chore(deps-dev): bump types-regex from 2026.1.15.20260116 to 2026.2.28.20260301#4758
chore(deps-dev): bump types-regex from 2026.1.15.20260116 to 2026.2.28.20260301#4758dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
force-pushed
the
dependabot/uv/types-regex-2026.2.28.20260301
branch
3 times, most recently
from
55d3a47 to
9a8523a
Compare
dependabot
Bot
force-pushed
the
dependabot/uv/types-regex-2026.2.28.20260301
branch
2 times, most recently
from
5b5b551 to
7755d74
Compare
dependabot
Bot
force-pushed
the
dependabot/uv/types-regex-2026.2.28.20260301
branch
4 times, most recently
from
c6cca12 to
059c54e
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "types-requests~=2.31.0.6", | ||
| "types-pyyaml==6.0.*", | ||
| "types-regex==2026.1.15.*", | ||
| "types-regex==2026.3.32.*", |
There was a problem hiding this comment.
Version in code doesn't match PR description
Medium Severity
The PR title and description state the bump target is types-regex version 2026.2.28.20260301, but the actual changes in pyproject.toml and uv.lock install version 2026.3.32.20260329 instead — a completely different release. Both versions exist on PyPI, so this isn't a resolution artifact. A reviewer trusting the Dependabot description would unknowingly approve a different dependency version than advertised, which is a supply-chain integrity concern.
Additional Locations (2)
dependabot
Bot
force-pushed
the
dependabot/uv/types-regex-2026.2.28.20260301
branch
from
059c54e to
583c393
Compare
Bumps [types-regex](https://github.com/typeshed-internal/stub_uploader) from 2026.1.15.20260116 to 2026.2.28.20260301. - [Commits](https://github.com/typeshed-internal/stub_uploader/commits) --- updated-dependencies: - dependency-name: types-regex dependency-version: 2026.2.28.20260301 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/uv/types-regex-2026.2.28.20260301
branch
from
583c393 to
2ffd04a
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
|
|
||
| [options] | ||
| exclude-newer = "2026-03-31T18:04:18.250213933Z" | ||
| exclude-newer-span = "P3D" |
There was a problem hiding this comment.
New exclude-newer option causes unintended package downgrades
High Severity
A new [options] section with exclude-newer and exclude-newer-span was added to uv.lock. This constrains package resolution to before 2026-03-31T18:04:18Z, causing aiohttp to downgrade from 3.13.5 to 3.13.4 and couchbase from 4.6.0 to 4.5.0. These are unintended side effects of a types-only dependency bump.
|
Dependabot can't resolve your Python dependency files. Because of this, Dependabot cannot update this pull request. |
1 similar comment
|
Dependabot can't resolve your Python dependency files. Because of this, Dependabot cannot update this pull request. |
Bumps types-regex from 2026.1.15.20260116 to 2026.2.28.20260301.
Commits
You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Medium Risk
Primarily a dependency/lockfile update, but the lock refresh also changes runtime packages (notably
aiohttpandcouchbase), which could affect HTTP or database behavior at runtime.Overview
Updates the dev dependency
types-regexto2026.3.32.*and refreshesuv.lockaccordingly.The lockfile refresh also introduces new
uvresolution options (exclude-newer/exclude-newer-span) and shifts some resolved package versions, including downgradingaiohttpto3.13.4andcouchbaseto4.5.0.Written by Cursor Bugbot for commit 2ffd04a. This will update automatically on new commits. Configure here.