build(deps-dev): bump the python-dependencies group across 1 directory with 4 updates

[dependabot]

Updates the requirements on lizard, ruff, tox and hatchling to permit the latest version.
Updates lizard to 1.23.0

Release notes

Sourced from lizard's releases.

1.23.0

New Features

• Python — structural pattern matching (match/case, PEP 634, Python 3.10+) is now counted correctly for cyclomatic complexity (including --modified mode)

Bug Fixes

• C/C++: stop raw string literals (R"(…)") from swallowing following code in the tokenizer (issue #478, PR #479)

Published to PyPI via GitHub Actions (release.yml).

Changelog

Sourced from lizard's changelog.

1.23.0

New Features

• Python — structural pattern matching (match/case, PEP 634, Python 3.10+) is now counted correctly:
  • Each case arm adds +1 to cyclomatic complexity (like an if/elif branch)
  • case guards (case x if cond:) count the if as a normal condition
  • case and match used as plain variable names (assignments, attribute access, function calls, subscripts, tuple unpacking, annotated assignments) are not counted — soft-keyword disambiguation via lookahead in preprocess
  • --modified: an entire match/case block counts as 1, consistent with switch/case in C-family languages

Bug Fixes

• C/C++: stop raw string literals (R"(…)") from swallowing following code in the tokenizer (issue #478, PR #479)

1.22.2

Bug Fixes

• TypeScript: handle function stack correctly when starting a new function (avoids incorrect nesting / metrics)
• Duplicate finder: avoid double-counting overlapping duplicate code ranges (PR #474)

Security

• Demo Flask app (index.py): enable debug only when FLASK_DEBUG is set, not by default (PR #475)

1.22.1

Bug Fixes

• TypeScript: prevent IndexError when parsing nested template literals (issue #471, PR #472)

1.22.0

Improvements

• TypeScript, TSX, and JSX — parsing and metrics are much closer to real code (PRs #467, #468):
  • TSX/JSX use the same TypeScriptStates path as .ts (tokenizer-only layer for JSX), so class methods and CCN are no longer wrong or double-counted.
  • Skips that reduce false functions: interface { … } method signatures, type … = value types, abstract method declarations without bodies; ES2022 private names #foo in tokenization; smarter parameters (type keyword noise, commas inside Map<…>, etc.).
  • Class field arrows (handleClick = () => {}) are reported under the field name instead of (anonymous); better call vs definition and class-body cases (typed fields, static / async fields, LWC-style async x => fields, field = CONST.PROP;, JSX attribute expressions).

1.21.7

Bug Fixes

• Java: treat record as a contextual keyword (field and method name record are no longer parsed as a record class); track brace depth for field array/object initializers so = { } does not end the class body before a static block (issue #470)

1.21.6

Improvements

• Release workflow: clarify how PyPI matches trusted publishers (repository owner id, workflow file, environment); add optional PYPI_API_TOKEN secret for token-based upload when OIDC is not used

1.21.5

Improvements

• Release workflow: publish to PyPI without a GitHub Environment so trusted publishing matches PyPI’s default GitHub publisher settings (owner, repository, release.yml, empty environment name)

1.21.4

... (truncated)

Commits

• 06284ec Release 1.23.0
• 414f806 fix(clike): improve handling of C++ raw string literals in tokenizer
• 6c3ea38 Merge pull request #479 from StressTestor/fix/478-cpp-raw-string-overmatch
• bfaa1b1 fix(clike): stop C++ raw string literals from swallowing following code
• 82c8e7a Merge pull request #477 from ixnes/fix/python_match_case
• 0d22cc7 added support for python match-case statements for normal and modified cyclom...
• bd261a1 Release 1.22.2
• 147b163 fix: handle function stack correctly when starting a new function in TypeScri...
• a1d1cac Merge pull request #475 from tomaioo/fix/security/flask-debug-mode-enabled-in...
• 142c7c5 fix(security): 2 improvements across 1 files
• Additional commits viewable in compare view

Updates ruff to 0.15.16

Release notes

Sourced from ruff's releases.

0.15.16

Release Notes

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.16

Released on 2026-06-04.

Preview features

• [flake8-async] Implement yield-in-context-manager-in-async-generator (ASYNC119) (#24644)
• [pylint] Narrow diagnostic range and exclude cases without exception handlers (PLW0717) (#25440)
• [ruff] Treat yield before break from a terminal loop as terminal (RUF075) (#25447)

Bug fixes

• [eradicate] Avoid flagging ruff:ignore comments as code (ERA001) (#25537)
• [eradicate] Fix ERA001/RUF100 conflict when noqa is on commented-out code (#25414)
• [pyflakes] Avoid removing the format call when it would change behavior (F523) (#25320)
• [pylint] Avoid syntax errors in invalid character replacements in f-strings before Python 3.12 (PLE2510, PLE2512, PLE2513, PLE2514, PLE2515) (#25544)
• [pyupgrade] Avoid converting format calls with more kinds of side effects (UP032) (#25484)

Rule changes

• [flake8-pytest-style] Avoid fixes for ambiguous argnames and argvalues combinations (PT006) (#24776)

Performance

• Drop excess capacity from statement suites during parsing (#25368)

Documentation

• [pydocstyle] Improve discoverability of rules enabled for each convention (#24973)
• [ruff] Restore example code for Python versions before 3.15 (RUF017) (#25439)
• Fix typo bin/active → bin/activate in tutorial (#25473)

Other changes

• Shrink additional parser AST collections (#25465)

Contributors

• @​Redslayer112
• @​koriyoshi2041
• @​George-Ogden
• @​TejasAmle
• @​anishgirianish
• @​ntBre
• @​MichaReiser
• @​loganrosen
• @​RafaelJohn9
• @​adityasingh2400

0.15.15

... (truncated)

Commits

• 6c498ab Bump 0.15.16 (#25635)
• e51e132 [flake8-async] Implement yield-in-context-manager-in-async-generator (`AS...
• 7c6dcd9 [ty] Add caching for pattern match narrowing (#25613)
• 27058fc [ty] Compact retained definition and expression identities (#25606)
• bf80d05 Fix CODEOWNERS syntax (#25622)
• 10ccd51 Shrink additional parser AST collections (#25465)
• 0d7135f [ty] Upgrade Salsa (#25545)
• 49493a3 [ty] Show type alias value on hover (#25381)
• 85207d3 [ty] sys.implementation.version is not sys.version_info (#25608)
• a8a0614 [ty] Avoid retaining duplicate function signatures (#25609)
• Additional commits viewable in compare view

Updates tox to 4.55.1

Release notes

Sourced from tox's releases.

v4.55.1

What's Changed

• 🐛 fix(config): propagate overrides through config references by @​tales-aparecida in tox-dev/tox#3951

New Contributors

• @​tales-aparecida made their first contribution in tox-dev/tox#3951

Full Changelog: tox-dev/tox@4.55.0...4.55.1

Changelog

Sourced from tox's changelog.

Bug fixes - 4.55.1

• TOX_OVERRIDE (and -x/--override) now propagates through configuration references. Previously, overriding a base value that was later referenced via {[section]key} (ini) or {replace = "ref", of = [...]} (toml) was ignored because reference resolution read the raw file value, bypassing the override system - by :user:tales-aparecida. (:issue:3950) (:issue:3950)

---

v4.55.0 (2026-05-28)

---

Features - 4.55.0

• Automatically pass the TERMINFO environment variable to tox subprocesses if the output is a TTY. This variable is used by Ghostty to communicate terminal capabilities to programs. (:issue:3946)

Bug fixes - 4.55.0

• When the constraints configuration option is set, constrain_package_deps and use_frozen_constraints are now ignored. Previously, both the user-provided constraints file and the auto-generated constraints file were passed to pip during install_package_deps, which could cause resolver conflicts when the same package appeared in both files - by :user:gaborbernat. (:issue:3945) (:issue:3945)

---

v4.54.0 (2026-05-12)

---

Features - 4.54.0

• Declare the runtime dependencies of the tox.pytest plugin (pytest, devpi-process and pytest-mock) under a new testing extra, so plugin authors can pull them in via tox[testing] - by :user:gaborbernat. (:issue:3938, :issue:3940)

Bug fixes - 4.54.0

• Extend the generated TOML schema to cover every replace table form (env, ref, posargs, glob, if), including conditional replacements used inside commands. A guard test asserts the schema stays in sync with the loader implementation so future replace types cannot be added without a corresponding schema entry. (:issue:3939)

---

v4.53.1 (2026-05-02)

---

Bug fixes - 4.53.1

... (truncated)

Commits

• 7ebde0c release 4.55.1
• 9ac5479 🐛 fix(config): propagate overrides through config references (#3951)
• 28972a9 [pre-commit.ci] pre-commit autoupdate (#3949)
• 928b7f0 release 4.55.0
• a43427f 🐛 fix(pip): skip constrain_package_deps when constraints is set (#3948)
• 27b68b3 [pre-commit.ci] pre-commit autoupdate (#3947)
• 4e6627c feat: Also pass TERMINFO when in an interactive shell (#3946)
• 10c431c [pre-commit.ci] pre-commit autoupdate (#3943)
• c86e876 👷 ci(schemastore): sync fork before pushing branch (#3942)
• See full diff in compare view

Updates hatchling to 1.30.1

Release notes

Sourced from hatchling's releases.

Hatchling v1.30.1

Fixed

• Default core metadata version kept at 2.4 until more tools support 2.5

Commits

• 37b00c3 release Hatchling v1.30.1 (#2298)
• 0446d99 Update history for new patch release of hatchling after fixing default metada...
• 4f5cdf0 Make 2.4 metadata default until other tools support it. (#2296)
• 0497be0 Fix draft release uploads. (#2293)
• 3aae0fa Fix hatchling to use Metadata 2.4 (#2291)
• 5ee4189 release Hatch v1.17.0 (#2290)
• 6109ee7 release Hatchling v1.30.0 (#2289)
• 246e22b Block duplicate files in wheel archives (closes #2066) (#2269)
• d2afcb6 Update docs as pre-release for 1.17.0 (#2287)
• 818d284 Feat hatch check command with new sub command for types (#2278)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions