chore(deps): bump the python-minor-patch group across 1 directory with 3 updates

[dependabot]

Bumps the python-minor-patch group with 3 updates in the / directory: ruff, uv and hatch.

Updates ruff from 0.15.14 to 0.15.15

Release notes

Sourced from ruff's releases.

0.15.15

Release Notes

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser

... (truncated)

Changelog

Sourced from ruff's changelog.

0.15.15

Released on 2026-05-28.

Preview features

• Fix Markdown closing fence handling (#25310)
• [pyflakes] Report duplicate imports in typing.TYPE_CHECKING block (F811) (#22560)

Bug fixes

• [pyflakes] Treat function-scope bare annotations as locals per PEP 526 (F821) (#21540)

Performance

• Avoid redundant TokenValue drops in the lexer (#25300)
• Reduce memory usage by dropping token-excess capacity and improve performance by approximating the initial tokens Vec size (#25354)
• Use ThinVec in AST to shrink Stmt (#25361)

Documentation

• Fix line-length example for --config option (#25389)
• [flake8-comprehensions] Document RecursionError edge case in __len__ (C416) (#25286)
• [mccabe] Improve example (C901) (#25287)
• [pyupgrade] Clarify fix safety docs (UP007, UP045) (#25288)
• [refurb] Document FURB192 exception change for empty sequences (#25317)
• [ruff] Document false negative for user-defined types (RUF013) (#25289)

Formatter

• Fix formatting of lambdas nested within f-strings (#25398)

Server

• Return code action for codeAction/resolve requests that contain no or no valid URL (#25365)

Other changes

• Expand semantic syntax errors for invalid walruses (#25415)

Contributors

• @​chirizxc
• @​ntBre
• @​adityasingh2400
• @​charliermarsh
• @​fallintoplace
• @​martin-schlossarek
• @​MichaReiser
• @​Ruchir28

Commits

• db5aa0a Bump 0.15.15 (#25431)
• 366fe21 [ty] Improve diagnostics for syntax errors in forward annotations (#25158)
• e2e1e64 [ty] Remove excess capacity from more Salsa cached collections (#25411)
• 1bd77e1 [ty] Use diagnostic message as tie breaker when sorting (#25424)
• 7e1bc1e Add agent skills for working on ty (#25422)
• 574e107 Expand semantic syntax errors for invalid walruses (#25415)
• 4a7ca06 [ty] Display docs for matching parameter when hovering over the name of an ar...
• 5432709 Refine a few agents instructions (#25423)
• 3cb09eb [ty] Support typing.TypeForm (#25334)
• c8cd59f [ty] Infer class attributes assigned by metaclass initialization (#25342)
• Additional commits viewable in compare view

Updates uv from 0.11.17 to 0.11.18

Release notes

Sourced from uv's releases.

0.11.18

Release Notes

Released on 2026-06-01.

Performance

• Fix performance regression in unzip of local wheels (#19637)

Preview

• Add uv check to run ty from uv (#19605)

Bug fixes

• Update activation scripts with upstream fixes (#19628)

Other changes

• Bump MSRV to 1.94 (#19600)

Install uv 0.11.18

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://releases.astral.sh/github/uv/releases/download/0.11.18/uv-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://releases.astral.sh/github/uv/releases/download/0.11.18/uv-installer.ps1 | iex"

Download uv 0.11.18

File	Platform	Checksum
uv-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
uv-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
uv-aarch64-pc-windows-msvc.zip	ARM64 Windows	checksum
uv-i686-pc-windows-msvc.zip	x86 Windows	checksum
uv-x86_64-pc-windows-msvc.zip	x64 Windows	checksum
uv-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
uv-i686-unknown-linux-gnu.tar.gz	x86 Linux	checksum
uv-powerpc64le-unknown-linux-gnu.tar.gz	PPC64LE Linux	checksum
uv-riscv64gc-unknown-linux-gnu.tar.gz	RISCV Linux	checksum
uv-s390x-unknown-linux-gnu.tar.gz	S390x Linux	checksum
uv-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum

... (truncated)

Changelog

Sourced from uv's changelog.

0.11.18

Released on 2026-06-01.

Performance

• Fix performance regression in unzip of local wheels (#19637)

Preview

• Add uv check to run ty from uv (#19605)

Bug fixes

• Update activation scripts with upstream fixes (#19628)

Other changes

• Bump MSRV to 1.94 (#19600)

Commits

• e326669 Bump version to 0.11.18 (#19639)
• 6bc4fe6 Use --no-config during the release process (#19640)
• 94e66c3 [check] you're not special, ty (#19609)
• 5ba95e0 Fix performance regression in unzip of local wheels (#19637)
• ebd9dee Don't use --update with apt in CI (#19633)
• e91ebe8 Update activation scripts with upstream fixes (#19628)
• e5a0e18 Use Rust 1.94.0 features (#19612)
• f69c1b2 Add uv check to run ty from uv (#19605)
• 40cfa8e Add test coverage for both WSL1 and WSL2 (#19608)
• 81dabd5 Update Rust toolchain to 1.96 and MSRV to 1.94 (#19600)
• See full diff in compare view

Updates hatch from 1.16.5 to 1.17.0

Release notes

Sourced from hatch's releases.

Hatchling v1.17.0

Added:

• The app build target now embeds the project version in the name of binaries

Hatch v1.17.0

Changed:

• The hatch fmt command is now deprecated in favor of the new hatch check command group
• Migrate HTTP client from httpx to httpx2

Added:

• Add hatch check command group with subcommands for check code (linting), check fmt (formatting), and check types (type checking)
• Add hatch check types command for type checking using Pyrefly, with --summarize and --cover flags
• Add hatch env lock command to generate PEP 751 compliant lockfiles (pylock.toml) for environments
• Add hatch dep lock and hatch lock commands as shortcuts for locking the active environment
• Add hatch dep sync command for syncing dependencies from a lockfile
• Add pluggable dependency locker interface with built-in UV and pip implementations
• Add --cover-xml and --cover-xml-output flags to the hatch test command for generating XML coverage reports
• Add linehaul telemetry data to User-Agent header for PyPI download statistics
• Auto-create environment when locking if it doesn't exist

Fixed:

• Fix help output formatting for the run command

Commits

• 37b00c3 release Hatchling v1.30.1 (#2298)
• 0446d99 Update history for new patch release of hatchling after fixing default metada...
• 4f5cdf0 Make 2.4 metadata default until other tools support it. (#2296)
• 0497be0 Fix draft release uploads. (#2293)
• 3aae0fa Fix hatchling to use Metadata 2.4 (#2291)
• 5ee4189 release Hatch v1.17.0 (#2290)
• 6109ee7 release Hatchling v1.30.0 (#2289)
• 246e22b Block duplicate files in wheel archives (closes #2066) (#2269)
• d2afcb6 Update docs as pre-release for 1.17.0 (#2287)
• 818d284 Feat hatch check command with new sub command for types (#2278)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​hatch@​1.16.5 ⏵ 1.17.0
	pypi/​uv@​0.11.17 ⏵ 0.11.18
	pypi/​ruff@​0.15.14 ⏵ 0.15.15

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: pypi hatch is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pyproject.toml → pypi/hatch@1.17.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/hatch@1.17.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security-staging]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​uv@​0.11.17 ⏵ 0.11.18
	pypi/​ruff@​0.15.14 ⏵ 0.15.15

View full report