
build(deps): bump pdm from 2.26.9 to 2.27.0 #48

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/uv/pdm-2.27.0

Conversation

@dependabot dependabot Bot commented on behalf of github May 21, 2026

Bumps pdm from 2.26.9 to 2.27.0.

Release notes

Sourced from pdm's releases.

v2.27.0

Breaking Changes

  • Update the minimum required Python version to 3.10. (#3787)

Features & Improvements

  • Respect existing values of pyproject.toml when running pdm init or pdm new. (#3786)
  • Move project plugin installations from .pdm-plugins under the project root to an isolated cache directory, and add a fixer to migrate existing plugin directories. (#3790)
  • Remove legacy importlib compatibility wrappers and use standard-library importlib.metadata and importlib.resources APIs directly. (#3796)

Bug Fixes

  • Fix a security issue with the installer to disallow installing to paths outside of the scheme directory. (#3787)
  • Refuse to write project-local config and state files (pdm.toml, .pdm-python, .python-version) when the destination is a symlink, preventing an untrusted repository from clobbering files outside the project root. (#3788)
  • Fix a regression issue that PDM_LOCKFILE env var is not respected. (#3794)
  • Allow configuring the default lock --exclude-newer value with strategy.exclude-newer. (#3795)

Changelog

Sourced from pdm's changelog.

Release v2.27.0 (2026-05-21)

Breaking Changes

  • Update the minimum required Python version to 3.10. (#3787)

Features & Improvements

  • Respect existing values of pyproject.toml when running pdm init or pdm new. (#3786)
  • Move project plugin installations from .pdm-plugins under the project root to an isolated cache directory, and add a fixer to migrate existing plugin directories. (#3790)
  • Remove legacy importlib compatibility wrappers and use standard-library importlib.metadata and importlib.resources APIs directly. (#3796)

Bug Fixes

  • Fix a security issue with the installer to disallow installing to paths outside of the scheme directory. (#3787)
  • Refuse to write project-local config and state files (pdm.toml, .pdm-python, .python-version) when the destination is a symlink, preventing an untrusted repository from clobbering files outside the project root. (#3788)
  • Fix a regression issue that PDM_LOCKFILE env var is not respected. (#3794)
  • Allow configuring the default lock --exclude-newer value with strategy.exclude-newer. (#3795)

Commits
  • 09c95b7 chore: Release 2.27.0
  • 5397cc9 fix: Use an existing pyproject.toml with PDM (#3797)
  • bdf8b5c feat: upgrade the usage and imports to py310+ (#3796)
  • fecb9aa feat: add configuration option for default lock --exclude-newer value (#3795)
  • c697a28 fix: use_uv with editable package and dynamic version failing.
  • c59b734 fix: correct capitalization in completion descriptions for config-setting option
  • 01c4265 fix: PDM_LOCKFILE ignored issue.
  • 16bab5c fix: update plugin installation path to use project_plugins_dir (#3790)
  • 2cf992e Merge commit from fork
  • 41aa5f9 feat: update the minimum python version to 3.10 (#3787)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pdm](https://github.com/pdm-project/pdm) from 2.26.9 to 2.27.0.
- [Release notes](https://github.com/pdm-project/pdm/releases)
- [Changelog](https://github.com/pdm-project/pdm/blob/main/CHANGELOG.md)
- [Commits](pdm-project/pdm@2.26.9...2.27.0)

---
updated-dependencies:
- dependency-name: pdm
  dependency-version: 2.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) May 21, 2026
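
The two path-handling fixes listed under Bug Fixes (refusing to write project-local files through a symlink, and keeping installer targets inside the scheme directory) can be illustrated as follows. This is an added example, not PDM's code; `write_project_file`, `resolve_in_scheme` and `UnsafePathError` are hypothetical names, and only the three file names come from the release notes.

```python
import os
from pathlib import Path

# File names taken from the release notes; everything else here is illustrative.
LOCAL_FILES = ("pdm.toml", ".pdm-python", ".python-version")


class UnsafePathError(Exception):
    """Raised when a write would land outside the directory it belongs to."""


def write_project_file(project_root, name, text):
    """Write a project-local file, refusing if the destination is a symlink."""
    if name not in LOCAL_FILES:
        raise UnsafePathError(f"{name!r} is not a project-local file")
    dest = Path(project_root) / name
    # is_symlink() uses lstat, so it is true even for a dangling link that a
    # checked-out repository points at a file outside the project root.
    if dest.is_symlink():
        raise UnsafePathError(f"{dest} is a symlink; refusing to write")
    # On POSIX, O_NOFOLLOW makes the open fail (OSError) if a link is swapped
    # in between the check above and the open below.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return dest


def resolve_in_scheme(scheme_dir, relative_path):
    """Return the install target, rejecting anything outside scheme_dir."""
    base = Path(scheme_dir).resolve()
    # Joining with an absolute path replaces the base; resolve() collapses
    # ".." segments and follows links, so all three escapes end up compared.
    target = (base / relative_path).resolve()
    if os.path.commonpath([base, target]) != str(base):
        raise UnsafePathError(f"{relative_path!r} escapes {base}")
    return target
```

When reviewing a bump like this one, the same two checks are what to look for in any tool that writes into a checked-out, untrusted repository or unpacks archive entries by their recorded path.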