build(deps): bump tach from 0.29.0 to 0.32.0

[dependabot]

Bumps tach from 0.29.0 to 0.32.0.

Release notes

Sourced from tach's releases.

v0.32.0

What's Changed

• support python 3.14
• drop support for python 3.7 which has been EOL for 2 years
• remove telemetry
• publish vscode extension to openVSX (see note below about the visual studio marketplace version)
• update upper bounds of the dependencies rich and pydot

Under new management

hello! i'm @​DetachHead and i'll be taking over as the maintainer of tach under the new @​tach-org organization.

some context: a few months ago, the original creators of tach (@​gauge-sh) decided to stop maintaining it and have since handed the project over to myself. see tach-org/tach#791 for more details

i'm super grateful to gauge for creating tach, and for their efforts to support its continued development.

[!NOTE] i don't yet have access to publish the VSCode extension to the visual studio marketplace, so new releases will be published as detachhead.dtach instead of the usual Gauge.tach for the time being.

Full Changelog: tach-org/tach@v0.29.0...v0.32.0

Commits

• 4364cba v0.32.0
• 9339d05 revert accidental rename in the readme
• fe16557 Merge pull request #843 from tach-org/merge-dtach
• 9323156 temporarily publish the vscode extension to detachhead.dtach while i wait t...
• 7372a35 disable auto-initialize in pyo3 (https://github.com/PyO3/maturin-action/iss...
• d3e55f7 update lockfiles
• 652b519 add gnumake pypi package so that makefile tasks can be run on windows
• 520f49c remove telemetry usage from readme as the telemetry has now been completely r...
• acd8b5b sync tach dependencies
• f24ca2e remove telemetry
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​tach@​0.29.0 ⏵ 0.32.0	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): pypi tach is 100.0% likely to have a medium risk anomaly Notes: This Python wrapper script automates installation and execution of a tooling package by: 1. Downloading and piping remote installer scripts into a shell or PowerShell without integrity checks (e.g. curl --proto '=' --tlsv1.2 -LsSf https://github[.]com/astral-sh/uv/releases/download/<UV_VERSION>/uv-installer.sh | sh on Unix, or irm https://github[.]com/astral-sh/uv/releases/download/<UV_VERSION>/uv-installer.ps1 | iex on Windows). 2. Invoking pip install on a package name that can be overridden via the PYPROJECTX_PACKAGE environment variable, allowing arbitrary package installation into a newly created virtual environment. 3. Downloading and extracting a zip archive from https://github[.]com/pyprojectx/pyprojectx/releases/latest/download/wrappers.zip into the local directory, potentially overwriting files. These design choices enable remote-code-execution and arbitrary code installation if the upstream sources or network are compromised or if environment variables are manipulated, posing a medium/high supply-chain risk in hostile environments. Confidence: 1.00 Severity: 0.60 From: poetry.lock → pypi/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report