GHA: Bump the pip-dependencies group across 2 directories with 5 updates

[dependabot]

Updates the requirements on ruff, impacket, cryptography, filelock and pytest to permit the latest version.
Updates ruff from 0.15.7 to 0.15.12

Release notes

Sourced from ruff's releases.

0.15.12

Release Notes

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#23599)
• Implement #ruff:ignore logical-line suppressions (#23404)
• Revert preview changes to displayed diagnostic severity in LSP (#24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
• [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

• Respect default Unix permissions for cache files (#24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
• Improve rules table accessibility (#24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

Install ruff 0.15.12

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.12/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.12

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#23599)
• Implement #ruff:ignore logical-line suppressions (#23404)
• Revert preview changes to displayed diagnostic severity in LSP (#24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
• [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

• Respect default Unix permissions for cache files (#24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
• Improve rules table accessibility (#24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

0.15.11

Released on 2026-04-16.

Preview features

• [ruff] Ignore RUF029 when function is decorated with asynccontextmanager (#24642)
• [airflow] Implement airflow-xcom-pull-in-template-string (AIR201) (#23583)
• [flake8-bandit] Fix S103 false positives and negatives in mask analysis (#24424)

... (truncated)

Commits

• 66f93cf Bump 0.15.12 (#24815)
• 476a4d0 [ty] Complete support for more detailed diagnostics on possibly unbound error...
• ed669ea Implement #ruff:file-ignore file-level suppressions (#23599)
• e73d952 [ty] Include inferred type in invalid-key concise diagnostic for union/inte...
• 80feb29 [ty] report only dead annotation-only locals as unused (#24811)
• 0fbf2bc Drop deprecated license classifier (#24808)
• 43b174c [ty] Infer lambda parameter types with Callable type context (#24317)
• 4f449ae [ty] Add error context for intersection types (#24772)
• 5b4e753 [ty] Add support for goto in literal enum member inlay hint (#24792)
• e7cc762 [ty] Add error context for TypedDict assignments (#24790)
• Additional commits viewable in compare view

Updates impacket to 0.13.0

Release notes

Sourced from impacket's releases.

Impacket 0.13.0

Project's main page at https://www.coresecurity.com/core-labs/open-source-tools/impacket

ChangeLog for 0.13.0:

1. Library improvements

   • Major SMB client/server refactor adds setInfo support, CIFS datetime helpers, and safer default share access to enable remote attribute and timestamp management. (@​covertivy)
   • Introduced per-structure encoding selectors and UTF-8-aware SMB structures so non-Latin resource names round-trip correctly. (@​alexisbalbachan)
   • Strengthened LDAP/Kerberos handling with channel binding plus signing, schema alignment with ldap3, and LDAPS-based LAPS retrieval against Windows Server 2025 DCs. (@​zblurx, @​alexisbalbachan, @​Ibrahim8879)
   • Improved DCE/RPC coverage with Netlogon authenticator fixes, updated DRS bind flags, expanded EVEN6 decoding, and a new ICPR interface to support relay-aware RPC workflows. (@​ThePirateWhoSmellsOfSunflowers, @​h3-josh-the-engineer, @​NtAlexio2, @​rtpt-romankarwacik)
   • Corrected SMB negotiation edge cases by fixing response padding, Unicode pipe lookups, and keyboard interrupts in SMB servers. (@​rtpt-erikgeiser, @​Abyss-emmm, @​exploide)
   • SMB Server enhancements to align Impacket's implementation with standard (@​jborean93)

2. Authentication & relay tooling

   • Added WinRMS relay clients/servers. (@​Defte_)
   • Improved IPv6 support, richer logging, and consistent console status reporting, plus an identity log to track compromised principals ( @​gabrielg5)
   • Introduced an RPC relay server with Endpoint Mapper discovery . (@​rtpt-romankarwacik)
   • Delivered SCCM Management/Distribution Point relay attacks. (@​q-roland)
   • Enhanced shadow credentials, SOCKS plugins, and target rotation with better IPv6 awareness and stability. (@​anadrianmanrique, @​gabrielg5)
   • Added options to strip SSP from Net-NTLMv1 captures and write relay-captured hashes for cracking workflows. (@​TurtleARM, @​p0rtL6)

3. Examples improvements

   • secretsdump.py gained a WMI shadow snapshot path, export hive boot key recovery, safer DRS flags, user-status reporting, and refined NTDS parsing. (@​PeterGabaldon, @​MaxToffy, @​h3-josh-the-engineer, @​Markb1337, @​snovvcrash)
   • MSSQL tooling gained channel binding tokens, restored reliable connections, richer linked-server file transfers, and inline command execution. (@​Defte_, @​rtpt-romankarwacik, @​trietend, @​kiriknik, @​Signum21)
   • Directory ACL helpers (dacledit, owneredit, rbcd, ldapshell) picked up mask selection, safer queries, and consistent -dc-host handling. (@​dadevel, @​shellinvictus, @​Fabrizzio53, @​ICheer_No0M, @​gabrielg5)
   • SMB operator utilities add reconnect and autocomplete options in smbclient and prevent smbexec from hanging on completion. (@​daddycocoaman, @​trietend, @​Vincent550102)
   • Remote access helpers such as rdp_check and wmiexec now support IPv6 targets and display created Process IDs for easier triage. (@​gabrielg5, @​alexisbalbachan)

4. New examples

   • attrib.py manipulates file attributes over SMB to showcase the new setInfo workflow. (@​covertivy)
   • filetime.py inspects and updates SMB file timestamps using the refreshed SMBConnection APIs. (@​covertivy)
   • badsuccessor.py demonstrates the AD CS “bad successor” attack path. (@​fulc2um)
   • regsecrets.py extracts LSA secrets from remote registry hives through [MS-RRP]. (@​laxaa, @​laxa)
   • samedit.py edits local SAM password hashes offline. (@​iorpim)
   • CheckLDAPStatus.py checks LDAP signing status and LDAPS channel binding status. (@​zblurx)

5. Project & packaging

   • Added the impacket.mssql namespace, relaxed the pyOpenSSL pin, and declared Python 3.13 support while dropping 3.8. (@​anadrianmanrique, @​Defte_)
   • Replaced pkg_resources with importlib.metadata for lightweight version discovery. (@​AdrianVollmer)

As always, thanks a lot to all these contributors that make this library better every day (up to now):

@​Abyss-emmm, @​AdrianVollmer, @​NeffIsBack, @​NtAlexio2, @​rtpt-alexanderneumann, @​asareynolds, @​dadevel, @​TurtleARM, @​Defte_, @​rtpt-erikgeiser, @​Fabrizzio53, @​fluffy-kaiju, @​gabrielg5, @​ICheer_No0M, @​exploide, @​jborean93, @​nitbx, @​laxaa, @​daddycocoaman, @​lucas0817, @​Markb1337, @​MaxToffy, @​Ibrahim8879, @​Narmjep, @​NuclearFizzler, @​iorpim, @​CipherCloak, @​PeterGabaldon, @​b1two, @​covertivy, @​rtpt-romankarwacik, @​ryanq47, @​SAERXCIT, @​Signum21, @​ThePirateWhoSmellsOfSunflowers, @​Vincent550102, @​anadrianmanrique, @​alexisbalbachan, @​d0gkiller87, @​Ridter, @​fulc2um, @​gjhami, @​h3-josh-the-engineer, @​kiriknik, @​marcobarlottini, @​p0rtL6, @​q-roland, @​shellinvictus, @​trietend, @​zblurx.

Changelog

Sourced from impacket's changelog.

Impacket v0.13.0 (Oct 2025):

1. Library improvements

   • Major SMB client/server refactor adds setInfo support, CIFS datetime helpers, and safer default share access to enable remote attribute and timestamp management. (@​covertivy)

   • Introduced per-structure encoding selectors and UTF-8-aware SMB structures so non-Latin resource names round-trip correctly. (@​alexisbalbachan)

   • Strengthened LDAP/Kerberos handling with channel binding plus signing, schema alignment with ldap3, and LDAPS-based LAPS retrieval against Windows Server 2025 DCs. (@​zblurx, @​alexisbalbachan, @​Ibrahim8879)

   • Improved DCE/RPC coverage with Netlogon authenticator fixes, updated DRS bind flags, expanded EVEN6 decoding, and a new ICPR interface to support relay-aware RPC workflows. (@​ThePirateWhoSmellsOfSunflowers, @​h3-josh-the-engineer, @​NtAlexio2, @​rtpt-romankarwacik)

   • Corrected SMB negotiation edge cases by fixing response padding, Unicode pipe lookups, and keyboard interrupts in SMB servers. (@​rtpt-erikgeiser, @​Abyss-emmm, @​exploide)

   • SMB Server enhancements to align Impacket's implementation with standard (@​jborean93)

2. Authentication & relay tooling

   • Added WinRMS relay clients/servers. (@​Defte_)

   • Improved IPv6 support, richer logging, and consistent console status reporting, plus an identity log to track compromised principals ( @​gabrielg5)

   • Introduced an RPC relay server with Endpoint Mapper discovery . (@​rtpt-romankarwacik)

   • Delivered SCCM Management/Distribution Point relay attacks. (@​q-roland)

   • Enhanced shadow credentials, SOCKS plugins, and target rotation with better IPv6 awareness and stability. (@​anadrianmanrique, @​gabrielg5)

   • Added options to strip SSP from Net-NTLMv1 captures and write relay-captured hashes for cracking workflows. (@​TurtleARM, @​p0rtL6)

3. Examples improvements

   • secretsdump.py gained a WMI shadow snapshot path, export hive boot key recovery, safer DRS flags, user-status reporting, and refined NTDS parsing. (@​PeterGabaldon, @​MaxToffy, @​h3-josh-the-engineer, @​Markb1337, @​snovvcrash)

   • MSSQL tooling gained channel binding tokens, restored reliable connections, richer linked-server file transfers, and inline command execution. (@​Defte_, @​rtpt-romankarwacik, @​trietend, @​kiriknik, @​Signum21)

   • Directory ACL helpers (dacledit, owneredit, rbcd, ldapshell) picked up mask selection, safer queries, and consistent -dc-host handling. (@​dadevel, @​shellinvictus, @​Fabrizzio53, @​ICheer_No0M, @​gabrielg5)

   • SMB operator utilities add reconnect and autocomplete options in smbclient and prevent smbexec from hanging on completion. (@​daddycocoaman, @​trietend, @​Vincent550102)

   • Remote access helpers such as rdp_check and wmiexec now support IPv6 targets and display created Process IDs for easier triage. (@​gabrielg5, @​alexisbalbachan)

4. New examples

... (truncated)

Commits

• See full diff in compare view

Updates cryptography from 46.0.6 to 46.0.7

Changelog

Sourced from cryptography's changelog.

46.0.7 - 2026-04-07

* **SECURITY ISSUE**: Fixed an issue where non-contiguous buffers could be
  passed to APIs that accept Python buffers, which could lead to buffer
  overflow. **CVE-2026-39892**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.6.
.. _v46-0-6:

Commits

• 622d672 46.0.7 release (#14602)
• See full diff in compare view

Updates filelock from 3.25.2 to 3.29.0

Release notes

Sourced from filelock's releases.

3.29.0

What's Changed

• 🐛 fix(async): use single-thread executor for lock consistency by @​gaborbernat in tox-dev/filelock#533
• ✨ feat(soft): enable stale lock detection on Windows by @​gaborbernat in tox-dev/filelock#534

Full Changelog: tox-dev/filelock@3.28.0...3.29.0

3.28.0

What's Changed

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again by @​gaborbernat in tox-dev/filelock#529

Full Changelog: tox-dev/filelock@3.27.0...3.28.0

3.27.0

What's Changed

• ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters by @​gaborbernat in tox-dev/filelock#528

Full Changelog: tox-dev/filelock@3.26.1...3.27.0

3.26.1

What's Changed

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling by @​naarob in tox-dev/filelock#518

New Contributors

• @​naarob made their first contribution in tox-dev/filelock#518

Full Changelog: tox-dev/filelock@3.26.0...3.26.1

3.26.0

What's Changed

• 🔒 ci(workflows): add zizmor security auditing by @​gaborbernat in tox-dev/filelock#517
• 🔧 fix(ci): restore git credentials for release job by @​gaborbernat in tox-dev/filelock#520
• ✨ feat(soft): add PID inspection and lock breaking by @​gaborbernat in tox-dev/filelock#524

Full Changelog: tox-dev/filelock@3.25.2...3.26.0

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.29.0 (2026-04-19)

---

• ✨ feat(soft): enable stale lock detection on Windows :pr:534
• 🐛 fix(async): use single-thread executor for lock consistency :pr:533
• build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 :pr:530 - by :user:dependabot[bot]

---

3.28.0 (2026-04-14)

---

• 🐛 fix(ci): unbreak release workflow, publish to PyPI again :pr:529

---

3.26.1 (2026-04-09)

---

• 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handling :pr:518 - by :user:naarob
• build(deps): bump pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0 :pr:525 - by :user:dependabot[bot]

---

3.26.0 (2026-04-06)

---

• ✨ feat(soft): add PID inspection and lock breaking :pr:524
• [pre-commit.ci] pre-commit autoupdate :pr:523 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 :pr:522 - by :user:dependabot[bot]
• Remove persist-credentials: false from release job :pr:520
• [pre-commit.ci] pre-commit autoupdate :pr:519 - by :user:pre-commit-ci[bot]
• 🔒 ci(workflows): add zizmor security auditing :pr:517
• [pre-commit.ci] pre-commit autoupdate :pr:516 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:514 - by :user:pre-commit-ci[bot]

---

3.25.2 (2026-03-11)

---

• 🐛 fix(unix): suppress EIO on close in Docker bind mounts :pr:513

---

3.25.1 (2026-03-09)

---

• [pre-commit.ci] pre-commit autoupdate :pr:510 - by :user:pre-commit-ci[bot]
• 🐛 fix(win): restore best-effort lock file cleanup on release :pr:511

... (truncated)

Commits

• 469b47f Release 3.29.0
• e85d072 ✨ feat(soft): enable stale lock detection on Windows (#534)
• f5ee171 🐛 fix(async): use single-thread executor for lock consistency (#533)
• 2a95458 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#530)
• 55de20c Release 3.28.0
• 476b0e4 🐛 fix(ci): unbreak release workflow, publish to PyPI again (#529)
• 824713e ✨ feat(rw): add SoftReadWriteLock for NFS and HPC clusters (#528)
• 9879de9 [pre-commit.ci] pre-commit autoupdate (#527)
• 4cfab49 Release 3.26.1
• 734c9f2 🐛 fix(asyncio): add exit to BaseAsyncFileLock and fix del loop handli...
• Additional commits viewable in compare view

Updates pytest from 9.0.2 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

• #12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.

• #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin loading.

  Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

• #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

• #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

• #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

• #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
• #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
• #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
• #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

• #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics is visible on the web interface.

  -- by aleguy02

Commits

• a7d58d7 Prepare release version 9.0.3
• 089d981 Merge pull request #14366 from bluetech/revert-14193-backport
• 8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
• 99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
• ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
• 74eac69 doc: Update training info (#14298) (#14301)
• f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
• 7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
• 37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
• c34bfa3 Add explanation for string context diffs (#14257) (#14266)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions