkivskyi
• James Hilliard
• James Le Cuirot
• Jeremy Nimmer
• Joren Hammudoglu
• Kai (Kazuya Ito)
• kaushal trivedi
• Kevin Kannammalil
• Lukas Geiger
• Łukasz Langa
• Marc Mueller
• Michael R. Crusoe
• michaelm-openai

... (truncated)

Commits

• c60e8bf Bump version to 1.20.1
• 842e492 Always disable sync in SQLite cache (#21184)
• e82a046 Temporarily skip few base64 tests (#21193)
• f7fa418 Revert dict.or typeshed change (#21186)
• a2e8ee1 Fix narrowing for match case with variadic tuples (#21192)
• 521f88f Avoid narrowing type[T] in type calls (#21174)
• a4876e9 Fix regression for catching empty tuple in except (#21153)
• 6fccffc Fix reachability for frozenset and dict view narrowing (#21151)
• de50419 Fix narrowing with chained comparison (#21150)
• eafcf18 Avoid narrowing to unreachable at module level (#21144)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mypy@​1.19.1 ⏵ 1.20.1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): pypi mypy is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of intentional malware (no network exfiltration, credential theft, persistence, or cryptomining logic is present). However, the module is inherently high-risk if inputs/workspace are untrusted: it dynamically executes setup.py via exec(file_contents), compiles test-generated code into native extensions, and then executes them through a subprocess-driven driver. Treat this as test-only/controlled-environment code; in an attacker-influenced supply-chain scenario, it could enable arbitrary local code execution through the exec() and build/run pipeline. Confidence: 1.00 Severity: 0.60 From: pyproject.toml → pypi/mypy@1.20.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/mypy@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 9 more rows in the dashboard

View full report

[dependabot]

Superseded by #155.