Bump twine from 6.1.0 to 6.2.0 #74

Merged
docktermj merged 2 commits into main from dependabot/pip/twine-6.2.0
Feb 18, 2026

@dependabot dependabot Bot commented on behalf of github Feb 18, 2026

Bumps twine from 6.1.0 to 6.2.0.

Changelog

Sourced from twine's changelog.

twine 6.2.0 (2025-09-04)

Features

  • Automatically refresh short-lived PyPI token in long running Trusted Publishing uploads.

    In the event that a trusted publishing upload job is taking longer than the validity period of a trusted publishing token (15 minutes at the time of this writing), and we are already 10 minutes into that validity period, we will begin to attempt to replace the token on each subsequent request. ([#1246](https://github.com/pypa/twine/issues/1246))

Bugfixes

  • Fix compatibility kludge for invalid License-File metadata entries emitted by build backends to work also with packaging version 24.0. ([#1217](https://github.com/pypa/twine/issues/1217))
  • Fix a couple of incorrectly rendered error messages. ([#1224](https://github.com/pypa/twine/issues/1224))
  • twine now enforces keyring >= 21.2.0, which was previously implicitly required by API usage. ([#1229](https://github.com/pypa/twine/issues/1229))
  • twine now catches configparser.Error to prevent accidental leaks of secret tokens or passwords to the user's console. ([#1240](https://github.com/pypa/twine/issues/1240))

Deprecations and Removals

  • Remove hacks that support --skip-existing for indexes other than PyPI and TestPyPI.

    To date, these hacks continue to accrue and there have been numerous issues with them, not the least of which being that every time we update them, the paid index providers change things to break the compatibility we implement for them. Beyond that, these hacks do not work when text is internationalized in the response from the index provider.

    For a sample of past issues, see:

... (truncated)

Commits
  • 14ceb29 Update changelog for 6.2.0 (#1264)
  • 60e377b build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#1263)
  • 88821f2 feat(package): remove MD5 hashing entirely (#1262)
  • ce5fe53 build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0
  • 6a696ed PEP 639 compliance
  • 9175334 rename 1247.misc.rst to changelog/1247.misc.rst
  • d94a475 fix(tests): update expected error message
  • c1c02d1 Remove --skip-existing support for non-PyPI indices
  • a24d308 Set trusted publishing logging to INFO/WARN (#1247)
  • becf1a8 Fix py3.9 mypy error in __init__ around PackageMetadata
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Resolves #1246
Resolves #1217
Resolves #1224
Resolves #1229
Resolves #1240
Resolves #1251
Resolves #1264
Resolves #1263
Resolves #1262
Resolves #1247
Resolves pypa/twine#1251
Resolves pypa/twine#918
Resolves pypa/twine#856
Resolves pypa/twine#693
Resolves pypa/twine#332

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 18, 2026
@dependabot dependabot Bot requested a review from a team as a code owner February 18, 2026 13:13
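
The changelog entry for #1240 above concerns `configparser.Error` exposing secrets on the console. The following is an added example, not code from twine or from this repository: it shows how the standard library's `ParsingError` message embeds the offending lines of a malformed config, and one way to report the failure without them. The `.pypirc` content, the token value and the function names are constructed for illustration.

```python
import configparser

# Constructed .pypirc content: the password value was pasted onto its own
# line, so configparser sees two lines with no "=" or ":" delimiter.
BROKEN_PYPIRC = """\
[pypi]
username = __token__
password
pypi-CONSTRUCTED-EXAMPLE-TOKEN
"""


def parse_unsafely(text):
    """Return the text a naive caller would print when parsing fails."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text, source=".pypirc")
    except configparser.Error as exc:
        # ParsingError's message includes repr() of every rejected line.
        return str(exc)
    return ""


def parse_safely(text):
    """Return (parser, error). The error text never contains file content."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text, source=".pypirc")
    except configparser.ParsingError as exc:
        # exc.errors holds (line number, line) pairs; report numbers only.
        lines = ", ".join(str(n) for n in sorted({n for n, _ in exc.errors}))
        return None, f"ParsingError in .pypirc at line(s) {lines}"
    except configparser.Error as exc:
        # Other configparser errors: report the type, not the message.
        return None, f"{type(exc).__name__} while reading .pypirc"
    return parser, None


if __name__ == "__main__":
    print("unsafe:", parse_unsafely(BROKEN_PYPIRC))
    print("safe:  ", parse_safely(BROKEN_PYPIRC)[1])
```

The same concern applies to CI logs: a traceback from an unhandled `configparser.Error` ends with the exception message, so it carries the same lines.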
@github-actions

🤖 Claude Code Review

Code Review

PR Summary: Dependency bump — twine from 6.1.0 to 6.2.0 in development-requirements.txt.


Code Quality

  • Style guide: Single-line change in a requirements file; no style concerns.
  • No commented-out code
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic or security issues. twine is a dev-only publish tool; bumping a minor version in development-requirements.txt carries minimal risk. No pinned hash or upper bound concerns for a dev dependency.

Testing

  • Unit/integration tests: No new code paths introduced; no tests required for a dependency version bump.
  • Coverage: N/A

Documentation

  • CHANGELOG.md not updated. Dependency bumps, even for dev dependencies, should be recorded. Check whether the project's CHANGELOG convention includes dev dependency updates.
  • README/API docs: No update needed.
  • Markdown formatting: N/A

Security

  • No hardcoded credentials
  • No sensitive data
  • No license files (.lic) detected
  • twine 6.2.0 — this is a well-maintained PyPI publishing tool. The minor bump is low risk; no known CVEs introduced.

Summary

| Category | Status |
|---|---|
| Code Quality | |
| Testing | |
| Documentation | ❌ CHANGELOG missing |
| Security | |

Verdict: Approve with minor note — add a CHANGELOG entry for the twine version bump if the project tracks dev dependency updates there.

Automated code review analyzing defects and coding standards

Bumps [twine](https://github.com/pypa/twine) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/pypa/twine/releases)
- [Changelog](https://github.com/pypa/twine/blob/main/docs/changelog.rst)
- [Commits](pypa/twine@6.1.0...6.2.0)

---
updated-dependencies:
- dependency-name: twine
  dependency-version: 6.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/pip/twine-6.2.0 branch from a8802db to 77f2cc4 Compare February 18, 2026 14:32
@github-actions

🤖 Claude Code Review

Code Review

PR Summary: Dependency version bump — twine from 6.1.0 to 6.2.0 in development-requirements.txt.


Code Quality

| Item | Notes |
|---|---|
| Style guide | Single-line change, no style concerns |
| No commented-out code | N/A |
| Meaningful variable names | N/A |
| DRY principle | N/A |
| Defects | No logic errors; straightforward version bump |
| Project memory config | N/A |

Testing

| Item | Notes |
|---|---|
| Unit tests | Not required for a dependency bump |
| Integration tests | Not required for a dependency bump |
| Edge cases | N/A |
| Test coverage | N/A |

Documentation

| Item | Notes |
|---|---|
| README | No update needed |
| API docs | No update needed |
| Inline comments | N/A |
| CHANGELOG.md | No CHANGELOG entry for this dependency update. Dependency bumps should typically be recorded, even if minor. |
| Markdown formatting | N/A |

Security

| Item | Notes |
|---|---|
| No hardcoded credentials | N/A |
| Input validation | N/A |
| Error handling | N/A |
| No sensitive data in logs | N/A |
| No license files (.lic) | N/A |
No license files (.lic) N/A

Summary

This is a routine development dependency bump (twine is used for publishing to PyPI and is not a runtime dependency). The change is minimal and low-risk.

One minor finding:

  • CHANGELOG.md — Consider adding an entry for this bump. Many projects track dependency updates in a changelog under an "Unreleased" or "Changed" section for auditability.

Overall: Approved with minor suggestion. The change is safe to merge.

Automated code review analyzing defects and coding standards

@docktermj docktermj self-assigned this Feb 18, 2026
@docktermj docktermj enabled auto-merge (squash) February 18, 2026 14:33
@github-actions

🤖 Claude Code Review

Code Review

PR Summary: Dependency version bump for twine from 6.1.0 to 6.2.0 in development-requirements.txt.


Code Quality

  • Style guide: Single line change, no style concerns.
  • No commented-out code
  • Meaningful variable names: N/A
  • DRY principle: N/A
  • Defects: No logic errors or security concerns introduced. This is a straightforward dev dependency bump.
  • Project memory config: N/A

Testing

  • Unit/integration tests: No new code requiring tests. Dependency bumps are validated by existing test suite passing.
  • Edge cases: N/A
  • ⚠️ Test coverage: Not assessed in this diff — depends on CI pipeline confirming existing tests pass with the new version.

Documentation

  • README: No update needed for a dev dependency bump.
  • API docs: N/A
  • Inline comments: N/A
  • CHANGELOG.md: Not included in this diff. Dependency bumps, even for dev dependencies, should typically be noted in the changelog. Verify whether this project tracks such changes there.
  • Markdown formatting: N/A

Security

  • No hardcoded credentials
  • No sensitive data
  • No license files (.lic) checked in
  • twine 6.2.0: twine is used for publishing packages to PyPI. Bumping it is low risk, but confirm the 6.2.0 release notes introduce no breaking changes for your publish workflow.

Summary

| Category | Status |
|---|---|
| Code Quality | |
| Testing | |
| Documentation | ⚠️ |
| Security | |

Action required: Verify CHANGELOG.md is updated if this project tracks dependency bumps there. Otherwise, this is a clean, minimal change.

Automated code review analyzing defects and coding standards

@docktermj docktermj merged commit f1fc259 into main Feb 18, 2026
17 checks passed
@docktermj docktermj deleted the dependabot/pip/twine-6.2.0 branch February 18, 2026 14:34