Skip to content

chore(deps): update dependency black to v26.3.1 [security]#340

Merged
bchew merged 1 commit intomasterfrom
renovate-pypi-black-vulnerability
Mar 13, 2026
Merged

chore(deps): update dependency black to v26.3.1 [security]#340
bchew merged 1 commit intomasterfrom
renovate-pypi-black-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 12, 2026

This PR contains the following updates:

Package Change Age Confidence
black (changelog) ==26.1.0==26.3.1 age confidence

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style
  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using
    exact-length placeholders for short magics and aborting if a placeholder can no longer
    be unmasked safely (#​5038)
Configuration
  • Always hash cache filename components derived from --python-cell-magics so custom
    magic names cannot affect cache paths (#​5038)
Blackd
  • Disable browser-originated requests by default, add configurable origin allowlisting
    and request body limits, and bound executor submissions to improve backpressure
    (#​5039)

v26.3.0

Compare Source

Stable style
  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#​4964)
  • Fix crash on standalone comment in lambda default arguments (#​4993)
  • Preserve parentheses when # type: ignore comments would be merged with other
    comments on the same line, preventing AST equivalence failures (#​4888)
Preview style
  • Fix bug where if guards in case blocks were incorrectly split when the pattern had
    a trailing comma (#​4884)
  • Fix string_processing crashing on unassigned long string literals with trailing
    commas (one-item tuples) (#​4929)
  • Simplify implementation of the power operator "hugging" logic (#​4918)
Packaging
  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
    frozen environments (#​4930)
Performance
  • Introduce winloop for windows as an alternative to uvloop (#​4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
    (#​4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
    installation and creation of either a uvloop/winloop evenloop or default eventloop
    (#​4996)
Output
  • Emit a clear warning when the target Python version is newer than the running Python
    version, since AST safety checks cannot parse newer syntax. Also replace the
    misleading "INTERNAL ERROR" message with an actionable error explaining the version
    mismatch (#​4983)
Blackd
  • Introduce winloop to be used when windows in use which enables blackd to run faster on
    windows when winloop is installed. (#​4996)
Integrations
  • Remove unused gallery script (#​5030)
  • Harden parsing of black requirements in the GitHub Action when use_pyproject is
    enabled so that only version specifiers are accepted and direct references such as
    black @​ https://... are rejected. Users should upgrade to the latest version of the
    action as soon as possible. This update is received automatically when using
    psf/black@stable, and is independent of the version of Black installed by the
    action. (#​5031)
Documentation
  • Expand preview style documentation with detailed examples for wrap_comprehension_in,
    simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
    (#​4987)
  • Add detailed documentation for formatting Jupyter Notebooks (#​5009)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Mar 12, 2026
@renovate renovate bot requested a review from bchew March 12, 2026 21:40
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@bchew bchew merged commit f71dd01 into master Mar 13, 2026
39 checks passed
@bchew bchew deleted the renovate-pypi-black-vulnerability branch March 13, 2026 03:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bchew bchew bchew approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bchew