UN-3449 [FIX] Refresh root uv.lock — fix malformed banks entry #1945
The root uv.lock had a malformed banks entry that prevented uv from
parsing it:
error: Failed to parse `uv.lock`
Caused by: The entry for package `banks` v2.4.1 has wheel
`banks-2.2.0-py3-none-any.whl` with inconsistent version: v2.2.0
The version field claimed v2.4.1 but the sdist/wheel filenames were
both v2.2.0. The PyPI upload-time on the wheel matches banks 2.2.0's
release date, so the artifacts really are 2.2.0 — most likely a
manual edit or a partial-write bug in an older uv version.
banks is a transitive dependency pulled in by llama-index-core v0.14.16
(LlamaIndex's prompt-templating library). Unstract code does not import
banks directly.
Fix: regenerate via `rm uv.lock && uv lock`. After regen, banks resolves
to v2.4.2 with consistent artifacts.
Why 1,557 lines change: the auto-update workflow has been broken since
2026-04-01 (now fixed in UN-3448 / PR #1941), so the root lock has been
5 weeks stale. `uv lock` re-resolves everything against current PyPI,
picking up minor/patch bumps the workflow would have applied over those
5 weeks. So the diff is:
- banks 2.4.1 → 2.4.2 (the actual fix)
- ~271 other packages with incidental drift (what the workflow would
have done anyway)
Surgical hand-editing was considered and rejected — fragile, and a
future pyproject.toml-touching PR would trigger this same refresh
once the workflow runs again.
Verified: `uv lock --check` exits 0 (Resolved 272 packages in 3ms).
Unblocks the `Update UV lock in all directories` check on PR #1940
and any future PRs that touch a pyproject.toml.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
8c56d6a into misc/UN-3447-MISC_expand_workers_coverage_scope



What
`uv.lock` cleanly to fix a malformed `banks` package entry.
Why
The root `uv.lock` had a malformed `banks` entry that prevented `uv` from parsing it:
The version field claimed `2.4.1` but the sdist/wheel filenames were both `2.2.0`. The PyPI upload-time on the wheel matches banks 2.2.0's release date — so the artifacts really are 2.2.0, most likely a manual edit or a partial-write bug in an older `uv` version.
`banks` is a transitive dependency pulled in by `llama-index-core v0.14.16` (LlamaIndex's prompt-templating library). Unstract code does not import `banks` directly.
This was surfaced by UN-3448 (the workflow `uv pip install` removal): once the auto-update workflow stopped failing at the setup step, it reached the actual lock-generation step and surfaced the parse error. Currently blocking the `Update UV lock in all directories` check on PR #1940.
Reference: UN-3449.
How
```
cd /
rm uv.lock
uv lock
```
After regen, `banks` resolves cleanly to `v2.4.2` (current latest) with consistent artifacts (sdist + wheel filenames match the version field).
Important — this is NOT a surgical fix
The diff is 1,587 lines (772 insertions, 815 deletions) because the lock has been 5 weeks stale. The auto-update workflow has been broken since 2026-04-01, so `uv lock` re-resolves everything against current PyPI and picks up any minor/patch bumps that happened in the meantime. So the diff is:
- `banks 2.4.1 → 2.4.2` (consistent artifacts)
Surgical hand-editing of just the `banks` block was considered and rejected:
- `pyproject.toml` would trigger the same wholesale refresh once the workflow runs again, so we'd just be deferring the diff.
Reviewers: don't audit each version bump line-by-line — the bumps are what `uv` chose against current PyPI from the unchanged dependency constraints in `pyproject.toml`. No deps were added/removed/version-bumped in `pyproject.toml`. If a specific package's bump is concerning, that's a separate conversation about pinning that package upstream.
Security audit
Verified via OSV.dev batch query of all 271 packages in the lock:
Of the 13 advisory-having packages, 12 are pinned at the same version as `main` (pre-existing). The single advisory-having package that changed is `protobuf 4.25.8 → 4.25.9`, but `GHSA-7gcm-g887-7qv7` applies to both versions equally — no net security change.
This PR is security-neutral. Pre-existing vulnerabilities in `django 4.2.1`, `requests 2.31.0`, `urllib3 1.26.20`, `litellm 1.82.3`, etc. are out of scope and need their own dedicated upgrade PRs (each requires constraint changes in `pyproject.toml`, which `uv lock` can't do automatically).
Can this PR break any existing features. If yes, please list possible items. If no, please explain why.
Possible — large lock-file diffs can introduce subtle behaviour changes if a transitive dependency had a regression in a patch/minor release. Mitigations:
- `[project].dependencies` or `[dependency-groups]` changed in `pyproject.toml`. All version constraints are unchanged.
- `uv` against the same constraints — bumps are within the ranges already accepted on `main`.
- `test` job in CI runs against the new lock (will validate basic functionality).
If a specific transitive dep is suspect, we can pin it in `pyproject.toml` in a follow-up.
Database Migrations
None.
Env Config
None.
Related Issues or PRs
`uv pip install` line in uv-lock-automation workflow #1941 — workflow `uv pip install` fix that surfaced this issue (now merged)
Dependencies Versions
Per-package version drift across ~141 packages — see the diff. No `pyproject.toml` constraint changes.
Notable: `banks 2.4.1 (malformed) → 2.4.2`.
Notes on Testing
- `uv lock --check` passes (Resolved 272 packages in 3ms).
- `test` job will validate basic functionality against the refreshed lock.
Screenshots
N/A — lock file change.
Checklist
`uv lock --check` exiting 0 + OSV audit)
🤖 Generated with Claude Code
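The before/after comparison described under Security audit, as an added example (not the PR author's script): it builds the OSV.dev `querybatch` request body for a set of locked versions and diffs the advisory sets of two lock files. The responses are constructed stand-ins for what the API would return, the django advisory id is a placeholder, and keying by package name assumes one locked version per package.

```python
# Constructed inputs: versions taken from the page; the django id is a placeholder.
OLD = {"banks": "2.4.1", "django": "4.2.1", "protobuf": "4.25.8"}
NEW = {"banks": "2.4.2", "django": "4.2.1", "protobuf": "4.25.9"}
PROTOBUF_ADV = {"vulns": [{"id": "GHSA-7gcm-g887-7qv7"}]}
DJANGO_ADV = {"vulns": [{"id": "PLACEHOLDER-DJANGO-ADVISORY"}]}
# Constructed querybatch-style responses: one result per query, in query order.
OLD_RESPONSE = {"results": [{}, DJANGO_ADV, PROTOBUF_ADV]}
NEW_RESPONSE = {"results": [{}, DJANGO_ADV, PROTOBUF_ADV]}

def querybatch_body(versions):
    """Request body for POST https://api.osv.dev/v1/querybatch."""
    return {"queries": [{"package": {"name": name, "ecosystem": "PyPI"}, "version": ver}
                        for name, ver in sorted(versions.items())]}

def advisories(versions, response):
    """Map package name -> advisory ids, pairing results with queries by position."""
    queries = querybatch_body(versions)["queries"]
    if len(queries) != len(response["results"]):
        raise ValueError("response does not match the query list")
    return {q["package"]["name"]: {v["id"] for v in r.get("vulns", [])}
            for q, r in zip(queries, response["results"])}

def audit(old, old_response, new, new_response):
    """Per-package advisory delta between the old and the refreshed lock."""
    before, after = advisories(old, old_response), advisories(new, new_response)
    report = {"introduced": {}, "resolved": {}, "unchanged": {}}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, set()), after.get(name, set())
        for key, ids in (("introduced", a - b), ("resolved", b - a), ("unchanged", a & b)):
            if ids:
                report[key][name] = sorted(ids)
    return report

if __name__ == "__main__":
    result = audit(OLD, OLD_RESPONSE, NEW, NEW_RESPONSE)
    print("security-neutral" if not result["introduced"] else "new advisories", result)
```

An empty `introduced` map is what "security-neutral" means for a lock refresh; entries under `unchanged` are the pre-existing advisories that need their own upgrade PRs.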