Bump the ci-constraints group across 1 directory with 4 updates

[dependabot]

Bumps the ci-constraints group with 4 updates in the /ci directory: filelock, pip-audit, coverage and pytest.

Updates filelock from 3.29.0 to 3.29.4

Release notes

Sourced from filelock's releases.

3.29.4

What's Changed

• verify inode in break_lock_file before unlinking a stale lock by @​dxbjavid in tox-dev/filelock#561
• keep the read/write heartbeat alive on a transient touch error by @​dxbjavid in tox-dev/filelock#562

Full Changelog: tox-dev/filelock@3.29.3...3.29.4

3.29.3

What's Changed

• 🔧 ci(release): publish to PyPI on tag push by @​gaborbernat in tox-dev/filelock#557
• validate pid range in _parse_lock_holder by @​dxbjavid in tox-dev/filelock#556
• 🐛 fix(ci): restore release environment on tag job by @​gaborbernat in tox-dev/filelock#559
• 🐛 fix(ci): publish from release.yaml on tag push by @​gaborbernat in tox-dev/filelock#560

Full Changelog: tox-dev/filelock@3.29.2...3.29.3

3.29.2

What's Changed

• open marker reads non-blocking to refuse attacker-placed fifo by @​dxbjavid in tox-dev/filelock#549
• 🔒 fix(soft): harden stale-lock breaking and self-heal malformed locks by @​gaborbernat in tox-dev/filelock#551
• check hostname in is_lock_held_by_us by @​dxbjavid in tox-dev/filelock#553

Full Changelog: tox-dev/filelock@3.29.1...3.29.2

3.29.1

What's Changed

• docs: fix API docs of release() by @​MrAnno in tox-dev/filelock#540
• docs: clarify per-thread scope of FileLock configuration by @​Gares95 in tox-dev/filelock#543
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#542
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#544
• chore: improve filelock maintenance path by @​lphuc2250gma in tox-dev/filelock#545
• 🐛 fix(soft): refuse to follow symlinks when reading the lock file by @​dxbjavid in tox-dev/filelock#548

New Contributors

• @​MrAnno made their first contribution in tox-dev/filelock#540
• @​Gares95 made their first contribution in tox-dev/filelock#543
• @​lphuc2250gma made their first contribution in tox-dev/filelock#542
• @​dxbjavid made their first contribution in tox-dev/filelock#548

... (truncated)

Changelog

Sourced from filelock's changelog.

########### Changelog ###########

---

3.29.4 (2026-06-13)

---

• keep the read/write heartbeat alive on a transient touch error :pr:562 - by :user:dxbjavid
• verify inode in break_lock_file before unlinking a stale lock :pr:561 - by :user:dxbjavid

---

3.29.3 (2026-06-10)

---

• 🐛 fix(ci): restore release environment on tag job :pr:559
• validate pid range in _parse_lock_holder :pr:556 - by :user:dxbjavid
• 🔧 ci(release): publish to PyPI on tag push :pr:557
• build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 :pr:558 - by :user:dependabot[bot]

---

3.29.2 (2026-06-10)

---

• build(deps): bump actions/checkout from 6.0.2 to 6.0.3 :pr:555 - by :user:dependabot[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:554 - by :user:pre-commit-ci[bot]
• check hostname in is_lock_held_by_us :pr:553 - by :user:dxbjavid
• 🔒 fix(soft): harden stale-lock breaking and self-heal malformed locks :pr:551
• open marker reads non-blocking to refuse attacker-placed fifo :pr:549 - by :user:dxbjavid

---

3.29.1 (2026-06-03)

---

• 🐛 fix(soft): refuse to follow symlinks when reading the lock file :pr:548 - by :user:dxbjavid
• [pre-commit.ci] pre-commit autoupdate :pr:547 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:546 - by :user:pre-commit-ci[bot]
• chore: improve filelock maintenance path :pr:545 - by :user:lphuc2250gma
• chore: improve filelock maintenance path :pr:544 - by :user:lphuc2250gma
• chore: improve filelock maintenance path :pr:542 - by :user:lphuc2250gma
• docs: clarify per-thread scope of FileLock configuration :pr:543 - by :user:Gares95
• [pre-commit.ci] pre-commit autoupdate :pr:541 - by :user:pre-commit-ci[bot]
• docs: fix API docs of release() :pr:540 - by :user:MrAnno
• [pre-commit.ci] pre-commit autoupdate :pr:539 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:538 - by :user:pre-commit-ci[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:537 - by :user:pre-commit-ci[bot]
• build(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 :pr:536 - by :user:dependabot[bot]
• [pre-commit.ci] pre-commit autoupdate :pr:535 - by :user:pre-commit-ci[bot]

---

... (truncated)

Commits

• f3c11c0 Release 3.29.4
• 5d663ee keep the read/write heartbeat alive on a transient touch error (#562)
• 406d0a2 verify inode in break_lock_file before unlinking a stale lock (#561)
• 85e73d7 🐛 fix(ci): publish from release.yaml on tag push (#560)
• f86dcb1 Release 3.29.3
• 643bdbe 🐛 fix(ci): restore release environment on tag job (#559)
• 7a8f74a validate pid range in _parse_lock_holder (#556)
• d1d49a0 🔧 ci(release): publish to PyPI on tag push (#557)
• b37e162 build(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 (#558)
• d9216de Release 3.29.2
• Additional commits viewable in compare view

Updates pip-audit from 2.10.0 to 2.10.1

Release notes

Sourced from pip-audit's releases.

v2.10.1

Fixed

• Fixed a KeyError crash when an OSV vulnerability record contains an affected entry that omits the optional ranges field (#1046)

Changelog

Sourced from pip-audit's changelog.

[2.10.1]

Fixed

• Fixed a KeyError crash when an OSV vulnerability record contains an affected entry that omits the optional ranges field (#1046)

Commits

• 8894eb8 Merge pull request #1056 from pypa/copilot/release-2101
• 1c625b7 Update version in README.md to 2.10.1
• fd2094b Prep 2.10.1 release
• 58d2488 build(deps): bump github/codeql-action from 4.35.2 to 4.36.1 (#1052)
• 8df9420 build(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (#1044)
• 3f618d3 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#1053)
• 4849132 Restrict OIDC token to publish job (#1050)
• c1eb69a Fix KeyError when OSV affected entry omits optional ranges field (#1046)
• 68de07f Merge pull request #1054 from pypa/fix/1047
• ef31c9e Formatting fixes
• Additional commits viewable in compare view

Updates coverage from 7.14.1 to 7.14.3

Changelog

Sourced from coverage's changelog.

Version 7.14.3 — 2026-06-22

• Fix: the default ... exclusion rule now also matches function bodies whose closing return-type bracket is on its own line (for example, after a long -> dict[ ... ] annotation that a formatter has split over multiple lines). Closes issue 2185, thanks Mengjia Shang <pull 2196_>.

• Fix: On 3.13t, we incorrectly issued Couldn't import C tracer errors. We can't import the C tracer because in 7.14.2 we stopped shipping compiled wheels for 3.13t. Thanks, Hugo van Kemenade <pull 2203_>_.

.. _issue 2185: coveragepy/coveragepy#2185 .. _pull 2196: coveragepy/coveragepy#2196 .. _pull 2203: coveragepy/coveragepy#2203

.. _changes_7-14-2:

Version 7.14.2 — 2026-06-20

• Fix: some messages were being written to stdout, making coverage json -o - useless for capturing JSON output. Now messages are written to stderr, fixing issue 2197_.

• Fix: CoverageData kept one SQLite connection per thread that recorded coverage, but never closed them when those threads terminated. On long runs with many short-lived threads this leaked one file descriptor per dead thread, eventually failing with OSError: [Errno 24] Too many open files. Connections belonging to terminated threads are now closed and dropped. Fixes issue 2192. Thanks, Matthew Lloyd <pull 2193_>.

• Fix: when using sys.monitoring, we were assuming we could use the COVERAGE_ID tool id. But other tools might also assume they could use that id. Pre-allocated ids don't really make sense, so now we search for a usable one instead. Fixes issue 2187_.

• Following the advice of cibuildwheel <no-13t_>_, we no longer distribute wheels for Python 3.13 free-threaded.

.. _issue 2187: coveragepy/coveragepy#2187 .. _issue 2192: coveragepy/coveragepy#2192 .. _pull 2193: coveragepy/coveragepy#2193 .. _issue 2197: coveragepy/coveragepy#2197 .. _no-13t: https://py-free-threading.github.io/ci/#building-free-threaded-wheels-with-cibuildwheel

.. _changes_7-14-1:

Commits

• 22f13ea docs: sample HTML for 7.14.3
• 2ca4e5f docs: prep for 7.14.3
• 01d714e docs: add changelog entry for #2203
• f36248d fix: don't emit 'Couldn't import C tracer' warning for 3.13t (#2203)
• 86d73d1 docs: thanks, Mengjia Shang
• 3d4ae3c docs: add the #2196 pr link to CHANGES
• f4b2b4d fix: exclude ... bodies after multi-line return-type annotations (#2185) (#...
• 1980ed0 chore: bump sigstore/gh-action-sigstore-python (#2201)
• bca3217 build: since we don't ship 3.13t, don't test it
• 77550d8 docs: oops, mismatched pull requests
• Additional commits viewable in compare view

Updates pytest from 9.0.3 to 9.1.1

Release notes

Sourced from pytest's releases.

9.1.1

pytest 9.1.1 (2026-06-19)

Bug fixes

• #14220: Fixed a logic bug in pytest.RaisesGroup which would might cause it to display incorrect "It matches FooError() which was paired with BarError" messages.
• #14591: Fixed a regression in pytest 9.1.0 which caused overriding a parametrized fixture with an indirect @​pytest.mark.parametrize to fail with "duplicate parametrization of '<fixture name>'".
• #14606: Fixed list-item typing errors from mypy in @pytest.mark.parametrize <pytest.mark.parametrize ref> argvalues parameter.
• #14608: Fixed a regression in pytest 9.1.0 where conftest.py files located in <invocation dir>/test* were no longer loaded as initial conftests when invoked without arguments. This could cause certain hooks (like pytest_addoption) in these files to not fire.

9.1.0

pytest 9.1.0 (2026-06-13)

Removals and backward incompatible breaking changes

• #14533: When using --doctest-modules, autouse fixtures with module, package or session scope that are defined inline in Python test modules (not plugins or conftests) will now possibly execute twice.

  If this is undesirable, move the fixture definition to a conftest.py file if possible.

  Technical explanation for those interested: When using --doctest-modules, pytest possibly collects Python modules twice, once as pytest.Module and once as a DoctestModule (depending on the configuration). Due to improvements in pytest's fixture implementation, if e.g. the DoctestModule collects a fixture, it is now visible to it only, and not to the Module. This means that both need to register the fixtures independently.

Deprecations (removal in next major release)

• #10819: Added a deprecation warning for class-scoped fixtures defined as instance methods (without @classmethod). Such fixtures set attributes on a different instance than the test methods use, leading to unexpected behavior. Use @classmethod decorator instead -- by yastcher.

  See 10819 and 14011.

• #12882: Calling request.getfixturevalue() <pytest.FixtureRequest.getfixturevalue> during teardown to request a fixture that was not already requested is now deprecated and will become an error in pytest 10.

  See dynamic-fixture-request-during-teardown for details.

• #13409: Using non-~collections.abc.Collection iterables (such as generators, iterators, or custom iterable objects) for the argvalues parameter in @pytest.mark.parametrize <pytest.mark.parametrize ref> and metafunc.parametrize <pytest.Metafunc.parametrize> is now deprecated.

  These iterables get exhausted after the first iteration, leading to tests getting unexpectedly skipped in cases such as running pytest.main() multiple times, using class-level parametrize decorators, or collecting tests multiple times.

  See parametrize-iterators for details and suggestions.

• #13946: The private config.inicfg attribute is now deprecated. Use config.getini() <pytest.Config.getini> to access configuration values instead.

  See config-inicfg for more details.

• #14004: Passing baseid to ~pytest.FixtureDef or nodeid strings to fixture registration APIs is now deprecated. These are internal pytest APIs that are used by some plugins.

... (truncated)

Commits

• cf470ec Prepare release version 9.1.1
• e0c8ce6 Merge pull request #14625 from pytest-dev/patchback/backports/9.1.x/a07c31a97...
• 1b82d16 Merge pull request #14624 from pytest-dev/patchback/backports/9.1.x/b375b79ec...
• 501c4bc Merge pull request #14596 from bluetech/doc-classmethod
• b61f588 Merge pull request #14622 from chrisburr/fix-14608-initial-conftest-test-subdir
• 9a567e0 [automated] Update plugin list (#14617) (#14618)
• ef8b299 Merge pull request #14620 from pytest-dev/patchback/backports/9.1.x/680f9f3ed...
• 66abd07 Merge pull request #14220 from bysiber/fix-stale-iexp-raisesgroup
• 79fbf93 Merge pull request #14612 from pytest-dev/patchback/backports/9.1.x/974ed48b6...
• 0d312eb Merge pull request #14611 from bluetech/parametrize-argvalues-typing
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions