deps-dev(deps-dev): bump the python-development group across 1 directory with 3 updates #64
Closed
dependabot[bot] wants to merge 1 commit into
Owner:
@dependabot recreate
…ory with 3 updates

Updates the requirements on [mypy](https://github.com/python/mypy), [respx](https://github.com/lundberg/respx) and [ruff](https://github.com/astral-sh/ruff) to permit the latest version.

Updates `mypy` to 2.1.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.20.2...v2.1.0)

Updates `respx` to 0.23.1
- [Release notes](https://github.com/lundberg/respx/releases)
- [Changelog](https://github.com/lundberg/respx/blob/master/CHANGELOG.md)
- [Commits](lundberg/respx@0.21.1...0.23.1)

Updates `ruff` to 0.15.13
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.15.12...0.15.13)

---
updated-dependencies:
- dependency-name: mypy
  dependency-version: 2.1.0
  dependency-type: direct:development
  dependency-group: python-development
- dependency-name: respx
  dependency-version: 0.23.1
  dependency-type: direct:development
  dependency-group: python-development
- dependency-name: ruff
  dependency-version: 0.15.13
  dependency-type: direct:development
  dependency-group: python-development
...

Signed-off-by: dependabot[bot] <support@github.com>
9dd16cf to
ce7dc06
This was referenced May 20, 2026
SimplicityGuy added a commit that referenced this pull request May 20, 2026

…upgrades (#70)

Merge both open Dependabot dependency PRs into one branch, including the major-version bumps, and resolve breaking changes.

Production (from #69):
- cryptography 46 -> 48 (major; <49 cap retained)
- litellm 1.83.14 -> 1.85.0 (cap raised to <1.86.0; clears the 1.82.7/1.82.8 supply-chain incident, pip-audit clean)
- tenacity 8 -> 9 (major)
- watchdog 4 -> 6 (major)
- lxml 6.1.0->6.1.1, numpy 2.4.4->2.4.6, pydantic-settings 2.14.0->2.14.1, python-multipart 0.0.27->0.0.29, sse-starlette 3.4.1->3.4.4, uvicorn 0.46.0->0.47.0

Development (from #64):
- mypy 1 -> 2 (major), respx 0.21.1->0.23.1, ruff 0.15.12->0.15.13

Held back: essentia-tensorflow stays at 2.1b6.dev1389. Dependabot's proposed dev1438 ships only cp314 (Python 3.14) wheels and has no cp313 wheel, so it is uninstallable under requires-python ">=3.13,<3.14". uv correctly refuses it; revisit alongside the Python 3.14 bump (PR #1).

Verification: ruff, mypy 2.1.0, 886 non-integration tests, all 17 pre-commit hooks, and pip-audit all pass.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor, Author:
Looks like these dependencies are no longer updatable, so this is no longer needed.
SimplicityGuy added a commit that referenced this pull request May 20, 2026

…pinning, pre-commit + Docker hygiene (#71)

* feat(scripts): sync dependency floors and flag capped deps in update-project.sh

  `update-project.sh` ran `uv lock --upgrade` + `uv sync`, which refreshes uv.lock within the existing `>=` floors but never raises the floors in pyproject.toml. That left the declared minimums lagging behind what was actually locked and pushed the floor bumps onto Dependabot, and it silently ignored capped deps whose newer releases sit beyond a `,<X` ceiling.

  Two new steps close both gaps:
  - sync_dependency_floors: after lock+sync, raises each `>=` floor to the version pinned in uv.lock (caps, extras, and environment markers preserved), then re-locks so uv.lock's recorded requirement metadata matches. Respects --dry-run (reports proposed bumps without writing).
  - flag_capped_dependencies: warns when a `,<X`-capped dependency has a release available at or beyond the cap (cross-references `uv pip list --outdated`), since uv cannot cross a cap on its own.

  Both are implemented as inline `uv run python` heredocs (consistent with the existing inline awk; keeps scripts/ free of a tracked .py that would pull in strict mypy + ruff T201).

  Validated against the current tree: floor-sync proposes exactly the 12 bumps from #64+#69 (litellm and essentia correctly skipped), and the cap-flag fires on litellm 1.85.0 beyond <1.84.0. shellcheck and pre-commit clean.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(scripts): align update-project.sh with discogsography reference + SHA-pin uv

  Bring phaze's update-project.sh in line with the discogsography reference script (the project's canonical CI/tooling pattern) while keeping phaze's floor-sync + cap-flag additions.

  Ported discogsography structure (adapted to phaze: Python + 2 services, no Rust/Node):
  - main() wrapper + `trap ERR handle_error` with backup-restore guidance
  - per-file backup_file() into .backups/project-updates-<ts>/
  - capture_package_changes(): diff uv.lock before/after for the summary
  - rich generate_summary() (package/file/security sections + next steps)
  - verify_components() and show_verification_steps()
  - robust update_python_version() (root+service pyproject incl. the ">=X,<Y" range form, mypy python_version, ruff target-version, PYTHON_VERSION in workflows, python:X-slim in Dockerfiles)
  - real update_uv_version(): pins the uv binary to the latest release in Dockerfiles and SHA-pins astral-sh/setup-uv (with a `# vX.Y` comment)
  - --help|-h; require curl + jq

  SHA-pin uv tooling now (was floating), matching discogsography:
  - Dockerfiles: ghcr.io/astral-sh/uv:latest -> :0.11.15 (root + 2 services)
  - workflows: astral-sh/setup-uv@v7 -> @08807647… # v8.1.0 (3 workflows)

  Kept phaze-only: sync_dependency_floors, flag_capped_dependencies, update_service_packages (SERVICE_DIRS), and the pip-audit/osv sweeps.

  Fixed a set -e foot-gun: run_tests early-return now uses explicit `return 0` (a trailing `[[ … ]] &&` was propagating exit 1).

  Validated: shellcheck clean, `--dry-run` exits 0 and exercises every section (uv 0.11.15 / setup-uv v8.1.0 lookups, 12 floor bumps detected), pre-commit clean on all changed files.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(scripts): add Node.js dependency updates for reference symmetry

  Both update-project.sh variants should cover the same ground (Python packages, pre-commit, Node package.json/package-lock.json). phaze is currently CDN-based (HTMX/Tailwind, no Node build), so update_node_packages auto-detects any package.json (maxdepth 2, skipping vendored dirs) and no-ops with a clear message when none exists — keeping the script symmetric with discogsography and ready if a frontend is added later.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: Docker dependency coverage, full action SHA-pinning, pre-commit alignment

  Round out the discogsography alignment for the update-project tooling and CI/pre-commit hygiene.

  update-project.sh:
  - add update_docker_images(): surfaces every Docker dependency (FROM base images incl. eclipse-temurin, the uv image, and docker-compose service images like postgres/redis) so nothing is missed; notes which are Dependabot-managed vs distro-managed (apt)
  - formatted with shfmt (matches the new pre-commit shfmt hook)

  GitHub Actions — SHA-pin ALL actions with a `# vX.Y.Z` comment (were floating major tags): actions/checkout, setup-python, cache; docker/ login, metadata, setup-buildx, build-push; codecov, trufflehog, trivy, codeql-action, osv-scanner. (setup-uv/setup-just/ghcr-cleanup/hadolint were already pinned.)

  Dockerfiles — add `# hadolint ignore=DL3008` to the apt-get install lines in the audfprint/panako services (intentional: pin-free distro packages).

  .pre-commit-config.yaml — follow applicable discogsography patterns:
  - add hadolint hook (runs locally + in CI, not just docker-validate)
  - add shfmt (shell formatting), check-executables-have-shebangs, check-shebang-scripts-are-executable, detect-aws-credentials, detect-private-key, pretty-format-json (generated dirs excluded), check-yaml --unsafe
  - add `# frozen: vX.Y.Z` comments to every hook rev
  - omit docker-compose-check (phaze compose needs runtime secrets that the lint context can't interpolate) and the Rust/mdformat hooks (N/A)

  All 23 pre-commit hooks pass; shellcheck clean; --dry-run exits 0.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: install hadolint in code-quality job (fixes pre-commit run)

  The new hadolint pre-commit hook needs the hadolint binary on PATH, which the code-quality runner lacks ("Executable hadolint not found"). Install it via alexellis/arkade-get before running pre-commit — the same pattern discogsography uses in its code-quality workflow.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): restore literal emoji in docker-publish workflow + cache action

  These two files had every emoji written as a YAML `\U0001F500`-style escape (pre-existing on main) — almost certainly from a prior YAML round-trip with allow_unicode=False. In `name:` flow scalars YAML decodes the escape so the GitHub UI still renders it, but inside `run: |` block scalars YAML does NOT process escapes, so bash echoed the literal `\U0001F4CA` text into the CI logs. Convert all 24 \U/\u escapes back to literal emoji for readable source and correct log output. YAML/actionlint/check-jsonschema all pass.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
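The floor-sync and cap-flag steps described in the commit message above can be sketched as follows. This is an added example, not the heredoc from `update-project.sh`: the function names, the regex, the simplified numeric version comparison (a real script would more likely use `packaging.version`) and the sample requirement data are all assumptions made for illustration.

```python
import re

# Simple shape only: name[extras]>=floor[,<cap][; marker]
REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+)(?P<extras>\[[^\]]*\])?\s*>=\s*(?P<floor>[0-9][\w.]*)"
    r"(?:\s*,\s*<\s*(?P<cap>[0-9][\w.]*))?(?P<marker>\s*;.*)?$"
)

def norm(name):
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' look up the same key."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vkey(version):
    """Leading numeric release as a tuple, trailing zeros dropped (1.84.0 == 1.84)."""
    nums = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def sync_floor(req, locked):
    """Raise the >= floor to the locked version; keep extras, cap and marker."""
    m = REQ.match(req.strip())
    pin = locked.get(norm(m.group("name"))) if m else None
    if pin is None or not re.fullmatch(r"\d+(\.\d+)*", pin):
        return req                      # unparsed, unlocked, or pre-release pin
    cap = m.group("cap")
    if vkey(pin) <= vkey(m.group("floor")) or (cap and vkey(pin) >= vkey(cap)):
        return req                      # nothing to raise, or lock contradicts the cap
    tail = (f",<{cap}" if cap else "") + (m.group("marker") or "")
    return f"{m.group('name')}{m.group('extras') or ''}>={pin}{tail}"

def capped_behind(req, latest):
    """Return (name, cap, newest) when a release at or beyond the cap exists."""
    m = REQ.match(req.strip())
    newest = latest.get(norm(m.group("name"))) if m and m.group("cap") else None
    if newest and vkey(newest) >= vkey(m.group("cap")):
        return (m.group("name"), m.group("cap"), newest)
    return None

# Constructed sample data (shapes follow the versions quoted in the commit message).
LOCKED = {"uvicorn": "0.47.0", "cryptography": "48.0.0", "litellm": "1.83.14",
          "essentia-tensorflow": "2.1b6.dev1389"}
LATEST = {"litellm": "1.85.0", "cryptography": "48.0.0"}
```

A capped dependency that the lock cannot move is exactly the case a reviewer needs surfaced, because a security fix released beyond the cap will never arrive through `uv lock --upgrade` alone.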
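The "SHA-pin ALL actions with a `# vX.Y.Z` comment" convention from the commit message above can be enforced with a small audit over workflow text. This is an added example, not code from the repository: the function name, the regexes and the sample workflow are assumptions, and the 40-hex value is a constructed placeholder rather than a real commit.

```python
import re

# A step's `uses:` line, with an optional trailing `# comment`.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?:#\s*(?P<note>.*))?$""")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
VERSION_NOTE = re.compile(r"v\d+(\.\d+)*\b")

def audit_workflow(text):
    """Return (line, action, rev, problem) for every `uses:` that is not
    pinned to a full commit SHA carrying a version comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue  # local actions and image refs are out of scope here
        action, _, rev = ref.partition("@")
        if not FULL_SHA.fullmatch(rev):
            findings.append((lineno, action, rev or "(none)",
                             "floating ref, not a 40-hex commit SHA"))
        elif not VERSION_NOTE.match(m.group("note") or ""):
            findings.append((lineno, action, rev,
                             "SHA pin has no '# vX.Y.Z' comment"))
    return findings

PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit
# Constructed sample workflow; the local action path is hypothetical.
SAMPLE = f"""\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: astral-sh/setup-uv@v7
      - uses: astral-sh/setup-uv@{PLACEHOLDER_SHA} # v8.1.0
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: ./.github/actions/cache
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep=": ")
```

Run in CI over `.github/workflows/*.yml`, a non-empty result means a tag can still be moved underneath the workflow or a pin has lost the comment that lets a reviewer tell which release it corresponds to.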
Updates the requirements on mypy, respx and ruff to permit the latest version.

Updates `mypy` to 2.1.0

Changelog
Sourced from mypy's changelog.
... (truncated)

Commits
- `c1c336d` Remove +dev from version
- `74df14b` Add changelog for mypy 2.1 (#21464)
- `022d9bc` Revert "TypeForm: Enable by default (#21262)"
- `8826288` [mypyc] Document librt.random (#21463)
- `3f4067b` Bump librt version to 0.11.0 (#21458)
- `2b1eb58` [mypyc] Enable incremental self-compilation (#21369)
- `8152f4a` Respect file config comments for stale modules (#21444)
- `116d60b` Fix nondeterminism from nonassociativity of overload joins (#21455)
- `6c4af8e` Fix function call message change for small number of args (#21432)
- `4b8fdca` [mypyc] Add librt.random module (#21433)

Updates `respx` to 0.23.1

Release notes
Sourced from respx's releases.

Changelog
Sourced from respx's changelog.
... (truncated)

Commits
- `fc8b43b` Release `0.23.1`
- `1da5d2f` Strict detection of `ANY` in multi items patterns (#313)
- `6f1bf70` Bump checkout and python actions (#310)
- `62aaeab` Release `0.23.0`
- `d8edf3d` Adjust badges
- `b3a193d` Add downloads badge to docs
- `9961e9b` Handle multiple routes using `MuitiItems` pattern with `ANY` (#289)
- `e51c2a6` Update Route.respond json type hint to Any to match HTTPX (#284)
- `a499260` Bump less-action/reusables from 8 to 10 (#282)
- `7b44b51` Update nix flake and mypy target (#306)

Updates `ruff` to 0.15.13

Release notes
Sourced from ruff's releases.
... (truncated)

Changelog
Sourced from ruff's changelog.
... (truncated)

Commits
- `2afb467` Bump 0.15.13 (#25157)
- `3008796` [ty] classify TypeVar semantic tokens as type parameters (#24891)
- `79470e3` [isort] Avoid constructing `glob::Pattern`s for literal known modules (#25123)
- `2522549` Remove shellcheck from prek (#25154)
- `7db7170` [ty] Support TypedDict key completions in incomplete, anonymous contexts (#25...
- `bb3dd53` [ty] Run full iteration analysis on narrowed typevars (#25143)
- `828cdb7` [ty] Isolate file-watching test environment (#25151)
- `89e1d86` [ty] Preserve TypedDict keys through dict unpacking (#24523)
- `86f3064` [ty] Avoid accessing `args[0]` for `static_assert` (#25149)
- `ed819f9` [ty] Treat custom enum `__new__` values as dynamic (#25136)