⬆️(dependencies) update python dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
PyMuPDF (changelog)	==1.26.7 → ==1.27.1
WeasyPrint (changelog)	==66.0 → ==68.1
cryptography (changelog)	==46.0.3 → ==46.0.5
cssselect	==1.3.0 → ==1.4.0
django-admin-sortable2	==2.3 → ==2.3.1
django-money	==3.5.4 → ==3.6.0
dockerflow	==2024.4.2 → ==2026.1.26
gunicorn (changelog)	==23.0.0 → ==25.1.0
markdown (changelog)	==3.10 → ==3.10.2
pdbpp	==0.12.0.post1 → ==0.12.1
psycopg (changelog)	==3.3.2 → ==3.3.3
pyfakefs (changelog)	==6.0.0 → ==6.1.2
pylint (changelog)	==3.3.8 → ==4.0.5
pytest (changelog)	==8.4.2 → ==9.0.2
pytest-django (changelog)	==4.11.1 → ==4.12.0
pytest-subtests	==0.14.1 → ==0.15.0
responses (changelog)	==0.25.8 → ==0.26.0
rich	==14.2.0 → ==14.3.3
ruff (source, changelog)	==0.14.13 → ==0.15.2
sentry-sdk (changelog)	==2.49.0 → ==2.53.0

---

Release Notes

pymupdf/pymupdf (PyMuPDF)

v1.27.1: PyMuPDF-1.27.1 released

Compare Source

Wheels for Windows, Linux and MacOS, and the sdist, are available on
https://pypi.org and can be installed in the usual way, for example:

python -m pip install --upgrade pymupdf

[Linux-aarch64 wheels will be built and uploaded later.]

Changes in version 1.27.1 (2026-02-11)

• Use MuPDF-1.27.1.

• Fixed issues:

  • Fixed #​4599
  • Fixed #​4751
  • Fixed #​4762
  • Fixed #​4790
  • Fixed #​4857
  • Fixed #​4886

• Other:

  • Added pymupdf.TEXT_CLIP.
  • Removed support for mupdf < 1.26.
  • New arg raise_on_repair in Document.save().
  • New method Document.repair().

Kozea/WeasyPrint (WeasyPrint)

v68.1

Compare Source

Bug fixes

• #​2662: Don’t crash when SVG clip paths are not in defs tags
• #​2665: Fix position of box bounding box
• #​2663: Fix transparency with Acrobat and Edge
• #​2666: Don’t rely on random default font to define test page size
• #​2670: Fix pattern detection of URL schemes
• #​2671: Improve API compatibility between URLFetcherResponse and addinfourl
• #​2672: Fix charset for old URL fetcher requests
• #​2675, #​2673: Fix calc for many properties

Contributors

• Guillaume Ayoub

Backers and sponsors

• Spacinov
• Syslifters
• Kobalt
• Simon Sapin
• Grip Angebotssoftware
• Manuel Barkhau
• Simonsoft
• KontextWork
• Menutech
• TrainingSparkle
• Healthchecks.io
• Method B
• FieldHub
• Hammerbacher
• Yanal-Yves Fargialla
• Morntag
• Piloterr
• Xavid
• Charlie S.
• Prothesis Dental Solutions
• Kai DeLorenzo

v68.0

Compare Source

This is a security update (CVE-2025-68616).

We strongly recommend to upgrade WeasyPrint to the latest version if you use the default_url_fetcher function in your custom URL fetcher, or if you use the allowed_protocols parameter of the default_url_fetcher function.

Read about this release on our blog.

Security

• Always use URL fetcher for HTTP redirects

Python API

• default_url_fetcher() is deprecated, use the new URLFetcher class instead, see URL Fetchers for more information about URL fetchers
• DocumentMetadata.generate_rdf_metadata is now a method that can be overridden instead of a parameter, see Factur-X / ZUGFeRD (Electronic Invoices) for examples to create e-invoices

Features

• #​2609, #​2603, #​351: Refactor URL fetcher API
• #​2632: Support legacy 0 value for angles
• #​2627: Add font-face support to SVG
• #​2646, #​2255: Add font shorthand support for SVG text elements
• #​2590, #​1749: Honor language-specific rules for text-transform
• #​2645, #​2613: Improve SVG and SVG emojis rendering
• #​2658, #​2583: Add CLI for Factur-X / ZUGFeRD e-invoices

Bug fixes

• #​2649: Refactor URL fetcher API
• #​2643, #​2628: Handle box-sizing: border-box in grid layout
• #​2641, #​1875: Process whitespace after checking all pending targets
• #​2488, #​2485: Preserve page groups during layout repagination
• #​2642, #​2631: Don’t use isolated transparency groups
• #​2637: Fix repeating radial gradients rendering
• #​2622: Fix validation of colors
• #​2626: Share grid items rendering advancement between a box and its copies
• #​2621: Correctly handle fallback values of attr()
• #​2619: Fix SVG fonts
• #​2629: Always define extra skip height that may be used after
• #​2648: Fix numbers validation in font-feature-settings
• #​2648: Fix keyword values for text-decoration-thickness
• #​2661: Respect inline images when defining minimum table width

Documentation

• #​2638: Update Python command for Windows installation steps

Contributors

• Guillaume Ayoub
• Jurriaan Pruis
• Mohamed Hamed
• Alexandra Usatenko
• Andrea Corna
• Aoishik Khan
• Joe

Backers and sponsors

• Spacinov
• Syslifters
• Kobalt
• Simon Sapin
• Grip Angebotssoftware
• Manuel Barkhau
• Simonsoft
• KontextWork
• Menutech
• TrainingSparkle
• Healthchecks.io
• Method B
• FieldHub
• Hammerbacher
• Yanal-Yves Fargialla
• Morntag
• Piloterr
• Xavid
• Charlie S.
• Prothesis Dental Solutions
• Kai DeLorenzo

v67.0

Compare Source

Read about this release on our blog.

Dependencies

• Python 3.10+ is now needed, Python 3.9 is not supported anymore
• tinycss2 1.5.0+ is now needed
• fontTools 4.59.2+ is now needed

Features

• #​2560, #​640, #​844, #​1091, #​2517: Support CMYK colors, PDF/X, color profiles and light-dark() function
• #​2558, #​1175: Support ::first-line, with financial support from Karte Technology
• #​2552: Support CSS layers, with financial support from Code & Co.
• #​2564, #​2599, #​2397: Allow page breaks in grid rows, with financial support from Ocean Recap
• #​2568, #​357: Support calc() and other mathematical functions
• #​2575, #​2574: Support PDF/A-1a, PDF/A-2a and PDF/A-3a
• #​2611, #​2573: Support PDF/A-4e and PDF/A-4f
• #​2523: Display tofu for missing glyphs
• #​2581: Add option to disable protocols in URL resolution
• #​2570: Support rch, cap, rcap, rex, ic and ric font-relative units
• #​2547, #​2140: Support "only" keyword in media queries

Bug fixes

• #​2516, #​1510: Fix rendering of first line of text with nested right float
• #​2510, #​1073, #​2507: Avoid Pango crashes and font mismatches with @font-face rules referencing local fonts
• #​2532, #​2531: Use fonttools instancer instead of deprecated mutator API
• #​2541: Fix syntax of functions
• #​2543: Allow font-related units to access @font-face fonts
• #​2525: Respect top margins and avoid overlapping footnotes for columns, with financial support from Code & Co.
• #​2536: Remove Subtype key from font descriptor
• #​2539: Fix min width for SVGs with intrinsic ratio but no intrinsic size
• #​2537, #​2533: Fix order of operators when drawing SVGs
• #​2538: Don’t crash with nested unknown functions
• #​2542: Don’t crash when lh and rlh are used for line height or font size
• #​2540, #​2528: Use locale encoding instead of filesystem encoding for font paths
• #​2563, #​2479: Don’t avoid float collisions for atomic flex items
• #​2569: Don’t be case-sensitive for units
• #​2567, #​2566: Add x-default attribute for metadata description to be compliant with PDF/A
• #​2586, #​2571: Improve formatting contexts management
• #​2600: Fix SVG image aspect ratio when only width or height is specified
• #​2612, #​2595: Clean block layout and fix corner cases
• #​2522: Ignore preserveAspectRatio when SVG has no viewBox
• #​2544: Allow to use a variable twice in a function
• #​2555: Fix flex gap in right-to-left context
• #​2591: Respect non-auto widths and fix padding of grid items
• #​2601: Don’t crash when tagged tables are not displayed as tables
• #​2607: Fix rendering of multiline textareas with PDF forms
• #​2106: Force variable initialization to avoid crashes during column layout
• #​2618, #​2617: Fix rendering of relative grid and flex items

Documentation

• #​2535: #​2534: Removed reference to defunct site

Contributors

• Guillaume Ayoub
• Fazle Rabbi Ferdaus
• Lucie Anglade
• Luca Vercelli
• ChickenF622
• Ernie Chu
• Mark Pullin
• Malte Laukötter
• Markus Mohanty
• Yvonne Kothmeier
• Jarom Ort
• kuypan

Backers and sponsors

• Spacinov
• Syslifters
• Kobalt
• Simon Sapin
• Grip Angebotssoftware
• Manuel Barkhau
• Simonsoft
• KontextWork
• Menutech
• TrainingSparkle
• Healthchecks.io
• Method B
• FieldHub
• Hammerbacher
• Yanal-Yves Fargialla
• Morntag
• Piloterr
• Xavid
• Charlie S.
• Prothesis Dental Solutions
• Kai DeLorenzo

pyca/cryptography (cryptography)

v46.0.5

Compare Source

v46.0.4

Compare Source

scrapy/cssselect (cssselect)

v1.4.0

Compare Source

Released on 2026-01-29.

• Dropped support for Python 3.9 and PyPy 3.10.

• Added support for Python 3.14 and PyPy 3.11.

• Switched the build system to hatchling.

• CI fixes and improvements.

jrief/django-admin-sortable2 (django-admin-sortable2)

v2.3.1

Compare Source

• fix #​370: django-compress and django-sass-processor raises errors during run of compress or compilescss
  management command.

django-money/django-money (django-money)

v3.6.0

Compare Source

Changelog: https://django-money.readthedocs.io/en/latest/changes.html

mozilla-services/python-dockerflow (dockerflow)

v2026.1.26

Compare Source

benoitc/gunicorn (gunicorn)

v25.1.0: Gunicorn 25.1.0

Compare Source

New Features

• Control Interface (gunicornc): Add interactive control interface for managing
  running Gunicorn instances, similar to birdc for BIRD routing daemon
  (PR #​3505)

  • Unix socket-based communication with JSON protocol
  • Interactive mode with readline support and command history
  • Commands: show all/workers/dirty/config/stats/listeners
  • Worker management: worker add/remove/kill, dirty add/remove
  • Server control: reload, reopen, shutdown
  • New settings: --control-socket, --control-socket-mode, --no-control-socket
  • New CLI tool: gunicornc for connecting to control socket
  • See Control Interface Guide for details

• Dirty Stash: Add global shared state between workers via dirty.stash
  (PR #​3503)

  • In-memory key-value store accessible by all workers
  • Supports get, set, delete, clear, keys, and has operations
  • Useful for sharing state like feature flags, rate limits, or cached data

• Dirty Binary Protocol: Implement efficient binary protocol for dirty arbiter IPC
  using TLV (Type-Length-Value) encoding
  (PR #​3500)

  • More efficient than JSON for binary data
  • Supports all Python types: str, bytes, int, float, bool, None, list, dict
  • Better performance for large payloads

• Dirty TTIN/TTOU Signals: Add dynamic worker scaling for dirty arbiters
  (PR #​3504)

  • Send SIGTTIN to increase dirty workers
  • Send SIGTTOU to decrease dirty workers
  • Respects minimum worker constraints from app configurations

Changes

• ASGI Worker: Promoted from beta to stable
• Dirty Arbiters: Now marked as beta feature

Documentation

• Fix Markdown formatting in /configure documentation

v25.0.3

Compare Source

What's Changed

Bug Fixes

• Fix RuntimeError when StopIteration raised in ASGI coroutine (#​3484)
• Fix passing maxsplit in re.split() as positional argument (deprecated in Python 3.13)

Documentation

• Updated sponsorship section and homepage

Full Changelog: benoitc/gunicorn@25.0.2...25.0.3

v25.0.2: Release 25.0.2

Compare Source

Bug Fixes

• Fix ASGI concurrent request failures through nginx proxy by normalizing
  sockaddr tuples to handle both 2-tuple (IPv4) and 4-tuple (IPv6) formats
  (PR #​3485)

• Fix graceful disconnect handling for ASGI worker to properly handle
  client disconnects without raising exceptions
  (PR #​3485)

• Fix lazy import of dirty module for gevent compatibility - prevents
  import errors when concurrent.futures is imported before gevent monkey-patching
  (PR #​3483)

Changes

• Refactor: Extract _normalize_sockaddr utility function for consistent
  socket address handling across workers

• Add license headers to all Python source files

• Update copyright year to 2026 in LICENSE and NOTICE files

v25.0.1

Compare Source

Bug Fixes

• Fix ASGI streaming responses (SSE) hanging: add chunked transfer encoding for
  HTTP/1.1 responses without Content-Length header. Without chunked encoding,
  clients wait for connection close to determine end-of-response.

Changes

• Update celery_alternative example to use FastAPI with native ASGI worker and
  uvloop for async task execution

Testing

• Add ASGI compliance test suite with Docker-based integration tests covering HTTP,
  WebSocket, streaming, lifespan, framework integration (Starlette, FastAPI),
  HTTP/2, and concurrency scenarios

v25.0.0: Gunicorn 25.0.0

Compare Source

New Features

• Dirty Arbiters: Separate process pool for executing long-running, blocking
  operations (AI model loading, heavy computation) without blocking HTTP workers
  (PR #​3460)

  • Inspired by Erlang's dirty schedulers
  • Asyncio-based with Unix socket IPC
  • Stateful workers that persist loaded resources
  • New settings: --dirty-app, --dirty-workers, --dirty-timeout,
    --dirty-threads, --dirty-graceful-timeout
  • Lifecycle hooks: on_dirty_starting, dirty_post_fork,
    dirty_worker_init, dirty_worker_exit

• Per-App Worker Allocation for Dirty Arbiters: Control how many dirty workers
  load each app for memory optimization with heavy models
  (PR #​3473)

  • Set workers class attribute on DirtyApp (e.g., workers = 2)
  • Or use config format module:class:N (e.g., myapp:HeavyModel:2)
  • Requests automatically routed to workers with the target app
  • New exception DirtyNoWorkersAvailableError for graceful error handling
  • Example: 8 workers × 10GB model = 80GB → with workers=2: 20GB (75% savings)

• HTTP/2 Support (Beta): Native HTTP/2 (RFC 7540) support for improved performance
  with modern clients (PR #​3468)

  • Multiplexed streams over a single connection
  • Header compression (HPACK)
  • Flow control and stream prioritization
  • Works with gthread, gevent, and ASGI workers
  • New settings: --http-protocols, --http2-max-concurrent-streams,
    --http2-initial-window-size, --http2-max-frame-size, --http2-max-header-list-size
  • Requires SSL/TLS and h2 library: pip install gunicorn[http2]
  • New example: examples/http2_gevent/ with Docker and tests

• HTTP 103 Early Hints: Support for RFC 8297 Early Hints to enable browsers to
  preload resources before the final response
  (PR #​3468)

  • WSGI: environ['wsgi.early_hints'](headers) callback
  • ASGI: http.response.informational message type
  • Works with both HTTP/1.1 and HTTP/2

• uWSGI Protocol for ASGI Worker: The ASGI worker now supports receiving requests
  via the uWSGI binary protocol from nginx
  (PR #​3467)

Bug Fixes

• Fix HTTP/2 ALPN negotiation for gevent and eventlet workers when
  do_handshake_on_connect is False (the default). The TLS handshake is now
  explicitly performed before checking selected_alpn_protocol().

• Fix setproctitle initialization with systemd socket activation
  (#​3465)

• Fix Expect: 100-continue handling: ignore the header for HTTP/1.0 requests
  since 100-continue is only valid for HTTP/1.1+
  (PR #​3463)

• Fix missing _expected_100_continue attribute in UWSGIRequest

• Disable setproctitle on macOS to prevent segfaults during process title updates

• Publish full exception traceback when the application fails to load
  (#​3462)

• Fix ASGI: quick shutdown on SIGINT/SIGQUIT, graceful on SIGTERM

Deprecations

• Eventlet Worker: The eventlet worker is deprecated and will be removed in
  Gunicorn 26.0. Eventlet itself is no longer actively maintained.
  Please migrate to gevent, gthread, or another supported worker type.

Changes

• Remove obsolete Makefile targets
  (PR #​3471)
• Replace RST with markdown documentation format

v24.1.1

Compare Source

Bug Fixes

• Fix forwarded_allow_ips and proxy_allow_ips to remain as strings for backward
  compatibility with external tools like uvicorn. Network validation now uses strict
  mode to detect invalid CIDR notation (e.g., 192.168.1.1/24 where host bits are set)
  (#​3458,
  PR #​3459)

---

Full Changelog: benoitc/gunicorn@24.1.0...24.1.1

v24.1.0: Gunicorn 24.1.0

Compare Source

New Features

• Official Docker Image: Gunicorn now publishes official Docker images to GitHub Container Registry (PR #​3454)

  • Available at ghcr.io/benoitc/gunicorn
  • Based on Python 3.12 slim image
  • Uses recommended worker formula (2 × CPU + 1)
  • Configurable via environment variables

• PROXY Protocol v2 Support: Extended PROXY protocol implementation to support the binary v2 format in addition to the existing text-based v1 format (PR #​3451)

  • New --proxy-protocol modes: off, v1, v2, auto
  • auto mode (default when enabled) detects v1 or v2 automatically
  • v2 binary format is more efficient and supports additional metadata
  • Works with HAProxy, AWS NLB/ALB, and other PROXY protocol v2 sources

• CIDR Network Support: --forwarded-allow-ips and --proxy-allow-from now accept CIDR notation (e.g., 192.168.0.0/16) for specifying trusted networks (PR #​3449)

• Socket Backlog Metric: New gunicorn.socket.backlog gauge metric reports the current socket backlog size on Linux systems (PR #​3450)

• InotifyReloader Enhancement: The inotify-based reloader now watches newly imported modules, not just those loaded at startup (PR #​3447)

Bug Fixes

• Fix signal handling regression where SIGCLD alias caused "Unhandled signal: cld" errors on Linux when workers fail during boot (#​3453)
• Fix socket blocking mode on keepalive connections preventing SSL handshake failures with async workers (PR #​3452)
• Use smaller buffer size in finish_body() for faster timeout detection on slow or abandoned connections (PR #​3453)
• Handle SSLWantReadError in finish_body() to prevent worker hangs during SSL renegotiation (PR #​3448)
• Log SIGTERM as info level instead of warning to reduce noise in orchestrated environments (PR #​3446)
• Print exception details to stderr when worker fails to boot (PR #​3443)
• Fix unreader.unread() to prepend data to buffer instead of appending (PR #​3442)
• Prevent RecursionError when pickling Config objects (PR #​3441)
• Use proper exception chaining with raise from in glogging.py (PR #​3440)

Installation

pip install gunicorn==24.1.0

Or use the official Docker image:

docker pull ghcr.io/benoitc/gunicorn:24.1.0

v24.0.0

Compare Source

New Features

• ASGI Worker (Beta): Native asyncio-based ASGI support for running async Python frameworks like FastAPI, Starlette, and Quart without external dependencies

  • HTTP/1.1 with keepalive connections
  • WebSocket support
  • Lifespan protocol for startup/shutdown hooks
  • Optional uvloop for improved performance

• uWSGI Binary Protocol: Support for receiving requests from nginx via uwsgi_pass directive

• Documentation Migration: Migrated to MkDocs with Material theme

Security

• eventlet: Require eventlet >= 0.40.3 (CVE-2021-21419, CVE-2025-58068)
• gevent: Require gevent >= 24.10.1 (CVE-2023-41419, CVE-2024-3219)
• tornado: Require tornado >= 6.5.0 (CVE-2025-47287)

Install

pip install gunicorn==24.0.0

Python-Markdown/markdown (markdown)

v3.10.2

Compare Source

Fixed

• Fix a regression related to comment handling (#​1590).
• More reliable fix for </ (#​1593).

v3.10.1

Compare Source

Fixed

• Ensure nested elements inside inline comments are properly unescaped (#​1571).
• Make the docs build successfully with mkdocstrings-python 2.0 (#​1575).
• Fix infinite loop when multiple bogus or unclosed HTML comments appear in input (#​1578).
• Fix another infinite loop when handling bad comments (#​1586).

bretello/pdbpp (pdbpp)

v0.12.1

Compare Source

What’s Changed

Fixes

• fix backtrace (bt) not showing with sticky enabled (#​80) @​bretello

Improvements

• pdb hijacking now works correctly when using editable installs (add custom editable_wheel command to hijack pdb in editable installs (#​82) @​bretello)

Other

• minor cleanups (#​81) @​bretello
• build(deps): bump actions/cache from 3 to 5 (#​75) @​dependabot[bot]

psycopg/psycopg (psycopg)

v3.3.3

Compare Source

pytest-dev/pyfakefs (pyfakefs)

v6.1.2: pyfakefs release version 6.1.2

Compare Source

Fixes a regression caused by the introduced weak references.

v6.1.1

Compare Source

Fixes a packaging issue in latest version.

Fixes

• fixed packaging issue: tests had not been added to sdist
  (see #​1278)

v6.1.0

Compare Source

Changes back-link references to weak references.

Changes

• added more support for PyPy 3
• Caution: many back-link references have been replaced by weak references;
  this may have unwanted consequences (crashes) for some untested workflows

Infrastructure

• added PyPy 3.11 to CI, added PyPy builds for all OSes
• use only pyproject.toml for dependencies, moved tox configuration into pyproject.toml

Fixes

• fixed a problem accessing size from a FakeFileWrapper object
  (see #​1276)
• fixed a problem with readable raising an error on a file object.
  (see #​1265)
• avoid memory accumulation in consecutive tests by using weak references
  (see #​1267)

pylint-dev/pylint (pylint)

v4.0.5

Compare Source

What's new in Pylint 4.0.5?

Release date: 2026-02-20

False Positives Fixed

• Fix possibly-used-before-assignment false positive when using self.fail() in tests.

  Closes #​10743

• Fixed false positive for logging-unsupported-format when no arguments are provided to logging functions.

  According to Python's logging documentation, no formatting is performed when no arguments are supplied, so strings like logging.error("%test") are valid.

  Closes #​10752

• Fix a false positive for invalid-name where a dataclass field typed with Final
  was evaluated against the class_const regex instead of the class_attribute regex.

  Closes #​10790

• Avoid emitting unspecified-encoding (W1514) when py-version is 3.15+.

  Refs #​10791

Other Bug Fixes

• Fix --known_third_party config being ignored.

  Closes #​10801

• Fixed dynamic color mapping for "fail-on" messages when using multiple reporter/output formats.

  Closes #​10825

• dependency on isort is now set to <9, permitting to use isort 8.

  Closes #​10857

v4.0.4

Compare Source

What's new in Pylint 4.0.4?

Release date: 2025-11-30

False Positives Fixed

• Fixed false positive for invalid-name where module-level constants were incorrectly classified as variables when a class-level attribute with the same name exists.

  Closes #​10719

• Fix a false positive for invalid-name on an UPPER_CASED name inside an if branch that assigns an object.

  Closes #​10745

v4.0.3

Compare Source

What's new in Pylint 4.0.3?

Release date: 2025-11-13

False Positives Fixed

• Add Enum dunder methods _generate_next_value_, _missing_, _numeric_repr_, _add_alias_, and _add_value_alias_ to the list passed to --good-dunder-names.

  Closes #​10435

• Fixed false positive for invalid-name with typing.Annotated.

  Closes #​10696

• Fix false positive for f-string-without-interpolation with template strings
  when using format spec.

  Closes #​10702

• Fix a false positive when an UPPER_CASED class attribute was raising an
  invalid-name when typed with Final.

  Closes #​10711

• Fix a false positive for unbalanced-tuple-unpacking when a tuple is assigned to a function call and the structure of the function's return value is ambiguous.

  Closes #​10721

Other Bug Fixes

• Make 'ignore' option work as expected again.

  Closes #​10669

• Fix crash for consider-using-assignment-expr when a variable annotation without assignment
  is used as the if test expression.

  Closes #​10707

• Fix crash for prefer-typing-namedtuple and consider-math-not-float when
  a slice object is called.

  Closes #​10708

v4.0.2

Compare Source

False Positives Fixed

• Fix false positive for invalid-name on a partially uninferable module-level constant.

  Closes #​10652

• Fix a false positive for invalid-name on exclusive module-level assignments
  composed of three or more branches. We won't raise disallowed-name on module-level names that can't be inferred
  until a further refactor to remove this false negative is done.

  Closes #​10664

• Fix false positive for invalid-name for TypedDict instances.

  Closes #​10672

v4.0.1

Compare Source

What's new in Pylint 4.0.1?

Release date: 2025-10-14

False Positives Fixed

• Exclude __all__ and __future__.annotations from unused-variable.

  Closes #​10019

• Fix false-positive for bare-name-capture-pattern if a case guard is used.

  Closes #​10647

• Check enums created with the Enum() functional syntax to pass against the
  --class-rgx for the invalid-name check, like other enums.

  Closes #​10660

v4.0.0

Compare Source

• Pylint now supports Python 3.14.

• Pylint's inference engine (astroid) is now much more precise,
  understanding implicit booleanness and ternary expressions. (Thanks @​zenlyj!)

Consider this example:

class Result:
    errors: dict | None = None

result = Result()
if result.errors:
    result.errors[field_key]

##### inference engine understands result.errors cannot be None
##### pylint no longer raises unsubscriptable-object

The required astroid version is now 4.0.0. See the astroid changelog for additional fixes, features, and performance improvements applicable to pylint.

• Handling of invalid-name at the module level was patchy. Now,
  module-level constants that are reassigned are treated as variables and checked
  against --variable-rgx rather than --const-rgx. Module-level lists,
  sets, and objects can pass against either regex.

Here, LIMIT is reassigned, so pylint only uses --variable-rgx:

LIMIT = 500  # [invalid-name]
if sometimes:
    LIMIT = 1  # [invalid-name]

If this is undesired, refactor using exclusive assignment so that it is
evident that this assignment happens only once:

if sometimes:
    LIMIT = 1
else:
    LIMIT = 500  # exclusive assignment: uses const regex, no warning

Lists, sets, and objects still pass against either const-rgx or variable-rgx
even if reassigned, but are no longer completely skipped:

MY_LIST = []
my_list = []
My_List = []  # [invalid-name]

Remember to adjust the regexes and allow lists to your liking.

Breaking Changes

• invalid-name now distinguishes module-level constants that are assigned only once
  from those that are reassigned and now applies --variable-rgx to the latter. Values
  other than literals (lists, sets, objects) can pass against either the constant or
  variable regexes (e.g. "LOGGER" or "logger" but not "LoGgEr").

  Remember that --good-names or --good-names-rgxs can be provided to explicitly
  allow good names.

  Closes #​3585

• The unused pylintrc argument to PyLinter.__init__() is deprecated
  and will be removed.

  Refs #​6052

• Commented out code blocks such as # bar() # TODO: remove dead code will no longer emit fixme.

  Refs #​9255

• pyreverse Run was changed to no longer call sys.exit() in its __init__.
  You should now call Run(args).run() which will return the exit code instead.
  Having a class that always raised a SystemExit exception was considered a bug.

  Normal usage of pyreverse through the CLI will not be affected by this change.

  Refs #​9689

• The suggestion-mode option was removed, as pylint now always emits user-friendly hints instead
  of false-positive error messages. You should remove it from your conf if it's defined.

  Refs #​9962

• The async.py checker module has been renamed to async_checker.py since async is a Python keyword
  and cannot be imported directly. This allows for better testing and extensibility of the async checker functionality.

  Refs #​10071

• The message-id of continue-in-finally was changed from E0116 to W0136. The warning is
  now emitted for every Python version since it will raise a syntax warning in Python 3.14.
  See PEP 765 - Disallow return/break/continue that exit a finally block.

  Refs #​10480

• Removed support for nmp.NaN alias for numpy.NaN being recognized in ':ref:nan-comparison'. Use np or numpy instead.

  Refs #​10583

• Version requirement for isort has been bumped to >=5.0.0.
  The internal compatibility for older isort versions exposed via pylint.utils.IsortDriver has
  been removed.

  Refs #​10637

New Features

• comparison-of-constants now uses the unicode from the ast instead of reformatting from
  the node's values preventing some bad formatting due to utf-8 limitation. The message now uses
  " instead of ' to better work with what the python ast returns.

  Refs #​8736

• Enhanced pyreverse to properly distinguish between UML relationship types (association, aggregation, composition) based on object ownership semantics. Type annotations without assignment are now treated as associations, parameter assignments as aggregations, and object instantiation as compositions.

  Closes #​9045
  Closes #​9267

• The fixme check can now search through docstrings as well as comments, by using
  check-fixme-in-docstring = true in the [tool.pylint.miscellaneous] section.

  Closes #​9255

• The use-implicit-booleaness-not-x checks now distinguish between comparisons
  used in boolean contexts and those that are not, enabling them to provide more accurate refactoring suggestions.

  Closes #​9353

• The verbose option now outputs the filenames of the files that have been checked.
  Previously, it only included the number of checked and skipped files.

  Closes #​9357

• colorized reporter now colorizes messages/categories that have been configured as fail-on in red inverse.
  This makes it easier to quickly find the errors that are causing pylint CI job failures.

  Closes #​9898

• Enhanced support for @​property decorator in pyreverse to correctly display return types of annotated properties when generating class diagrams.

  Closes #​10057

• Add --max-depth option to pyreverse to control diagram complexity. A depth of 0 shows only top-level packages, 1 shows one level of subpackages, etc.
  This helps manage visualization of large codebases by limiting the depth of displayed packages and classes.

  Refs #​10077

• Handle deferred evaluation of annotations in Python 3.14.

  Closes #​10149

• Enhanced pyreverse to properly detect aggregations for comprehensions (list, dict, set, generator).

  Closes #​10236

• pyreverse: add support for colorized output when using output format mmd (MermaidJS) and html.

  Closes #​10242

• pypy 3.11 is now officially supported.

  Refs #​10287

• Add support for Python 3.14.

  Refs #​10467

• Add naming styles for ParamSpec and TypeVarTuple that align with the TypeVar style.

  Refs #​10541

New Checks

• Add match-statements checker and the following message:
  bare-name-capture-pattern.
  This will emit an error message when a name capture pattern is used in a match statement which would make the remaining patterns unreachable.
  This code is a SyntaxError at runtime.

  Closes #​7128

---

Configuration

📅 Schedule: Branch creation - "before 7am on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.