Commit 1c88f0c
authored
chore(deps): update dependency black to v26 [security] (#459)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [black](https://redirect.github.com/psf/black) ([changelog](https://redirect.github.com/psf/black/blob/main/CHANGES.md)) | `==25.9.0` → `==26.3.1` | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-32274](https://redirect.github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m)
### Impact
Black writes a cache file, the name of which is computed from various
formatting options. The value of the `--python-cell-magics` option was
placed in the filename without sanitization, which allowed an attacker
who controls the value of this argument to write cache files to
arbitrary file system locations.
### Patches
Fixed in Black 26.3.1.
### Workarounds
Do not allow untrusted user input into the value of the
`--python-cell-magics` option.
---
### Release Notes
<details>
<summary>psf/black (black)</summary>
### [`v26.3.1`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#2631)
[Compare Source](https://redirect.github.com/psf/black/compare/26.3.0...26.3.1)
##### Stable style
- Prevent Jupyter notebook magic masking collisions from corrupting
cells by using
exact-length placeholders for short magics and aborting if a placeholder
can no longer
be unmasked safely
([#​5038](https://redirect.github.com/psf/black/issues/5038))
##### Configuration
- Always hash cache filename components derived from
`--python-cell-magics` so custom
magic names cannot affect cache paths
([#​5038](https://redirect.github.com/psf/black/issues/5038))
##### *Blackd*
- Disable browser-originated requests by default, add configurable
origin allowlisting
and request body limits, and bound executor submissions to improve
backpressure
([#​5039](https://redirect.github.com/psf/black/issues/5039))
### [`v26.3.0`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#2630)
[Compare Source](https://redirect.github.com/psf/black/compare/26.1.0...26.3.0)
##### Stable style
- Don't double-decode input, causing non-UTF-8 files to be corrupted
([#​4964](https://redirect.github.com/psf/black/issues/4964))
- Fix crash on standalone comment in lambda default arguments
([#​4993](https://redirect.github.com/psf/black/issues/4993))
- Preserve parentheses when `# type: ignore` comments would be merged
with other
comments on the same line, preventing AST equivalence failures
([#​4888](https://redirect.github.com/psf/black/issues/4888))
##### Preview style
- Fix bug where `if` guards in `case` blocks were incorrectly split when
the pattern had
a trailing comma
([#​4884](https://redirect.github.com/psf/black/issues/4884))
- Fix `string_processing` crashing on unassigned long string literals
with trailing
commas (one-item tuples)
([#​4929](https://redirect.github.com/psf/black/issues/4929))
- Simplify implementation of the power operator "hugging" logic
([#​4918](https://redirect.github.com/psf/black/issues/4918))
##### Packaging
- Fix shutdown errors in PyInstaller builds on macOS by disabling
multiprocessing in
frozen environments
([#​4930](https://redirect.github.com/psf/black/issues/4930))
##### Performance
- Introduce winloop for Windows as an alternative to uvloop
([#​4996](https://redirect.github.com/psf/black/issues/4996))
- Remove deprecated function `uvloop.install()` in favor of
`uvloop.new_event_loop()`
([#​4996](https://redirect.github.com/psf/black/issues/4996))
- Rename `maybe_install_uvloop` function to `maybe_use_uvloop` to
simplify loop
installation and creation of either a uvloop/winloop event loop or default
event loop
([#​4996](https://redirect.github.com/psf/black/issues/4996))
##### Output
- Emit a clear warning when the target Python version is newer than the
running Python
version, since AST safety checks cannot parse newer syntax. Also replace
the
misleading "INTERNAL ERROR" message with an actionable error explaining
the version
mismatch
([#​4983](https://redirect.github.com/psf/black/issues/4983))
##### *Blackd*
- Introduce winloop to be used when Windows is in use, which enables blackd
to run faster on
Windows when winloop is installed.
([#​4996](https://redirect.github.com/psf/black/issues/4996))
##### Integrations
- Remove unused gallery script
([#​5030](https://redirect.github.com/psf/black/issues/5030))
- Harden parsing of `black` requirements in the GitHub Action when
`use_pyproject` is
enabled so that only version specifiers are accepted and direct
references such as
`black @​ https://...` are rejected. Users should upgrade to the
latest version of the
action as soon as possible. This update is received automatically when
using
`psf/black@stable`, and is independent of the version of Black installed
by the
action.
([#​5031](https://redirect.github.com/psf/black/issues/5031))
##### Documentation
- Expand preview style documentation with detailed examples for
`wrap_comprehension_in`,
`simplify_power_operator_hugging`, and `wrap_long_dict_values_in_parens`
features
([#​4987](https://redirect.github.com/psf/black/issues/4987))
- Add detailed documentation for formatting Jupyter Notebooks
([#​5009](https://redirect.github.com/psf/black/issues/5009))
### [`v26.1.0`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#2610)
[Compare Source](https://redirect.github.com/psf/black/compare/25.12.0...26.1.0)
##### Highlights
Introduces the 2026 stable style
([#​4892](https://redirect.github.com/psf/black/issues/4892)),
stabilizing the following changes:
- `always_one_newline_after_import`: Always force one blank line after
import
statements, except when the line after the import is a comment or an
import statement
([#​4489](https://redirect.github.com/psf/black/issues/4489))
- `fix_fmt_skip_in_one_liners`: Fix `# fmt: skip` behavior on one-liner
declarations,
such as `def foo(): return "mock" # fmt: skip`, where previously the
declaration would
have been incorrectly collapsed
([#​4800](https://redirect.github.com/psf/black/issues/4800))
- `fix_module_docstring_detection`: Fix module docstrings being treated
as normal
strings if preceded by comments
([#​4764](https://redirect.github.com/psf/black/issues/4764))
- `fix_type_expansion_split`: Fix type expansions split in generic
functions
([#​4777](https://redirect.github.com/psf/black/issues/4777))
- `multiline_string_handling`: Make expressions involving multiline
strings more compact
([#​1879](https://redirect.github.com/psf/black/issues/1879))
- `normalize_cr_newlines`: Add `\r` style newlines to the potential
newlines to
normalize file newlines both from and to
([#​4710](https://redirect.github.com/psf/black/issues/4710))
- `remove_parens_around_except_types`: Remove parentheses around
multiple exception
types in `except` and `except*` without `as`
([#​4720](https://redirect.github.com/psf/black/issues/4720))
- `remove_parens_from_assignment_lhs`: Remove unnecessary parentheses
from the left-hand
side of assignments while preserving magic trailing commas and
intentional multiline
formatting
([#​4865](https://redirect.github.com/psf/black/issues/4865))
- `standardize_type_comments`: Format type comments which have zero or
more spaces
between `#` and `type:` or between `type:` and value to
`# type: (value)`
([#​4645](https://redirect.github.com/psf/black/issues/4645))
The following change was not in any previous stable release:
- Regenerated the `_width_table.py` and added tests for the Khmer
language
([#​4253](https://redirect.github.com/psf/black/issues/4253))
This release also bumps `pathspec` to v1 and fixes inconsistencies with
Git's
`.gitignore` logic
([#​4958](https://redirect.github.com/psf/black/issues/4958)).
Now, files will be ignored if a pattern matches them, even
if the parent directory is directly unignored. For example, Black would
previously
format `exclude/not_this/foo.py` with this `.gitignore`:
```
exclude/
!exclude/not_this/
```
Now, `exclude/not_this/foo.py` will remain ignored. To ensure
`exclude/not_this/` and
all of its children are included in formatting (and in Git), use this
`.gitignore`:
```
*/exclude/*
!*/exclude/not_this/
```
This new behavior matches Git. The leading `*/` are only necessary if
you wish to ignore
matching subdirectories (like the previous behavior did), and not just
matching root
directories.
##### Output
- Explicitly shutdown the multiprocessing manager when run in diff mode
too ([#​4952](https://redirect.github.com/psf/black/issues/4952))
##### Integrations
- Upgraded PyPI upload workflow to use Trusted Publishing
([#​4611](https://redirect.github.com/psf/black/issues/4611))
### [`v25.12.0`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#25120)
[Compare Source](https://redirect.github.com/psf/black/compare/25.11.0...25.12.0)
##### Highlights
- Black no longer supports running with Python 3.9
([#​4842](https://redirect.github.com/psf/black/issues/4842))
##### Stable style
- Fix bug where comments preceding `# fmt: off`/`# fmt: on` blocks were
incorrectly
removed, particularly affecting Jupytext's `# %% [markdown]` comments
([#​4845](https://redirect.github.com/psf/black/issues/4845))
- Fix crash when multiple `# fmt: skip` comments are used in a
multi-part if-clause, on
string literals, or on dictionary entries with long lines
([#​4872](https://redirect.github.com/psf/black/issues/4872))
- Fix possible crash when `fmt: ` directives aren't on the top level
([#​4856](https://redirect.github.com/psf/black/issues/4856))
##### Preview style
- Fix `fmt: skip` skipping the line after instead of the line it's on
([#​4855](https://redirect.github.com/psf/black/issues/4855))
- Remove unnecessary parentheses from the left-hand side of assignments
while preserving
magic trailing commas and intentional multiline formatting
([#​4865](https://redirect.github.com/psf/black/issues/4865))
- Fix `fix_fmt_skip_in_one_liners` crashing on `with` statements
([#​4853](https://redirect.github.com/psf/black/issues/4853))
- Fix `fix_fmt_skip_in_one_liners` crashing on annotated parameters
([#​4854](https://redirect.github.com/psf/black/issues/4854))
- Fix new lines being added after imports with `# fmt: skip` on them
([#​4894](https://redirect.github.com/psf/black/issues/4894))
##### Packaging
- Releases now include arm64 Windows binaries and wheels
([#​4814](https://redirect.github.com/psf/black/issues/4814))
##### Integrations
- Add `output-file` input to GitHub Action `psf/black` to write
formatter output to a
file for artifact capture and log cleanliness
([#​4824](https://redirect.github.com/psf/black/issues/4824))
### [`v25.11.0`](https://redirect.github.com/psf/black/blob/HEAD/CHANGES.md#25110)
[Compare Source](https://redirect.github.com/psf/black/compare/25.9.0...25.11.0)
##### Highlights
- Enable base 3.14 support
([#​4804](https://redirect.github.com/psf/black/issues/4804))
- Add support for the new Python 3.14 t-string syntax introduced by PEP
750 ([#​4805](https://redirect.github.com/psf/black/issues/4805))
##### Stable style
- Fix bug where comments between `# fmt: off` and `# fmt: on` were
reformatted
([#​4811](https://redirect.github.com/psf/black/issues/4811))
- Comments containing fmt directives now preserve their exact formatting
instead of
being normalized
([#​4811](https://redirect.github.com/psf/black/issues/4811))
##### Preview style
- Move `multiline_string_handling` from `--unstable` to `--preview`
([#​4760](https://redirect.github.com/psf/black/issues/4760))
- Fix bug where module docstrings would be treated as normal strings if
preceded by
comments
([#​4764](https://redirect.github.com/psf/black/issues/4764))
- Fix bug where python 3.12 generics syntax split line happens weirdly
([#​4777](https://redirect.github.com/psf/black/issues/4777))
- Standardize type comments to form `# type: <value>`
([#​4645](https://redirect.github.com/psf/black/issues/4645))
- Fix `fix_fmt_skip_in_one_liners` preview feature to respect
`# fmt: skip` for compound
statements with semicolon-separated bodies
([#​4800](https://redirect.github.com/psf/black/issues/4800))
##### Configuration
- Add `no_cache` option to control caching behavior.
([#​4803](https://redirect.github.com/psf/black/issues/4803))
##### Packaging
- Releases now include arm64 Linux binaries
([#​4773](https://redirect.github.com/psf/black/issues/4773))
##### Output
- Write unchanged content to stdout when excluding formatting from stdin
using pipes
([#​4610](https://redirect.github.com/psf/black/issues/4610))
##### *Blackd*
- Implemented BlackDClient. This simple Python client makes it easy to
send formatting
requests to blackd
([#​4774](https://redirect.github.com/psf/black/issues/4774))
##### Integrations
- Enable 3.14 base CI
([#​4804](https://redirect.github.com/psf/black/issues/4804))
- Enhance GitHub Action `psf/black` to support the `required-version`
major-version-only
"stability" format when using pyproject.toml
([#​4770](https://redirect.github.com/psf/black/issues/4770))
- Improve error message for vim plugin users. It now handles
independently vim version
- Vim: Warn on unsupported Vim and Python versions independently
([#​4772](https://redirect.github.com/psf/black/issues/4772))
- Vim: Print the import paths when importing black fails
([#​4675](https://redirect.github.com/psf/black/issues/4675))
- Vim: Fix handling of virtualenvs that have a different Python version
([#​4675](https://redirect.github.com/psf/black/issues/4675))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/sphinx-docfx-yaml).
1 parent 32b6e89 commit 1c88f0c
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
10 | | - | |
| 10 | + | |
11 | 11 | | |
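Review bot: the replacement at line 10, the only changed line in this one-file commit, carries more than the 26.3.1 security fix, and nothing else in the commit accounts for that. Per the release notes in the commit message, moving the pin from `==25.9.0` to `==26.3.1` also crosses 25.12.0 (Black no longer runs on Python 3.9) and 26.1.0 (the 2026 stable style), so confirm the lint job's interpreter is newer than 3.9 and run `black --check` over the tree with the new pin before merging; if the formatter output changes, land the reformat together with this pin.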
0 commit comments
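The advisory and the 26.3.1 Configuration note in the commit message describe a cache file name built from an unsanitized option value, fixed by hashing that component. The sketch below is an added example, not Black's code and not part of this commit: the function names, the cache root, the file-name layout and the truncated SHA-256 digest are all assumptions chosen to show the before and after shapes and a containment check.

```python
import hashlib
import posixpath
from pathlib import PurePosixPath

CACHE_DIR = PurePosixPath("/var/cache/fmt-example")  # hypothetical cache root


def unsafe_cache_path(line_length: int, cell_magics: list[str]) -> PurePosixPath:
    """'Before' shape: the option text is pasted straight into the file name."""
    magics = ",".join(sorted(cell_magics))
    return CACHE_DIR / f"cache.{line_length}.{magics}.pickle"


def hashed_cache_path(line_length: int, cell_magics: list[str]) -> PurePosixPath:
    """'After' shape: only a fixed-length hex digest of the option is used."""
    magics = ",".join(sorted(cell_magics)).encode("utf-8")
    digest = hashlib.sha256(magics).hexdigest()[:16]
    return CACHE_DIR / f"cache.{line_length}.{digest}.pickle"


def stays_inside(path: PurePosixPath, root: PurePosixPath = CACHE_DIR) -> bool:
    """Collapse '..' lexically, then require the result to sit under root."""
    normalised = PurePosixPath(posixpath.normpath(str(path)))
    return normalised.is_relative_to(root)


def audit(samples: list[list[str]]) -> list[tuple[bool, bool]]:
    """For each option value: (unsafe path contained?, hashed path contained?)."""
    return [
        (stays_inside(unsafe_cache_path(88, m)), stays_inside(hashed_cache_path(88, m)))
        for m in samples
    ]


# Constructed option values: one ordinary, one carrying path separators.
SAMPLES = [["timeit", "capture"], ["a/../../elsewhere/m"]]

if __name__ == "__main__":
    for magics, (raw_ok, hashed_ok) in zip(SAMPLES, audit(SAMPLES)):
        print(f"{magics!r}: raw contained={raw_ok}, hashed contained={hashed_ok}")
```

The digest keeps distinct option values mapped to distinct cache files while restricting the component to hex characters, so no separator from the option can reach the path.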