
chore(deps): update dependency black to v26 [security]#13904

Open
renovate-bot wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
renovate-bot:renovate/pypi-black-vulnerability

Conversation

@renovate-bot (Contributor)

This PR contains the following updates:

Package            Change
black (changelog)  ==24.10.0 -> ==26.3.1
black (changelog)  ==24.8.0  -> ==26.3.1

GitHub Vulnerability Alerts

CVE-2026-32274

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.


Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style
  • Prevent Jupyter notebook magic masking collisions from corrupting cells by using
    exact-length placeholders for short magics and aborting if a placeholder can no longer
    be unmasked safely (#5038)
Configuration
  • Always hash cache filename components derived from --python-cell-magics so custom
    magic names cannot affect cache paths (#5038)
Blackd
  • Disable browser-originated requests by default, add configurable origin allowlisting
    and request body limits, and bound executor submissions to improve backpressure
    (#5039)

v26.3.0

Compare Source

Stable style
  • Don't double-decode input, causing non-UTF-8 files to be corrupted (#4964)
  • Fix crash on standalone comment in lambda default arguments (#4993)
  • Preserve parentheses when # type: ignore comments would be merged with other
    comments on the same line, preventing AST equivalence failures (#4888)
Preview style
  • Fix bug where if guards in case blocks were incorrectly split when the pattern had
    a trailing comma (#4884)
  • Fix string_processing crashing on unassigned long string literals with trailing
    commas (one-item tuples) (#4929)
  • Simplify implementation of the power operator "hugging" logic (#4918)
Packaging
  • Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
    frozen environments (#4930)
Performance
  • Introduce winloop for windows as an alternative to uvloop (#4996)
  • Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
    (#4996)
  • Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
    installation and creation of either a uvloop/winloop event loop or default event loop
    (#4996)
Output
  • Emit a clear warning when the target Python version is newer than the running Python
    version, since AST safety checks cannot parse newer syntax. Also replace the
    misleading "INTERNAL ERROR" message with an actionable error explaining the version
    mismatch (#4983)
Blackd
  • Introduce winloop to be used when Windows is in use, which enables blackd to run
    faster on Windows when winloop is installed. (#4996)
Integrations
  • Remove unused gallery script (#5030)
  • Harden parsing of black requirements in the GitHub Action when use_pyproject is
    enabled so that only version specifiers are accepted and direct references such as
    black @ https://... are rejected. Users should upgrade to the latest version of the
    action as soon as possible. This update is received automatically when using
    psf/black@stable, and is independent of the version of Black installed by the
    action. (#5031)
Documentation
  • Expand preview style documentation with detailed examples for wrap_comprehension_in,
    simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
    (#4987)
  • Add detailed documentation for formatting Jupyter Notebooks (#5009)

v26.1.0

Compare Source

Highlights

Introduces the 2026 stable style (#4892), stabilizing the following changes:

  • always_one_newline_after_import: Always force one blank line after import
    statements, except when the line after the import is a comment or an import statement
    (#4489)
  • fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations,
    such as def foo(): return "mock" # fmt: skip, where previously the declaration would
    have been incorrectly collapsed (#4800)
  • fix_module_docstring_detection: Fix module docstrings being treated as normal
    strings if preceded by comments (#4764)
  • fix_type_expansion_split: Fix type expansions split in generic functions (#4777)
  • multiline_string_handling: Make expressions involving multiline strings more compact
    (#1879)
  • normalize_cr_newlines: Add \r style newlines to the potential newlines to
    normalize file newlines both from and to (#4710)
  • remove_parens_around_except_types: Remove parentheses around multiple exception
    types in except and except* without as (#4720)
  • remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand
    side of assignments while preserving magic trailing commas and intentional multiline
    formatting (#4865)
  • standardize_type_comments: Format type comments which have zero or more spaces
    between # and type: or between type: and value to # type: (value) (#4645)

The following change was not in any previous stable release:

  • Regenerated the _width_table.py and added tests for the Khmer language (#4253)

This release also bumps pathspec to v1 and fixes inconsistencies with Git's
.gitignore logic (#4958). Now, files will be ignored if a pattern matches them, even
if the parent directory is directly unignored. For example, Black would previously
format exclude/not_this/foo.py with this .gitignore:

exclude/
!exclude/not_this/

Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and
all of its children are included in formatting (and in Git), use this .gitignore:

*/exclude/*
!*/exclude/not_this/

This new behavior matches Git. The leading */ are only necessary if you wish to ignore
matching subdirectories (like the previous behavior did), and not just matching root
directories.

Output
  • Explicitly shutdown the multiprocessing manager when run in diff mode too (#4952)
Integrations
  • Upgraded PyPI upload workflow to use Trusted Publishing (#4611)

v25.12.0

Compare Source

Highlights
  • Black no longer supports running with Python 3.9 (#4842)
Stable style
  • Fix bug where comments preceding # fmt: off/# fmt: on blocks were incorrectly
    removed, particularly affecting Jupytext's # %% [markdown] comments (#4845)
  • Fix crash when multiple # fmt: skip comments are used in a multi-part if-clause, on
    string literals, or on dictionary entries with long lines (#4872)
  • Fix possible crash when fmt: directives aren't on the top level (#4856)
Preview style
  • Fix fmt: skip skipping the line after instead of the line it's on (#4855)
  • Remove unnecessary parentheses from the left-hand side of assignments while preserving
    magic trailing commas and intentional multiline formatting (#4865)
  • Fix fix_fmt_skip_in_one_liners crashing on with statements (#4853)
  • Fix fix_fmt_skip_in_one_liners crashing on annotated parameters (#4854)
  • Fix new lines being added after imports with # fmt: skip on them (#4894)
Packaging
  • Releases now include arm64 Windows binaries and wheels (#4814)
Integrations
  • Add output-file input to GitHub Action psf/black to write formatter output to a
    file for artifact capture and log cleanliness (#4824)

v25.11.0

Compare Source

Highlights
  • Enable base 3.14 support (#4804)
  • Add support for the new Python 3.14 t-string syntax introduced by PEP 750 (#4805)
Stable style
  • Fix bug where comments between # fmt: off and # fmt: on were reformatted (#4811)
  • Comments containing fmt directives now preserve their exact formatting instead of
    being normalized (#4811)
Preview style
  • Move multiline_string_handling from --unstable to --preview (#4760)
  • Fix bug where module docstrings would be treated as normal strings if preceded by
    comments (#4764)
  • Fix bug where python 3.12 generics syntax split line happens weirdly (#4777)
  • Standardize type comments to form # type: <value> (#4645)
  • Fix fix_fmt_skip_in_one_liners preview feature to respect # fmt: skip for compound
    statements with semicolon-separated bodies (#4800)
Configuration
  • Add no_cache option to control caching behavior. (#4803)
Packaging
  • Releases now include arm64 Linux binaries (#4773)
Output
  • Write unchanged content to stdout when excluding formatting from stdin using pipes
    (#4610)
Blackd
  • Implemented BlackDClient. This simple Python client allows you to easily send
    formatting requests to blackd (#4774)
Integrations
  • Enable 3.14 base CI (#4804)
  • Enhance GitHub Action psf/black to support the required-version major-version-only
    "stability" format when using pyproject.toml (#4770)
  • Improve error message for vim plugin users. It now handles independently vim version
  • Vim: Warn on unsupported Vim and Python versions independently (#4772)
  • Vim: Print the import paths when importing black fails (#4675)
  • Vim: Fix handling of virtualenvs that have a different Python version (#4675)

v25.9.0

Compare Source

Highlights
  • Remove support for pre-python 3.7 await/async as soft keywords/variable names
    (#4676)
Stable style
  • Fix crash while formatting a long del statement containing tuples (#4628)
  • Fix crash while formatting expressions using the walrus operator in complex with
    statements (#4630)
  • Handle # fmt: skip followed by a comment at the end of file (#4635)
  • Fix crash when a tuple appears in the as clause of a with statement (#4634)
  • Fix crash when tuple is used as a context manager inside a with statement (#4646)
  • Fix crash when formatting a \ followed by a \r followed by a comment (#4663)
  • Fix crash on a \\r\n (#4673)
  • Fix crash on await ... (where ... is a literal Ellipsis) (#4676)
  • Fix crash on parenthesized expression inside a type parameter bound (#4684)
  • Fix crash when using line ranges excluding indented single line decorated items
    (#4670)
Preview style
  • Fix a bug where one-liner functions/conditionals marked with # fmt: skip would still
    be formatted (#4552)
  • Improve multiline_string_handling with ternaries and dictionaries (#4657)
  • Fix a bug where string_processing would not split f-strings directly after
    expressions (#4680)
  • Wrap the in clause of comprehensions across lines if necessary (#4699)
  • Remove parentheses around multiple exception types in except and except* without
    as. (#4720)
  • Add \r style newlines to the potential newlines to normalize file newlines both from
    and to (#4710)
Parser
  • Rewrite tokenizer to improve performance and compliance (#4536)
  • Fix bug where certain unusual expressions (e.g., lambdas) were not accepted in type
    parameter bounds and defaults. (#4602)
Performance
  • Avoid using an extra process when running with only one worker (#4734)
Integrations
  • Fix the version check in the vim file to reject Python 3.8 (#4567)
  • Enhance GitHub Action psf/black to read Black version from an additional section in
    pyproject.toml: [project.dependency-groups] (#4606)
  • Build gallery docker image with python3-slim and reduce image size (#4686)
Documentation
  • Add FAQ entry for windows emoji not displaying (#4714)

v25.1.0

Compare Source

Highlights

This release introduces the new 2025 stable style (#4558), stabilizing the following
changes:

  • Normalize casing of Unicode escape characters in strings to lowercase (#2916)
  • Fix inconsistencies in whether certain strings are detected as docstrings (#4095)
  • Consistently add trailing commas to typed function parameters (#4164)
  • Remove redundant parentheses in if guards for case blocks (#4214)
  • Add parentheses to if clauses in case blocks when the line is too long (#4269)
  • Whitespace before # fmt: skip comments is no longer normalized (#4146)
  • Fix line length computation for certain expressions that involve the power operator
    (#4154)
  • Check if there is a newline before the terminating quotes of a docstring (#4185)
  • Fix type annotation spacing between * and more complex type variable tuple (#4440)

The following changes were not in any previous release:

  • Remove parentheses around sole list items (#4312)
  • Generic function definitions are now formatted more elegantly: parameters are split
    over multiple lines first instead of type parameter definitions (#4553)
Stable style
  • Fix formatting cells in IPython notebooks with magic methods and starting or trailing
    empty lines (#4484)
  • Fix crash when formatting with statements containing tuple generators/unpacking
    (#4538)
Preview style
  • Fix/remove string merging changing f-string quotes on f-strings with internal quotes
    (#4498)
  • Collapse multiple empty lines after an import into one (#4489)
  • Prevent string_processing and wrap_long_dict_values_in_parens from removing
    parentheses around long dictionary values (#4377)
  • Move wrap_long_dict_values_in_parens from the unstable to preview style (#4561)
Packaging
  • Store license identifier inside the License-Expression metadata field, see
    PEP 639. (#4479)
Performance
  • Speed up the is_fstring_start function in Black's tokenizer (#4541)
Integrations
  • If using stdin with --stdin-filename set to a force excluded path, stdin won't be
    formatted. (#4539)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
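The CVE-2026-32274 impact text above describes a cache filename assembled from an unsanitized option value, and the 26.3.1 notes say the fix hashes any component derived from --python-cell-magics. The following is an added example, not Black's own code: the function names, the filename layout and the sorted NUL-joined key are assumptions, chosen to contrast the two constructions and to show the containment check a defender can apply to any cache path.

```python
"""Added example, not Black's own code: why hashing option-derived cache filename
components keeps a command-line value from steering where the cache is written.
Function names, the filename layout and the key encoding are hypothetical."""
import hashlib
from pathlib import Path


def unsafe_cache_name(cache_dir: Path, versions: str, magics: list[str]) -> Path:
    """Pre-fix shape: the option value is pasted into the filename as-is, so a
    path separator or '..' inside it becomes part of the path that gets opened."""
    return cache_dir / f"cache.{versions}.{'-'.join(magics)}.pickle"


def hashed_filename(versions: str, magics: list[str]) -> str:
    """Hardened shape: the untrusted component is reduced to fixed-width hex.
    Sorting makes the key order-independent; a NUL separator keeps list
    boundaries unambiguous (['a-b'] and ['a', 'b'] hash differently)."""
    key = "\0".join(sorted(magics)).encode("utf-8")
    return f"cache.{versions}.{hashlib.sha256(key).hexdigest()[:16]}.pickle"


def hashed_cache_name(cache_dir: Path, versions: str, magics: list[str]) -> Path:
    return cache_dir / hashed_filename(versions, magics)


def stays_inside(cache_dir: Path, candidate: Path) -> bool:
    """Containment check: the resolved file must be a direct child of the cache
    directory. Path.resolve() is lexical for components that do not exist yet."""
    return candidate.resolve().parent == cache_dir.resolve()


def compare(cache_dir: str, versions: str, magics: list[str]) -> dict[str, bool]:
    """For one option value, report whether each construction stays in cache_dir."""
    root = Path(cache_dir)
    return {
        "unsafe": stays_inside(root, unsafe_cache_name(root, versions, magics)),
        "hashed": stays_inside(root, hashed_cache_name(root, versions, magics)),
    }


if __name__ == "__main__":
    # Constructed inputs; the cache directory does not need to exist.
    for magics in (["time", "timeit"], ["../../../tmp/not-a-cache"]):
        print(magics, compare("/srv/black-cache", "py310", magics))
```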

@renovate-bot requested review from a team as code owners March 12, 2026 20:16
@trusted-contributions-gcf bot added labels kokoro:force-run and owlbot:run Mar 12, 2026
@product-auto-label bot added labels samples and api: compute Mar 12, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a crucial update of the black code formatter dependency to version 26.3.1. This update is primarily driven by the need to address a significant security vulnerability (CVE-2026-32274) that allowed arbitrary file writes. Beyond the security fix, this upgrade also brings in a multitude of stable style enhancements, performance optimizations, and bug resolutions introduced across several black releases since the previously pinned versions.

Highlights

  • Dependency Update: Updated the black code formatter dependency to version 26.3.1 for all Python versions.
  • Security Fix: Addressed a critical security vulnerability (CVE-2026-32274) in black related to arbitrary file write via unsanitized --python-cell-magics option.
  • Feature and Bug Fixes: Incorporated numerous stable style changes, performance improvements, and bug fixes from black versions 25.1.0 through 26.3.1.
Changelog
  • compute/client_library/requirements.txt
    • Updated black from 24.8.0 (for Python < 3.9) and 24.10.0 (for Python >= 3.9) to 26.3.1 for all Python versions.
    • This update includes fixes for a critical security vulnerability (CVE-2026-32274) and numerous other improvements across stable style, preview style, packaging, performance, and integrations from versions 25.1.0 up to 26.3.1.
Activity
  • No specific activity (comments, reviews, progress) has been recorded for this pull request.

@kokoro-team removed the kokoro:force-run label Mar 12, 2026

@gemini-code-assist bot (Contributor) left a comment


Code Review

This pull request updates the black dependency to version 26.3.1, which resolves a security vulnerability. The update is correct. I've added a suggestion to simplify the requirements.txt file by merging the two version-specific lines for black into one, as they now specify the same version.

Comment on lines +3 to +4
black==26.3.1; python_version < "3.9"
black==26.3.1; python_version >= "3.9"
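Review bot: the marker on line +3, `black==26.3.1; python_version < "3.9"`, pins a version that cannot be installed on the interpreters it selects: the v25.12.0 notes above state that Black no longer supports running with Python 3.9, so 26.3.1 has no release for Python 3.8 or older and `pip install -r` on such an interpreter fails instead of falling back. Either drop the `< "3.9"` line and the now-redundant marker on line +4 if no Python < 3.9 environment installs these requirements, or keep `black==24.8.0; python_version < "3.9"` for those interpreters with the understanding that they remain on a version affected by CVE-2026-32274 and must not receive untrusted --python-cell-magics values.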

medium

Since the black dependency version is now the same for all Python versions, you can simplify these two lines into a single entry without the Python version markers. This makes the requirements.txt file cleaner and easier to maintain.

black==26.3.1
