Bump the all-minor-and-patch-dependency-updates group with 5 updates

[dependabot]

Bumps the all-minor-and-patch-dependency-updates group with 5 updates:

Package	From	To
bandit	1.8.5	1.8.6
ruff	0.12.1	0.12.7
tox	4.27.0	4.28.4
pandas	2.3.0	2.3.1
ray[default]	2.47.1	2.48.0

Updates bandit from 1.8.5 to 1.8.6

Release notes

Sourced from bandit's releases.

1.8.6

What's Changed

• Bump sigstore/cosign-installer from 3.8.2 to 3.9.0 by @​dependabot in PyCQA/bandit#1279
• Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 by @​dependabot in PyCQA/bandit#1278
• added hint to FreeBSD package in doc/source/integrations.rst by @​daniel-mohr in PyCQA/bandit#1282
• Bump sigstore/cosign-installer from 3.9.0 to 3.9.1 by @​dependabot in PyCQA/bandit#1284
• Huggingface revision pinning by @​lukehinds in PyCQA/bandit#1281

New Contributors

• @​daniel-mohr made their first contribution in PyCQA/bandit#1282

Full Changelog: PyCQA/bandit@1.8.5...1.8.6

Commits

• 2d0b675 Huggingface revision pinning (#1281)
• 4cd1337 Bump sigstore/cosign-installer from 3.9.0 to 3.9.1 (#1284)
• ffed1bb added hint to FreeBSD package in doc/source/integrations.rst (#1282)
• 090ba0f Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 (#1278)
• 33c6789 Bump sigstore/cosign-installer from 3.8.2 to 3.9.0 (#1279)
• See full diff in compare view

Updates ruff from 0.12.1 to 0.12.7

Release notes

Sourced from ruff's releases.

0.12.7

Release Notes

This is a follow-up release to 0.12.6. Because of an issue in the package metadata, 0.12.6 failed to publish fully to PyPI and has been yanked. Similarly, there is no GitHub release or Git tag for 0.12.6. The contents of the 0.12.7 release are identical to 0.12.6, except for the updated metadata.

0.12.6 Release Notes

Preview features

• [flake8-commas] Add support for trailing comma checks in type parameter lists (COM812, COM819) (#19390)
• [pylint] Implement auto-fix for missing-maxsplit-arg (PLC0207) (#19387)
• [ruff] Offer fixes for RUF039 in more cases (#19065)

Bug fixes

• Support .pyi files in ruff analyze graph (#19611)
• [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• [perflint] Ignore rule if target is global or nonlocal (PERF401) (#19539)
• [pyupgrade] Fix UP030 to avoid modifying double curly braces in format strings (#19378)
• [refurb] Ignore decorated functions for FURB118 (#19339)
• [refurb] Mark int and bool cases for Decimal.from_float as safe fixes (FURB164) (#19468)
• [ruff] Fix RUF033 for named default expressions (#19115)

Rule changes

• [flake8-blind-except] Change BLE001 to permit logging.critical(..., exc_info=True) (#19520)

Performance

• Add support for specifying minimum dots in detected string imports (#19538)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​CodeMan62
• @​DimitriPapadopoulos
• @​IDrokin117
• @​Luunynliny
• @​MichaReiser
• @​UnboundVariable
• @​carljm
• @​charliermarsh
• @​clockback
• @​danparizher
• @​dcreager
• @​dhruvmanila
• @​dylwil3
• @​github-actions
• @​junhsonjb
• @​mtshiba

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.7

This is a follow-up release to 0.12.6. Because of an issue in the package metadata, 0.12.6 failed to publish fully to PyPI and has been yanked. Similarly, there is no GitHub release or Git tag for 0.12.6. The contents of the 0.12.7 release are identical to 0.12.6, except for the updated metadata.

0.12.6

Preview features

• [flake8-commas] Add support for trailing comma checks in type parameter lists (COM812, COM819) (#19390)
• [pylint] Implement auto-fix for missing-maxsplit-arg (PLC0207) (#19387)
• [ruff] Offer fixes for RUF039 in more cases (#19065)

Bug fixes

• Support .pyi files in ruff analyze graph (#19611)
• [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• [perflint] Ignore rule if target is global or nonlocal (PERF401) (#19539)
• [pyupgrade] Fix UP030 to avoid modifying double curly braces in format strings (#19378)
• [refurb] Ignore decorated functions for FURB118 (#19339)
• [refurb] Mark int and bool cases for Decimal.from_float as safe fixes (FURB164) (#19468)
• [ruff] Fix RUF033 for named default expressions (#19115)

Rule changes

• [flake8-blind-except] Change BLE001 to permit logging.critical(..., exc_info=True) (#19520)

Performance

• Add support for specifying minimum dots in detected string imports (#19538)

0.12.5

Preview features

• [flake8-use-pathlib] Add autofix for PTH101, PTH104, PTH105, PTH121 (#19404)
• [ruff] Support byte strings (RUF055) (#18926)

Bug fixes

• Fix unreachable panic in parser (#19183)
• [flake8-pyi] Skip fix if all Union members are None (PYI016) (#19416)
• [perflint] Parenthesize generator expressions (PERF401) (#19325)
• [pylint] Handle empty comments after line continuation (PLR2044) (#19405)

Rule changes

• [pep8-naming] Fix N802 false positives for CGIHTTPRequestHandler and SimpleHTTPRequestHandler (#19432)

0.12.4

... (truncated)

Commits

• c5ac998 Bump 0.12.7 (#19627)
• 04a8f64 Revert license and license-files changes in pyproject.toml (#19624)
• 6e00adf Bump 0.12.6 (#19622)
• 864196b Add Checker::context method, deduplicate Unicode checks (#19609)
• ae26fa0 [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• 88a6799 [ty] Add flow diagram for import resolution
• 941be52 [ty] Add comments to some core resolver functions
• 13624ce [ty] Add missing ticks and use consistent quoting
• edb2f8e [ty] Reflow some long lines
• 5e6ad84 [ty] Unexport helper function
• Additional commits viewable in compare view

Updates tox from 4.27.0 to 4.28.4

Release notes

Sourced from tox's releases.

4.28.4

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3570
• Pass ssh-agent variables by default by @​daniilgankov in tox-dev/tox#3572

New Contributors

• @​daniilgankov made their first contribution in tox-dev/tox#3572

Full Changelog: tox-dev/tox@4.28.3...4.28.4

4.28.3

What's Changed

• Fix typo on cmd_build filter check expression by @​gaborbernat in tox-dev/tox#3569

Full Changelog: tox-dev/tox@4.28.2...4.28.3

4.28.2

What's Changed

• Don't pass in the filter argument to tar.extractall on old Python versions by @​gaborbernat in tox-dev/tox#3568

Full Changelog: tox-dev/tox@4.28.1...4.28.2

4.28.1

What's Changed

• Fix an issue number typo in changelog by @​hroncok in tox-dev/tox#3563
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3564
• Only use tarfile.data_filter when it's available by @​gaborbernat in tox-dev/tox#3566

Full Changelog: tox-dev/tox@4.28.0...4.28.1

4.28.0

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3548
• [docs] Document how to require a plugin by @​stephenfin in tox-dev/tox#3552
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3554
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/tox#3558
• Add [testenv] constraints option by @​stephenfin in tox-dev/tox#3556

... (truncated)

Changelog

Sourced from tox's changelog.

v4.28.4 (2025-07-31)

Features - 4.28.4

- Pass ssh-agent variables ``SSH_AGENT_PID`` and ``SSH_AUTH_SOCK`` in ``pass_env`` by default.
  - by :user:`daniilgankov` (:issue:`3572`)
v4.28.3 (2025-07-25)
No significant changes.
v4.28.2 (2025-07-25)
Bugfixes - 4.28.2

• Don't pass in the filter argument to tar.extractall on old Python versions - by :user:gaborbernat. (:issue:3568)

v4.28.1 (2025-07-22)

Bugfixes - 4.28.1

- Use `tarfile.data_filter <https://docs.python.org/3/library/tarfile.html#tarfile.data_filter>`_ with ``extractall``
  only on supported Python versions:

&gt;= 3.11.4
&gt;= 3.10.12 and &lt; 3.11
&gt;= 3.9.17 and &lt; 3.10

by :user:gaborbernat. (:issue:3565)
v4.28.0 (2025-07-20)
Features - 4.28.0

• Added constraints to allow specifying constraints files for all dependencies. (:issue:3550)
• Allow disabling tox plugins via the TOX_DISABLED_EXTERNAL_PLUGINS environment variable - by :user:gaborbernat. (:issue:3468)

Improved Documentation - 4.28.0

- The ``min_version``/``minversion`` config option is deprecated in favor of the ``requires`` option. (:issue:`3553`)

Commits

• 611b751 release 4.28.4
• 9f2db71 Pass ssh-agent variables by default (#3572)
• c28c4b1 [pre-commit.ci] pre-commit autoupdate (#3570)
• 815ca31 release 4.28.3
• 8a59b92 Fix type on expression (#3569)
• ebfaab6 release 4.28.2
• ae930db Don't pass in hte filter argument to tar.extractall on old Python versions (#...
• c836ab2 release 4.28.1
• c343b26 Only use tarfile.data_filter when it's available (#3566)
• 753dd62 [pre-commit.ci] pre-commit autoupdate (#3564)
• Additional commits viewable in compare view

Updates pandas from 2.3.0 to 2.3.1

Release notes

Sourced from pandas's releases.

Pandas 2.3.1

We are pleased to announce the release of pandas 2.3.1. This release includes some improvements and fixes to the future string data type (preview feature for the upcoming pandas 3.0). We recommend that all users upgrade to this version.

See the full whatsnew for a list of all the changes. Pandas 2.3.1 supports Python 3.9 and higher.

The release will be available on the conda-forge channel:

conda install pandas --channel conda-forge

Or via PyPI:

python3 -m pip install --upgrade pandas

Please report any issues with the release on the pandas issue tracker.

Thanks to all the contributors who made this release possible.

Commits

• c888af6 RLS: 2.3.1
• 6aea302 Backport PR #61794 on branch 2.3.x (DOC: prepare 2.3.1 whatsnew notes for rel...
• a160ae6 [backport 2.3.x] BUG[string]: incorrect index downcast in DataFrame.join (#61...
• cf5db68 [backport 2.3.x] TST: update expected dtype for sum of decimals with pyarrow ...
• 50ad136 Backport PR #61795 on branch 2.3.x (DOC: add section about upcoming pandas 3....
• 6c762f3 Backport PR #61770 on branch 2.3.x (BUG: Fix unpickling of string dtypes of l...
• fd99ef7 Backport PR #61705 on branch 2.3.x (DOC: add pandas 3.0 migration guide for t...
• 4e5237d [backport 2.3.x] CI: clean up wheel build workarounds now that Cython 3.1.0 i...
• 4d42cd8 Revert "[2.3.x] DEPS: Drop Python 3.9 (#60792)" (#61755)
• 5d32ae9 BLD: Build wheels for 3.9 and musllinux-aarch64 for pandas 2.3 (#61569)
• Additional commits viewable in compare view

Updates ray[default] from 2.47.1 to 2.48.0

Release notes

Sourced from ray[default]'s releases.

Ray-2.48.0

Release Highlights

• Ray Data: This release features a new Delta Lake and Unity Catalog integration and performance improvements to various reading/writing operators.
• Ray Core: Enhanced GPU object support with intra-process communication and improved Autoscaler v2 functionality
• Ray Train: Improved hardware metrics integration with Grafana and enhanced collective operations support
• Ray Serve LLM: This release features early proof of concept for prefill-decode disaggregation deployment and LLM-aware request routing such as prefix-cache aware routing.
• Ray Data LLM: Improved throughput and CPU memory utilization for ray data workers.

Ray Libraries

Ray Data

🎉 New Features:

• Add reading from Delta Lake tables and Unity Catalog integration (#53701)
• Enhanced pin_memory support in iter_torch_batches (#53792)
• Add pin_memory to iter_torch_batches (#53792)

💫 Enhancements:

• Re-enabled sorting in Ray Data tests with performance improvements (#54475)
• Enhanced handling of mismatched columns and pandas.NA values (#53861, #53859)
• Improved read_text trailing newline semantics (#53860)
• Optimized backpressure handling with policy-based resource management (#54376)
• Enhanced write_parquet with support for both partition_by and row limits (#53930)
• Prevent filename collisions on write operations (#53890)
• Improved execution performance for One Hot encoding in preprocessors (#54022)

🔨 Fixes:

• Fixing map_groups issues (#54462)
• Prevented Op fusion for streaming repartition to avoid performance degradation (#54469)
• Fixed ActorPool autoscaler scaling up logic (#53983)
• Resolved empty dataset repartitioning issues (#54107)
• Fixed PyArrow overflow handling in data processing (#53971, #54390)
• Fixed IcebergDatasink to properly generate individual file uuids (#52956)
• Avoid OOMs with read_json(..., lines=True) (#54436)
• Handle HuggingFace parquet dataset resolve URLs (#54146)
• Fixed BlockMetadata derivation for Read operator (#53908)

📖 Documentation:

• Updated AggregateFnV2 documentation to clarify finalize method (#53835)
• Improved preprocessor and vectorizer API documentation

Ray Train

🎉 New Features:

• Added broadcast_from_rank_zero and barrier collective operations (#54066)

... (truncated)

Commits

• 0349122 cherrypick #54563 (#54613)
• 2b9ee0e cherrypick #54592 (#54612)
• bd91bf2 cherrypick #54518 (#54561)
• 4f3f8aa cherrypick #54386 (#54560)
• 9b85362 cherrypick #54511 (#54559)
• 9951891 cherrypick #54544 (#54558)
• 7c4ecdf [release] veresion change to 2.48.0 (#54557)
• e832bd8 [release] remove dask from byod 3.9 deps (#54521)
• 9813ed4 [serve] update test_request_timeout (#54519)
• 7ee91ad [Serve.llm] Make llm serve endpoints compatible with vLLM serve frontend (3/N...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.