security(deps-dev): bump the python-dependencies group with 3 updates

[dependabot]

Bumps the python-dependencies group with 3 updates: hypothesis, ruff and matplotlib.

Updates hypothesis from 6.152.1 to 6.152.3

Release notes

Sourced from hypothesis's releases.

Hypothesis for Python - version 6.152.3

The "hypothesis-urandom" backend now reads from "/dev/urandom" with buffering disabled, which improves the control of those hooking "/dev/urandom" to change or read Hypothesis's random decisions.

The canonical version of these notes (with links) is on readthedocs.

Hypothesis for Python - version 6.152.2

This release further improves printing of generated values, building on the changes in version 6.151.11.

Principle changes:

• In many cases where we would have printed a complex expression producing a value, we now print the repr (or a pretty-printed version of it).

• Additionally, in some cases where we would print a complex expression that involved a lambda, we are now able to simplify that expression into a more readable one.

The canonical version of these notes (with links) is on readthedocs.

Commits

• 609de04 Bump hypothesis-python version to 6.152.3 and update changelog
• 902f1ba Merge pull request #4720 from Liam-DeVoe/urandom-disable-buffering
• da81118 claude: open /dev/urandom with buffering=0 in URandomProvider
• 80fada3 Merge pull request #4714 from HypothesisWorks/DRMacIver/uv
• 634e2be Let tox auto-provision tox-uv instead of pinning it in tools.txt
• 5265564 Seed pip into tox-uv envs
• d6caeb8 Use uv instead of pyenv for build-time Python installs and tox
• c727ead Bump hypothesis-python version to 6.152.2 and update changelog
• 36d74b7 Merge pull request #4711 from HypothesisWorks/DRMacIver/is-code-owner
• bbc8963 Merge pull request #4712 from HypothesisWorks/DRMacIver/fix-build
• Additional commits viewable in compare view

Updates ruff from 0.15.11 to 0.15.12

Release notes

Sourced from ruff's releases.

0.15.12

Release Notes

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#23599)
• Implement #ruff:ignore logical-line suppressions (#23404)
• Revert preview changes to displayed diagnostic severity in LSP (#24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
• [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

• Respect default Unix permissions for cache files (#24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
• Improve rules table accessibility (#24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

Install ruff 0.15.12

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/ruff/releases/download/0.15.12/ruff-installer.sh | sh

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.12

Released on 2026-04-24.

Preview features

• Implement #ruff:file-ignore file-level suppressions (#23599)
• Implement #ruff:ignore logical-line suppressions (#23404)
• Revert preview changes to displayed diagnostic severity in LSP (#24789)
• [airflow] Implement task-branch-as-short-circuit (AIR004) (#23579)
• [flake8-bugbear] Fix break/continue handling in loop-iterator-mutation (B909) (#24440)
• [pylint] Fix PLC2701 for type parameter scopes (#24576)

Rule changes

• [pandas-vet] Suggest .array as well in PD011 (#24805)

CLI

• Respect default Unix permissions for cache files (#24794)

Documentation

• [pylint] Fix PLR0124 description not to claim self-comparison always returns the same value (#24749)
• [pyupgrade] Expand docs on reusable TypeVars and scoping (UP046) (#24153)
• Improve rules table accessibility (#24711)

Contributors

• @​dylwil3
• @​AlexWaygood
• @​woodruffw
• @​avasis-ai
• @​Dev-iL
• @​denyszhak
• @​ShipItAndPray
• @​anishgirianish
• @​augustelalande
• @​amyreese
• @​majiayu000

Commits

• 66f93cf Bump 0.15.12 (#24815)
• 476a4d0 [ty] Complete support for more detailed diagnostics on possibly unbound error...
• ed669ea Implement #ruff:file-ignore file-level suppressions (#23599)
• e73d952 [ty] Include inferred type in invalid-key concise diagnostic for union/inte...
• 80feb29 [ty] report only dead annotation-only locals as unused (#24811)
• 0fbf2bc Drop deprecated license classifier (#24808)
• 43b174c [ty] Infer lambda parameter types with Callable type context (#24317)
• 4f449ae [ty] Add error context for intersection types (#24772)
• 5b4e753 [ty] Add support for goto in literal enum member inlay hint (#24792)
• e7cc762 [ty] Add error context for TypedDict assignments (#24790)
• Additional commits viewable in compare view

Updates matplotlib from 3.10.8 to 3.10.9

Release notes

Sourced from matplotlib's releases.

v3.10.9

This is a micro release of the v3.10.x series. Highlights of this release include:

• Various minor bug and doc fixes
• Security hardening validation of cyclers - Removing eval usage
• Security hardening in Latex and PS calls - Removing shell escapes

Commits

• dd8d78b REL: v3.10.9
• 2fb1891 REL: Release prep v3.10.9
• d0e923a Merge branch 'v3.10.8-doc' into v3.10.x
• 1637932 Merge pull request #31558 from meeseeksmachine/auto-backport-of-pr-31556-on-v...
• a83faac Backport PR #31556: FIX: Inverted PyErr_Occurred check in enum type caster (_...
• a4f57ab Merge pull request #31545 from ksunden/backport-of-pr-31282-on-v3.10.x
• 063288d Merge pull request #31544 from ksunden/backport-of-pr-31248-on-v3.10.x
• b2ed196 Backport PR #31248: SEC: Remove eval() from validate_cycler
• acc6024 Merge pull request #31282 from scottshambaugh/tex_no_shell
• e3fb541 Merge pull request #31078 from meeseeksmachine/auto-backport-of-pr-31075-on-v...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA b31d41b.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

uv.lock

Package	Version	License	Issue Type
hypothesis	6.152.3	Null	Unknown License
matplotlib	3.10.9	Null	Unknown License
ruff	0.15.12	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/hypothesis	6.152.3	Unknown	Unknown
pip/matplotlib	3.10.9	Unknown	Unknown
pip/ruff	0.15.12	Unknown	Unknown

Scanned Files

• uv.lock

[github-actions]

✅ AW Dependabot PR Review completed successfully!

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.56%. Comparing base (f0bb36b) to head (b31d41b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #564      +/-   ##
==========================================
+ Coverage   63.91%   66.56%   +2.65%     
==========================================
  Files         250      262      +12     
  Lines       15409    16639    +1230     
  Branches     2163     2260      +97     
==========================================
+ Hits         9848    11076    +1228     
  Misses       5274     5274              
- Partials      287      289       +2     

Flag	Coverage Δ		*Carryforward flag
pester	83.13% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-data-pipeline	100.00% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-dataviewer	65.12% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-dm-tools	100.00% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-evaluation	99.83% <ø> (?)
pytest-fuzz	4.97% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-inference	0.00% <ø> (ø)		Carriedforward from 1ef1dd9
pytest-training	82.14% <ø> (ø)		Carriedforward from 1ef1dd9
vitest	51.08% <ø> (ø)		Carriedforward from 1ef1dd9

*This pull request uses carry forward flags. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

✅ AW Dependabot PR Review completed successfully!