deps: consolidate #64 + #69 dependency upgrades (incl. major bumps)#70
Merged
…upgrades

Merge both open Dependabot dependency PRs into one branch, including the major-version bumps, and resolve breaking changes.

Production (from #69):
- cryptography 46 -> 48 (major; <49 cap retained)
- litellm 1.83.14 -> 1.85.0 (cap raised to <1.86.0; clears the 1.82.7/1.82.8 supply-chain incident, pip-audit clean)
- tenacity 8 -> 9 (major)
- watchdog 4 -> 6 (major)
- lxml 6.1.0->6.1.1, numpy 2.4.4->2.4.6, pydantic-settings 2.14.0->2.14.1, python-multipart 0.0.27->0.0.29, sse-starlette 3.4.1->3.4.4, uvicorn 0.46.0->0.47.0

Development (from #64):
- mypy 1 -> 2 (major), respx 0.21.1->0.23.1, ruff 0.15.12->0.15.13

Held back: essentia-tensorflow stays at 2.1b6.dev1389. Dependabot's proposed dev1438 ships only cp314 (Python 3.14) wheels and has no cp313 wheel, so it is uninstallable under requires-python ">=3.13,<3.14". uv correctly refuses it; revisit alongside the Python 3.14 bump (PR #1).

Verification: ruff, mypy 2.1.0, 886 non-integration tests, all 17 pre-commit hooks, and pip-audit all pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Consolidates the two open Dependabot dependency PRs into a single branch and resolves the breaking changes, per request.

Supersedes #64 (python-development) and #69 (python-production).

Production deps (from #69)

- cryptography 46 → 48 (major): `<49` cap retained. We only generate self-signed certs in `cert_bootstrap.py`; the 48.0 X.509 CRL-parsing change does not affect us.
- litellm 1.83.14 → 1.85.0: cap raised to `<1.86.0`. Clears the 1.82.7/1.82.8 supply-chain incident; pip-audit clean.
- tenacity 8 → 9 (major): `AsyncRetrying`/`wait_exponential_jitter` API unchanged.
- watchdog 4 → 6 (major): `FileSystemEventHandler`/`Observer` API unchanged.

Dev deps (from #64)

- mypy 1 → 2 (major): `uv run mypy .` clean, no config changes needed.

Held back: essentia-tensorflow

Dependabot #69 proposed `essentia-tensorflow` dev1389 → dev1438, but dev1438 ships only `cp314` (Python 3.14) wheels — there is no `cp313` wheel. The project pins `requires-python = ">=3.13,<3.14"`, so dev1438 is uninstallable here and `uv` refuses to resolve it. Kept at dev1389; revisit alongside the Python 3.14 bump (#1).

Why the lockfile barely changed

`uv.lock` already contained nearly every target version (mypy 2.1.0, tenacity 9.1.4, watchdog 6.0.0, cryptography 48.0.0, numpy 2.4.6, …) because `scripts/update-project.sh` keeps the lockfile fresh within existing constraints. The only lockfile movement here is litellm 1.83.14 → 1.85.0 plus its transitive deps (openai, pydantic 2.12.5 → 2.13.4, tiktoken, tokenizers, typer, click), unlocked by raising the litellm cap.

Verification

ruff, mypy 2.1.0, 886 non-integration tests, all 17 pre-commit hooks, and pip-audit all pass.

🤖 Generated with Claude Code