chore(deps): update Python dependencies

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

pyproject.toml

@@ -25,19 +25,19 @@ dependencies = [
     "requests >=2.32.3,<3.0.0",
     "pydriller >=2.0,<3.0.0",
     "yamale >=6.0.0,<7.0.0",
-    "packaging >=24.0,<25.0.0",
+    "packaging >=25.0,<27.0.0",
     "jinja2 >=3.1.2,<4.0.0",
     "SQLAlchemy >=2.0.0,<3.0.0",
     "defusedxml >=0.7.1,<1.0.0",
     "packageurl-python >= 0.11.1,<1.0.0",
     "ruamel.yaml >= 0.18.6,<1.0.0",
     "jsonschema >= 4.22.0,<5.0.0",
     "cyclonedx-bom >=7.0.0,<8.0.0",
-    "cyclonedx-python-lib[validation] >=8.0.0,<11.0.0",
+    "cyclonedx-python-lib[validation] >=9.0.0,<12.0.0",
     "beautifulsoup4 >= 4.12.0,<5.0.0",
     "problog >= 2.2.6,<3.0.0",
-    "cryptography >=44.0.0,<45.0.0",
-    "semgrep == 1.149.0",
+    "cryptography >=46.0.5,<47.0.0",
+    "semgrep == 1.151.0",
     "email-validator >=2.2.0,<3.0.0",
     "rich >=13.5.3,<15.0.0",
     "lark >= 1.3.0,<2.0.0",
@@ -71,21 +71,21 @@ macaron = 'macaron.__main__:main'
 # installed. Make sure to keep the requirements in sync with the workflows!
 actions = [
     "commitizen >=4.0.0,<5.0.0",
-    "twine >=5.0.0,<6.0.0",
+    "twine >=6.0.0,<7.0.0",
 ]
 dev = [
     "flit >=3.2.0,<4.0.0",
-    "mypy >=1.0.0,<1.16",
+    "mypy >=1.19.1,<1.20",
     "types-pyyaml >=6.0.4,<7.0.0",
     "types-requests >=2.25.6,<3.0.0",
     "types-jsonschema >=4.22.0,<5.0.0",
     "pip-audit >=2.5.6,<3.0.0",
-    "pylint >=3.0.3,<4.0.0",
+    "pylint >=4.0.4,<5.0.0",
     "cyclonedx-bom >=7.0.0,<8.0.0",
     "types-beautifulsoup4 >= 4.12.0,<5.0.0",
 ]
 docs = [
-    "sphinx >=8.0.0,<9.0.0",
+    "sphinx >=9.0.0,<10.0.0",
     "sphinx-autodoc-typehints >=3.0.0,<4.0.0",
     "sphinx-rtd-theme >=3.0.0,<4.0.0",
     "numpydoc >=1.5.0,<2.0.0",
@@ -98,12 +98,12 @@ hooks = [
 # Note that the `custom_exit_code` and `env` plugins may currently be unmaintained.
 test = [
     "hypothesis >=6.100.1,<7.0.0",
-    "pytest >=8.2.2,<9.0.0",
+    "pytest >=9.0.2,<10.0.0",
     "pytest-custom_exit_code >=0.3.0,<1.0.0",
-    "pytest-cov >=6.0.0,<7.0.0",
+    "pytest-cov >=7.0.0,<8.0.0",
     "pytest-env >=1.0.0,<2.0.0",
     "pytest_httpserver >=1.0.10,<2.0.0",
-    "syrupy >=4.0.0,<5.0.0",
+    "syrupy >=5.1.0,<6.0.0",
 ]
 
 test-docker = [
@@ -217,7 +217,6 @@ ignore_missing_imports = true
 # https://pylint.pycqa.org/en/latest/user_guide/configuration/index.html
 [tool.pylint.MASTER]
 fail-under = 10.0
-suggestion-mode = true  # Remove this setting when pylint v4 is released.
 load-plugins = [
     "pylint.extensions.check_elif",
     "pylint.extensions.for_any_all",

src/macaron/__main__.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This is the main entrypoint to run Macaron."""
@@ -92,7 +92,7 @@ def analyze_slsa_levels_single(analyzer_single_args: argparse.Namespace) -> None
 
         local_maven_repo = os.path.join(home_dir, ".m2")
         if not os.path.isdir(local_maven_repo):
-            logger.debug("The default local Maven repo at %s does not exist. Ignore ...")
+            logger.debug("The default local Maven repo at %s does not exist. Ignore ...", local_maven_repo)
             global_config.local_maven_repo = None
 
         global_config.local_maven_repo = local_maven_repo

src/macaron/repo_finder/repo_finder_deps_dev.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the PythonRepoFinderDD class to be used for finding repositories using deps.dev."""
@@ -179,7 +179,7 @@ def get_attestation(purl: PackageURL) -> tuple[dict | None, str | None, bool]:
             and a flag for whether the attestation is verified.
         """
         if purl.type != "pypi":
-            logger.debug("PURL type (%s) attestation not yet supported via deps.dev.")
+            logger.debug("PURL type (%s) attestation not yet supported via deps.dev.", purl.type)
             return None, None, False
 
         if not purl.version:

src/macaron/slsa_analyzer/git_url.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module provides methods to perform generic actions on Git URLS."""
@@ -338,7 +338,7 @@ def clone_remote_repo(clone_dir: str, url: str) -> Repo | None:
                 )
                 return Repo(path=clone_dir)
             except (subprocess.CalledProcessError, OSError):
-                logger.debug("The clone dir %s is not empty. An attempt to update it failed.")
+                logger.debug("The clone dir %s is not empty. An attempt to update it failed.", clone_dir)
                 return None
 
     # Ensure that the parent directory where the repo is cloned into exists.

tests/integration/run.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Integration test utility."""
@@ -1220,7 +1220,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 
     path = shutil.which(args.macaron)
     if path is None:
-        logger.error("'%s' is not a command.")
+        logger.error("'%s' is not a command.", args.macaron)
         return 1
     macaron_cmd = os.path.abspath(path)