Skip to content

chore(deps): update dependency black to v25 [security]#126

Open
ZxBot wants to merge 1 commit intodevelfrom
renovate/pypi-black-vulnerability
Open

chore(deps): update dependency black to v25 [security]#126
ZxBot wants to merge 1 commit intodevelfrom
renovate/pypi-black-vulnerability

Conversation

@ZxBot
Copy link
Copy Markdown
Contributor

@ZxBot ZxBot commented Mar 13, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
black (changelog) ~=24.10.0~=25.12.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Severity
  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Release Notes

psf/black (black)

v25.12.0

Compare Source

Highlights
  • Black no longer supports running with Python 3.9 (#​4842)
Stable style
  • Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly
    removed, particularly affecting Jupytext's # %% [markdown] comments (#​4845)
  • Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on
    string literals, or on dictionary entries with long lines (#​4872)
  • Fix possible crash when fmt: directives aren't on the top level (#​4856)
Preview style
  • Fix fmt: skip skipping the line after instead of the line it's on (#​4855)
  • Remove unnecessary parentheses from the left-hand side of assignments while preserving
    magic trailing commas and intentional multiline formatting (#​4865)
  • Fix fix_fmt_skip_in_one_liners crashing on with statements (#​4853)
  • Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#​4854)
  • Fix new lines being added after imports with # fmt: skip on them (#​4894)
Packaging
  • Releases now include arm64 Windows binaries and wheels (#​4814)
Integrations
  • Add output-file input to GitHub Action psf/black to write formatter output to a
    file for artifact capture and log cleanliness (#​4824)

v25.11.0

Compare Source

Highlights
  • Enable base 3.14 support (#​4804)
  • Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#​4805)
Stable style
  • Fix bug where comments between # fmt: off and # fmt: on were reformatted (#​4811)
  • Comments containing fmt directives now preserve their exact formatting instead of
    being normalized (#​4811)
Preview style
  • Move multiline_string_handling from --unstable to --preview (#​4760)
  • Fix bug where module docstrings would be treated as normal strings if preceded by
    comments (#​4764)
  • Fix bug where python 3.12 generics syntax split line happens weirdly (#​4777)
  • Standardize type comments to form # type: <value> (#​4645)
  • Fix fix_fmt_skip_in_one_liners preview feature to respect # fmt: skip for compound
    statements with semicolon-separated bodies (#​4800)
Configuration
  • Add no_cache option to control caching behavior. (#​4803)
Packaging
  • Releases now include arm64 Linux binaries (#​4773)
Output
  • Write unchanged content to stdout when excluding formatting from stdin using pipes
    (#​4610)
Blackd
  • Implemented BlackDClient. This simple python client allows to easily send formatting
    requests to blackd (#​4774)
Integrations
  • Enable 3.14 base CI (#​4804)
  • Enhance GitHub Action psf/black to support the required-version major-version-only
    "stability" format when using pyproject.toml (#​4770)
  • Improve error message for vim plugin users. It now handles independently vim version
  • Vim: Warn on unsupported Vim and Python versions independently (#​4772)
  • Vim: Print the import paths when importing black fails (#​4675)
  • Vim: Fix handling of virtualenvs that have a different Python version (#​4675)

v25.9.0

Compare Source

Highlights
  • Remove support for pre-python 3.7 await/async as soft keywords/variable names
    (#​4676)
Stable style
  • Fix crash while formatting a long del statement containing tuples (#​4628)
  • Fix crash while formatting expressions using the walrus operator in complex with
    statements (#​4630)
  • Handle # fmt: skip followed by a comment at the end of file (#​4635)
  • Fix crash when a tuple appears in the as clause of a with statement (#​4634)
  • Fix crash when tuple is used as a context manager inside a with statement (#​4646)
  • Fix crash when formatting a \ followed by a \r followed by a comment (#​4663)
  • Fix crash on a \\r\n (#​4673)
  • Fix crash on await ... (where ... is a literal Ellipsis) (#​4676)
  • Fix crash on parenthesized expression inside a type parameter bound (#​4684)
  • Fix crash when using line ranges excluding indented single line decorated items
    (#​4670)
Preview style
  • Fix a bug where one-liner functions/conditionals marked with # fmt: skip would still
    be formatted (#​4552)
  • Improve multiline_string_handling with ternaries and dictionaries (#​4657)
  • Fix a bug where string_processing would not split f-strings directly after
    expressions (#​4680)
  • Wrap the in clause of comprehensions across lines if necessary (#​4699)
  • Remove parentheses around multiple exception types in except and except* without
    as. (#​4720)
  • Add \r style newlines to the potential newlines to normalize file newlines both from
    and to (#​4710)
Parser
  • Rewrite tokenizer to improve performance and compliance (#​4536)
  • Fix bug where certain unusual expressions (e.g., lambdas) were not accepted in type
    parameter bounds and defaults. (#​4602)
Performance
  • Avoid using an extra process when running with only one worker (#​4734)
Integrations
  • Fix the version check in the vim file to reject Python 3.8 (#​4567)
  • Enhance GitHub Action psf/black to read Black version from an additional section in
    pyproject.toml: [project.dependency-groups] (#​4606)
  • Build gallery docker image with python3-slim and reduce image size (#​4686)
Documentation
  • Add FAQ entry for windows emoji not displaying (#​4714)

v25.1.0

Compare Source

Highlights

This release introduces the new 2025 stable style (#​4558), stabilizing the following
changes:

  • Normalize casing of Unicode escape characters in strings to lowercase (#​2916)
  • Fix inconsistencies in whether certain strings are detected as docstrings (#​4095)
  • Consistently add trailing commas to typed function parameters (#​4164)
  • Remove redundant parentheses in if guards for case blocks (#​4214)
  • Add parentheses to if clauses in case blocks when the line is too long (#​4269)
  • Whitespace before # fmt: skip comments is no longer normalized (#​4146)
  • Fix line length computation for certain expressions that involve the power operator
    (#​4154)
  • Check if there is a newline before the terminating quotes of a docstring (#​4185)
  • Fix type annotation spacing between * and more complex type variable tuple (#​4440)

The following changes were not in any previous release:

  • Remove parentheses around sole list items (#​4312)
  • Generic function definitions are now formatted more elegantly: parameters are split
    over multiple lines first instead of type parameter definitions (#​4553)
Stable style
  • Fix formatting cells in IPython notebooks with magic methods and starting or trailing
    empty lines (#​4484)
  • Fix crash when formatting with statements containing tuple generators/unpacking
    (#​4538)
Preview style
  • Fix/remove string merging changing f-string quotes on f-strings with internal quotes
    (#​4498)
  • Collapse multiple empty lines after an import into one (#​4489)
  • Prevent string_processing and wrap_long_dict_values_in_parens from removing
    parentheses around long dictionary values (#​4377)
  • Move wrap_long_dict_values_in_parens from the unstable to preview style (#​4561)
Packaging
  • Store license identifier inside the License-Expression metadata field, see
    PEP 639. (#​4479)
Performance
  • Speed up the is_fstring_start function in Black's tokenizer (#​4541)
Integrations
  • If using stdin with --stdin-filename set to a force excluded path, stdin won't be
    formatted. (#​4539)

Configuration

📅 Schedule: (in timezone Europe/Rome)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@ZxBot ZxBot changed the title chore(deps): update dependency black to v25 [security] chore(deps): update dependency black to v25 [security] - autoclosed Mar 27, 2026
@ZxBot ZxBot closed this Mar 27, 2026
@ZxBot ZxBot deleted the renovate/pypi-black-vulnerability branch March 27, 2026 04:05
@ZxBot ZxBot changed the title chore(deps): update dependency black to v25 [security] - autoclosed chore(deps): update dependency black to v25 [security] Mar 31, 2026
@ZxBot ZxBot reopened this Mar 31, 2026
@ZxBot ZxBot force-pushed the renovate/pypi-black-vulnerability branch 2 times, most recently from 7ff1656 to 1281205 Compare March 31, 2026 03:34
@ZxBot ZxBot force-pushed the renovate/pypi-black-vulnerability branch from 1281205 to d10dbbe Compare April 9, 2026 03:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ZxBot