
chore(deps): update bcrypt requirement from <5.0.0,>=4.0.0 to >=4.0.0,<6.0.0#30

Merged
Hidden-History merged 1 commit into main from dependabot/pip/bcrypt-gte-4.0.0-and-lt-6.0.0
Feb 25, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Feb 10, 2026

Updates the requirements on bcrypt to permit the latest version.

Changelog

Sourced from bcrypt's changelog.

5.0.0

  • Bumped MSRV to 1.74.
  • Added support for Python 3.14 and free-threaded Python 3.14.
  • Added support for Windows on ARM.
  • Passing hashpw a password longer than 72 bytes now raises a ValueError. Previously the password was silently truncated, following the behavior of the original OpenBSD bcrypt implementation.

4.3.0

  • Dropped support for Python 3.7.
  • We now support free-threaded Python 3.13.
  • We now support PyPy 3.11.
  • We now publish wheels for free-threaded Python 3.13, for PyPy 3.11 on manylinux, and for ARMv7l on manylinux.

4.2.1

  • Bump Rust dependency versions - this should resolve crashes on Python 3.13 free-threaded builds.
  • We no longer build manylinux wheels for PyPy 3.9.

4.2.0

  • Bump Rust dependency versions
  • Removed the BCRYPT_ALLOW_RUST_163 environment variable.

4.1.3

  • Bump Rust dependency versions

4.1.2

  • Publish both py37 and py39 wheels. This should resolve some errors relating to initializing a module multiple times per process.

4.1.1

  • Fixed the type signature on the kdf method.
  • Fixed packaging bug on Windows.
  • Fixed incompatibility with passlib package detection assumptions.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 10, 2026
@dependabot dependabot bot requested a review from Hidden-History as a code owner February 10, 2026 02:03
@Hidden-History
Owner

@claude Review these two Dependabot PRs on the ai-memory repository for breaking changes and compatibility issues.

PR #29: pip-minor-patch group update

  • anthropic: 0.77.0 → 0.79.0
  • tenacity (retry library)
  • ruff (linter)
  • fastapi

PR #30: bcrypt version constraint change

  • bcrypt: <5.0.0,>=4.0.0 → >=4.0.0,<6.0.0 (allows major version 5.x)

For each PR:

  1. Check the changelog/release notes for each package:

  2. For each package, answer:

    • Are there breaking API changes?
    • Are there deprecation warnings we should address?
    • Is the update safe for our usage?
  3. Our specific usage (check for compatibility):

    • anthropic: Used in src/memory/sdk_wrapper.py for AsyncSDKWrapper — calls client.messages.create()
    • bcrypt: Used ONLY in docker/prometheus/web.yml for generating bcrypt password hashes — we call bcrypt.hashpw()
      and bcrypt.gensalt()
    • tenacity: Used in src/memory/sdk_wrapper.py for @retry decorator with exponential backoff
    • ruff: Dev dependency only (linting) — low risk
    • fastapi: Used in src/memory/monitoring_api.py for the monitoring API server
  4. Provide a recommendation: SAFE TO MERGE, MERGE WITH CAUTION, or DO NOT MERGE for each PR.

@github-actions

🤖 AI Analysis (Ollama kimi-k2.5:cloud)

Code Review: Dependabot PRs #29 and #30

PR #30: bcrypt version constraint change (allow 5.x)

⚠️ Critical Breaking Change Identified

bcrypt 5.0.0 introduces a breaking behavioral change in hashpw():

"Passing hashpw a password longer than 72 bytes now raises a ValueError. Previously the password was silently truncated, following the behavior of the original OpenBSD bcrypt implementation."

Compatibility Analysis

Your Usage Pattern:

  • Location: Prometheus monitoring authentication
  • Methods: bcrypt.hashpw() and bcrypt.gensalt()
  • Context: Generating password hashes for basic auth

Risk Assessment:

  • HIGH RISK if your codebase:

    • Accepts user-configured passwords of arbitrary length (>72 bytes)
    • Uses passphrases or long generated secrets without length validation
    • Relies on the silent truncation behavior (legacy compatibility)
  • LOW RISK if your codebase:

    • Enforces password length limits <72 bytes before hashing
    • Uses short, fixed-length system-generated tokens (e.g., 16-32 character random strings)

Additional Changes (Low Impact)

  • MSRV 1.74: Only affects building from source (Rust dependency)
  • Python 3.14 support: Forward-compatible addition
  • Windows ARM support: Platform expansion (no breaking changes)

Recommendation: MERGE WITH CAUTION

Required Pre-Merge Actions:

  1. Verify password length validation in your Prometheus auth setup:
    # Ensure existing code validates length before calling bcrypt
    if len(password.encode('utf-8')) > 72:
        raise ValueError("Password exceeds 72 bytes")
  2. Check configuration: If Prometheus passwords are configurable by users via env vars/config files, ensure documentation specifies the 72-byte limit or add pre-validation.
  3. Test migration: If currently truncating long passwords, migrating to 5.x will cause immediate failures for those passwords.

PR #29: pip-minor-patch group update

Note: Specific changelogs not provided in context; analysis based on versioning semantics and package stability.

anthropic: 0.77.0 → 0.79.0

Risk Level: Medium-High (0.x instability)

Considerations:

  • 0.x SDKs do not guarantee backward compatibility
  • Recent 0.7x releases often include:
    • New model support (Claude 3.5 Sonnet variants, Claude 3.7)
    • Beta API changes (message batches, tool use improvements)
    • Deprecation of legacy model string identifiers

Specific Concerns for ai-memory:

  • Check if you use client.messages.create() with specific model names that might be deprecated
  • Verify tool_use / function_calling patterns if using agent features
  • Breaking potential: Anthropic occasionally changes token counting APIs or streaming response formats

Recommendation: MERGE WITH CAUTION

  • Test conversation capture flows end-to-end
  • Verify no DeprecationWarning in logs regarding model names

tenacity: (retry library)

Risk Level: Low

Stability: Very stable library, widely used across Python ecosystem.

  • Minor/patch updates typically add new retry strategies or bug fixes
  • Decorator API (@retry) is stable since v4.x

Recommendation: SAFE TO MERGE

ruff: (linter)

Risk Level: Very Low

Considerations:

  • Dev dependency only (production code unaffected)
  • New versions may introduce additional lint rules that could fail CI
  • May require ruff --fix or configuration updates for new rules

Recommendation: SAFE TO MERGE (after CI passes or rules are configured)

fastapi: (monitoring API server)

Risk Level: Medium (depends on version jump)

Considerations:

  • If patch (e.g., 0.111.0 → 0.111.1): Safe (bug fixes)
  • If minor (e.g., 0.110.x → 0.111.x): Caution (FastAPI 0.x occasionally introduces Pydantic v2 compatibility changes or dependency injection changes)

Check for:

  • Pydantic model validation changes in your monitoring endpoints
  • Starlette dependency updates (FastAPI depends on Starlette)
  • Lifespan event handler changes

Recommendation: MERGE WITH CAUTION (verify monitoring API health checks pass)


Summary Table

| Package | PR | Risk | Verdict |
|---|---|---|---|
| bcrypt | #30 | High (behavioral breaking change) | MERGE WITH CAUTION - Verify <72 byte password constraint |
| anthropic | #29 | Medium | MERGE WITH CAUTION - Test conversation capture |
| fastapi | #29 | Medium | MERGE WITH CAUTION - Verify monitoring endpoints |
| tenacity | #29 | Low | SAFE TO MERGE |
| ruff | #29 | Very Low | SAFE TO MERGE (dev-only) |

Priority Action: For PR #30, audit the Prometheus password generation/validation logic to ensure it enforces the 72-byte limit before hashing, or implement pre-validation before upgrading to bcrypt 5.x.


Triggered by @Hidden-History
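An added example (not code from the ai-memory repository or the review above) of the pre-validation the review recommends for the bcrypt 4.x to 5.x change: it enforces the 72-byte limit on the UTF-8 encoding rather than on character count, so a short passphrase of multibyte characters is still caught, and it flags configured passwords that would have hashed identically under the pre-5.0 silent truncation. It assumes the `bcrypt` package may or may not be installed; the sample passwords in the test are constructed.

```python
"""Pre-validate passwords for bcrypt so behaviour is identical on 4.x and 5.x.

Added example, not part of the ai-memory repository. bcrypt < 5.0 silently
truncates input at 72 bytes; bcrypt >= 5.0 raises ValueError instead.
Enforcing the limit ourselves gives one predictable failure mode on both.
"""
from __future__ import annotations

try:
    import bcrypt  # third-party; optional so the checks below run without it
except ImportError:
    bcrypt = None

BCRYPT_MAX_BYTES = 72


def password_bytes(password: str) -> bytes:
    """Encode a password and enforce bcrypt's 72-byte input limit.

    The limit applies to the UTF-8 encoding, not to the character count,
    so a short passphrase made of multibyte characters can still exceed it.
    """
    raw = password.encode("utf-8")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise ValueError(
            f"password is {len(raw)} bytes; bcrypt accepts at most "
            f"{BCRYPT_MAX_BYTES}"
        )
    return raw


def truncation_collisions(passwords: dict[str, str]) -> list[tuple[str, str]]:
    """Find user pairs whose passwords share their first 72 bytes.

    Under bcrypt < 5.0 such passwords hash identically, so either one
    authenticates as the other; under 5.0 they fail at hash time instead.
    """
    seen: dict[bytes, str] = {}
    pairs: list[tuple[str, str]] = []
    for user, pw in passwords.items():
        prefix = pw.encode("utf-8")[:BCRYPT_MAX_BYTES]
        if prefix in seen:
            pairs.append((seen[prefix], user))
        else:
            seen[prefix] = user
    return pairs


def hash_password(password: str, rounds: int = 12) -> str:
    """Hash a validated password for a Prometheus web.yml basic_auth_users entry."""
    if bcrypt is None:
        raise RuntimeError("bcrypt is not installed")
    return bcrypt.hashpw(password_bytes(password), bcrypt.gensalt(rounds)).decode()
```

Run `truncation_collisions` over the users configured for Prometheus basic auth before upgrading: any pair it reports was already a shared credential under 4.x and will fail outright under 5.x.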

@dependabot dependabot bot force-pushed the dependabot/pip/bcrypt-gte-4.0.0-and-lt-6.0.0 branch from 8e192e5 to b5ac874 Compare February 10, 2026 06:53
@dependabot dependabot bot force-pushed the dependabot/pip/bcrypt-gte-4.0.0-and-lt-6.0.0 branch 3 times, most recently from f60a414 to 978a155 Compare February 25, 2026 03:21
@Hidden-History
Owner

@dependabot rebase

Updates the requirements on [bcrypt](https://github.com/pyca/bcrypt) to permit the latest version.
- [Changelog](https://github.com/pyca/bcrypt/blob/main/CHANGELOG.rst)
- [Commits](pyca/bcrypt@4.0.0...5.0.0)

---
updated-dependencies:
- dependency-name: bcrypt
  dependency-version: 5.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/bcrypt-gte-4.0.0-and-lt-6.0.0 branch from 978a155 to e642c4f Compare February 25, 2026 04:00
@Hidden-History Hidden-History merged commit e643724 into main Feb 25, 2026
12 checks passed
@dependabot dependabot bot deleted the dependabot/pip/bcrypt-gte-4.0.0-and-lt-6.0.0 branch February 25, 2026 07:42