chore(deps): update dependency black to v26 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
black (changelog)	25.12.0 → 26.3.1

---

Black: Arbitrary file writes from unsanitized user input in cache file name

CVE-2026-32274 / GHSA-3936-cmfr-pm3m

More information

Details

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
• https://github.com/psf/black/pull/5038
• https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
• https://github.com/psf/black/releases/tag/26.3.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-32274
• https://github.com/advisories/GHSA-3936-cmfr-pm3m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Black: Arbitrary file writes from unsanitized user input in cache file name

CVE-2026-32274 / GHSA-3936-cmfr-pm3m

More information

Details

Impact

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

Patches

Fixed in Black 26.3.1.

Workarounds

Do not allow untrusted user input into the value of the --python-cell-magics option.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
• https://nvd.nist.gov/vuln/detail/CVE-2026-32274
• https://github.com/psf/black/pull/5038
• https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
• https://github.com/psf/black
• https://github.com/psf/black/releases/tag/26.3.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

psf/black (black)

v26.3.1

Compare Source

Stable style

• Prevent Jupyter notebook magic masking collisions from corrupting cells by using
  exact-length placeholders for short magics and aborting if a placeholder can no longer
  be unmasked safely (#​5038)

Configuration

• Always hash cache filename components derived from --python-cell-magics so custom
  magic names cannot affect cache paths (#​5038)

Blackd

• Disable browser-originated requests by default, add configurable origin allowlisting
  and request body limits, and bound executor submissions to improve backpressure
  (#​5039)

v26.3.0

Compare Source

Stable style

• Don't double-decode input, causing non-UTF-8 files to be corrupted (#​4964)
• Fix crash on standalone comment in lambda default arguments (#​4993)
• Preserve parentheses when # type: ignore comments would be merged with other
  comments on the same line, preventing AST equivalence failures (#​4888)

Preview style

• Fix bug where if guards in case blocks were incorrectly split when the pattern had
  a trailing comma (#​4884)
• Fix string_processing crashing on unassigned long string literals with trailing
  commas (one-item tuples) (#​4929)
• Simplify implementation of the power operator "hugging" logic (#​4918)

Packaging

• Fix shutdown errors in PyInstaller builds on macOS by disabling multiprocessing in
  frozen environments (#​4930)

Performance

• Introduce winloop for windows as an alternative to uvloop (#​4996)
• Remove deprecated function uvloop.install() in favor of uvloop.new_event_loop()
  (#​4996)
• Rename maybe_install_uvloop function to maybe_use_uvloop to simplify loop
  installation and creation of either a uvloop/winloop evenloop or default eventloop
  (#​4996)

Output

• Emit a clear warning when the target Python version is newer than the running Python
  version, since AST safety checks cannot parse newer syntax. Also replace the
  misleading "INTERNAL ERROR" message with an actionable error explaining the version
  mismatch (#​4983)

Blackd

• Introduce winloop to be used when windows in use which enables blackd to run faster on
  windows when winloop is installed. (#​4996)

Integrations

• Remove unused gallery script (#​5030)
• Harden parsing of black requirements in the GitHub Action when use_pyproject is
  enabled so that only version specifiers are accepted and direct references such as
  black @​ https://... are rejected. Users should upgrade to the latest version of the
  action as soon as possible. This update is received automatically when using
  psf/black@stable, and is independent of the version of Black installed by the
  action. (#​5031)

Documentation

• Expand preview style documentation with detailed examples for wrap_comprehension_in,
  simplify_power_operator_hugging, and wrap_long_dict_values_in_parens features
  (#​4987)
• Add detailed documentation for formatting Jupyter Notebooks (#​5009)

v26.1.0

Compare Source

Highlights

Introduces the 2026 stable style (#​4892), stabilizing the following changes:

• always_one_newline_after_import: Always force one blank line after import
  statements, except when the line after the import is a comment or an import statement
  (#​4489)
• fix_fmt_skip_in_one_liners: Fix # fmt: skip behavior on one-liner declarations,
  such as def foo(): return "mock" # fmt: skip, where previously the declaration would
  have been incorrectly collapsed (#​4800)
• fix_module_docstring_detection: Fix module docstrings being treated as normal
  strings if preceded by comments (#​4764)
• fix_type_expansion_split: Fix type expansions split in generic functions (#​4777)
• multiline_string_handling: Make expressions involving multiline strings more compact
  (#​1879)
• normalize_cr_newlines: Add \r style newlines to the potential newlines to
  normalize file newlines both from and to (#​4710)
• remove_parens_around_except_types: Remove parentheses around multiple exception
  types in except and except* without as (#​4720)
• remove_parens_from_assignment_lhs: Remove unnecessary parentheses from the left-hand
  side of assignments while preserving magic trailing commas and intentional multiline
  formatting (#​4865)
• standardize_type_comments: Format type comments which have zero or more spaces
  between # and type: or between type: and value to # type: (value) (#​4645)

The following change was not in any previous stable release:

• Regenerated the _width_table.py and added tests for the Khmer language (#​4253)

This release alo bumps pathspec to v1 and fixes inconsistencies with Git's
.gitignore logic (#​4958). Now, files will be ignored if a pattern matches them, even
if the parent directory is directly unignored. For example, Black would previously
format exclude/not_this/foo.py with this .gitignore:

exclude/
!exclude/not_this/

Now, exclude/not_this/foo.py will remain ignored. To ensure exclude/not_this/ and
all of it's children are included in formatting (and in Git), use this .gitignore:

*/exclude/*
!*/exclude/not_this/

This new behavior matches Git. The leading */ are only necessary if you wish to ignore
matching subdirectories (like the previous behavior did), and not just matching root
directories.

Output

• Explicitly shutdown the multiprocessing manager when run in diff mode too (#​4952)

Integrations

• Upgraded PyPI upload workflow to use Trusted Publishing (#​4611)

---

Configuration

📅 Schedule: (in timezone US/Central)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Test Results

    52 files      52 suites   1h 16m 53s ⏱️
   689 tests    685 ✅     0 💤  4 ❌
20 700 runs  19 580 ✅ 1 056 💤 64 ❌

For more details on these failures, see this check.

Results for commit 10fb932.

♻️ This comment has been updated with latest results.

[bkeryan]

Nice try, bot, but no, we are not downgrading ni-python-styleguide

[bkeryan]

I'm closing this until ni-python-styleguide is updated to work with black >=26.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 26.x releases. But if you manually upgrade to 26.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.