Update Python dependency versions identified by dependabot

[landonshumway-ia]

In an effort to close out the list of Dependabot generated PRs, this introduces python dependency updates that dependabot has identified.

This includes a list of minor updates, as well as the following major updates:
Marshmallow 3.x -> 4.x see changelog for description of breaking changes

The biggest change for this was replacing the DateTime marshmallow field type with the AwareDateTime type. The DateTime marshmallow type, as of 4.x, is much more permissive and will allow date strings (YYYY-MM-DD) to silently pass validation and will set it as a naive datetime string, which we want to avoid as our datetimes need to be timezone aware to support converting to various local timezones. Scanning through our identified writes to the current datetime fields showed that we already enforce timezone awareness when storing datetime fields, and we migrated off of naive timestamps before we even launched in prod, so it is expected that this is a backwards compatible change with our production environment. Even so, extensive smoke testing, UI testing, and zap scanning should be performed against this change before releasing to prod (unfortunately, given that this is a core schema related update, the feature flag framework will not be feasible to use at this fundamental scope without impacting system performance).

We were not able to update the attrs dependency to the latest 26.x version, as this is a transitive dependency of jsii (used by CDK). Until jsii ships a new version that accepts attrs 26, the CDK app cannot move to attrs 26, so the shared venv can't either. For now it will remain as is and we will have Dependabot ignore that update. The only other location we use it is as a dev dependency for moto in the common tests, so it is not bundled in the runtime code.

Closes #1319

[coderabbitai]

Warning

Rate limit exceeded

@landonshumway-ia has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 43 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 10 minutes and 43 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc347bdd-096b-442f-8026-98f84b0a363e

📥 Commits

Reviewing files that changed from the base of the PR and between 2ccfec5 and a23ec2d.

📒 Files selected for processing (4)

• backend/compact-connect/lambdas/python/common/requirements.in
• backend/compact-connect/lambdas/python/purchases/requirements-dev.in
• backend/compact-connect/lambdas/python/purchases/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/common/requirements.in

📝 Walkthrough

Walkthrough

This pull request updates multiple backend project dependencies including AWS SDKs, Lambda Powertools, and Marshmallow, while converting datetime schema fields across both compact-connect and cosmetology-app projects from Marshmallow's generic DateTime type to AwareDateTime to enforce timezone-aware datetime validation and serialization.

Changes

Cohort / File(s)	Summary
Marshmallow Schema Field Type Conversions (compact-connect) backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/adverse_action/record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/base_record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/data_event/api.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/investigation/record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/license/ingest.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/license/record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/military_affiliation/record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/provider/api.py, backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/provider/record.py	Updated multiple datetime fields across schemas from DateTime to AwareDateTime to enforce timezone-aware datetime validation and serialization.
Marshmallow Schema Field Type Conversions (cosmetology-app) backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/adverse_action/record.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/base_record.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/data_event/api.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/investigation/record.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/ingest.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/record.py, backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/provider/record.py	Updated datetime fields from DateTime to AwareDateTime across provider, license, investigation, adverse action, and data event schemas.
Marshmallow and AWS SDK Version Updates backend/compact-connect/lambdas/python/cognito-backup/requirements*.txt, backend/compact-connect/lambdas/python/common/requirements*.txt, backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt, backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt, backend/compact-connect/lambdas/python/data-events/requirements-dev.txt, backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt, backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt, backend/compact-connect/lambdas/python/search/requirements-dev.txt, backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt, backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt	Bumped boto3 and botocore from 1.42.89 to 1.42.90, aws-lambda-powertools from 3.27.0 to 3.28.0, and packaging from 26.0 to 26.1 across development and pinned requirements. Also upgraded marshmallow from 3.26.2 to 4.3.0 in common/requirements.txt.
Marshmallow and AWS SDK Version Updates (cosmetology-app) backend/cosmetology-app/lambdas/python/cognito-backup/requirements*.txt, backend/cosmetology-app/lambdas/python/common/requirements*.txt, backend/cosmetology-app/lambdas/python/compact-configuration/requirements-dev.txt, backend/cosmetology-app/lambdas/python/custom-resources/requirements-dev.txt, backend/cosmetology-app/lambdas/python/data-events/requirements-dev.txt, backend/cosmetology-app/lambdas/python/disaster-recovery/requirements-dev.txt, backend/cosmetology-app/lambdas/python/provider-data-v1/requirements-dev.txt, backend/cosmetology-app/lambdas/python/search/requirements-dev.txt, backend/cosmetology-app/lambdas/python/staff-user-pre-token/requirements-dev.txt, backend/cosmetology-app/lambdas/python/staff-users/requirements-dev.txt	Updated AWS SDK dependencies (boto3, botocore 1.42.89 → 1.42.90), aws-lambda-powertools 3.27.0 → 3.28.0, and upgraded marshmallow to 4.3.0 in common/requirements.txt.
Marshmallow Version Constraints backend/compact-connect/lambdas/python/common/requirements.in, backend/cosmetology-app/lambdas/python/common/requirements.in	Updated marshmallow version constraint from <4.0.0 to <5.0.0 to allow major version 4.x releases.
AWS CDK Dependencies backend/compact-connect/requirements.txt, backend/cosmetology-app/requirements.txt	Bumped AWS CDK packages: aws-cdk-lib 2.249.0 → 2.250.0, aws-cdk-aws-lambda-python-alpha 2.249.0a0 → 2.250.0a0, aws-cdk-cloud-assembly-schema 53.14.0 → 53.16.0.
Development Tool Dependencies backend/compact-connect/requirements-dev.txt, backend/cosmetology-app/requirements-dev.txt	Updated filelock 3.25.2 → 3.28.0, packaging 26.0 → 26.1, and ruff 0.15.10 → 0.15.11.
Test Fixture Timezone Updates backend/compact-connect/lambdas/python/search/tests/function/test_expiration_reminders.py	Updated OpenSearch document fixtures to use ISO 8601 timestamps with explicit UTC offset (+00:00) for dateOfUpdate fields in provider and privilege test data.
Attributes Dependency Constraint backend/cosmetology-app/lambdas/python/common/requirements-dev.in	Removed duplicate attrs>=25, <26 constraint, retaining the tighter attrs>=25.4,<26 constraint.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

The changes span multiple files with a mix of repetitive dependency version bumps (low cognitive load) and systematic datetime field type conversions across many schemas (moderate cognitive load). While the datetime conversions follow a consistent pattern, each schema file requires verification that all appropriate datetime fields are updated consistently. The Marshmallow 4.x upgrade from 3.26.2 requires particular attention for compatibility. Test fixture updates need validation against the new datetime format expectations.

Possibly related PRs

• Set up feature flag framework #1110: Modifies backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py by adding new schema decorators and classes, creating a direct code-level overlap with this PR's datetime field conversions in the same file.
• Privilege Expiry Email Notifications #1277: Updates expiration-reminder tests and datetime handling logic, directly related to the test fixture timestamp format changes in this PR.
• Feat/validate api responses #1129: Modifies Marshmallow schemas across cc_common/data_model/schema for response schema changes, overlapping with the systematic datetime field updates across the same schema modules in this PR.

Suggested reviewers

• jlkravitz

Poem

🐰 Timezones now make the timestamps aware,
Each datetime field checked with developer's care,
Marshmallow grows from three to four,
Dependencies dance to the latest score,
UTC offsets in every fare! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: updating Python dependency versions identified by dependabot, which is the primary objective of this PR.
Linked Issues check	✅ Passed	The PR successfully addresses the coding requirements of issue #1319 by updating all backend Python dependencies (boto3, botocore, aws-lambda-powertools, marshmallow, aws-cdk packages, etc.) and implementing the necessary schema changes to enforce timezone-aware datetimes required by Marshmallow 4.x.
Out of Scope Changes check	✅ Passed	All changes are directly related to dependency updates and the necessary code modifications to support Marshmallow 4.x (DateTime to AwareDateTime field replacements). No unrelated changes are present; even test file updates maintain scope by only adjusting timestamp formats to include UTC offsets for timezone awareness.
Description check	✅ Passed	The PR description comprehensively explains the dependency updates, highlights the major Marshmallow 3.x→4.x migration with specific field type changes, and provides context about backwards compatibility and testing requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py (1)

135-142: ⚠️ Potential issue | 🟠 Major

_enforce_datetimes no longer provides the backwards-compat guarantee it claims under Marshmallow 4.

ensure_value_is_datetime (in common.py) only upgrades length-10 date strings (YYYY-MM-DD) to UTC-aware datetime strings — if the input is already a datetime-shaped string, it returns it unchanged. That was fine when these fields were DateTime (tolerant of naive ISO strings), but now with AwareDateTime any historical record whose dateOfIssuance/dateOfRenewal was written as a naive datetime string (e.g. 2024-01-02T03:04:05) will bypass this hook's "fix up" and then fail AwareDateTime validation on load.

Given this is the schema that most explicitly advertises legacy-data tolerance, please either:

1. Extend ensure_value_is_datetime to also coerce naive datetime strings to UTC-aware (parse, set tzinfo=UTC if missing, re-serialize), or
2. Confirm via a migration/backfill that no naive datetime values remain for these fields in production.

Option 1 is minimally invasive and preserves the safety net already described in the docstring. It also transparently fixes the same risk in other schemas that call into ensure_value_is_datetime.

♻️ Sketch of the extended helper

 def ensure_value_is_datetime(value: str):
     ...
     dt = datetime.fromisoformat(value)
     if len(value) == 10:
         value_dt = datetime.combine(dt, datetime.max.time(), tzinfo=UTC).replace(microsecond=0)
         return value_dt.isoformat()
-    # Not a date string, return the original
-    return value
+    # Promote naive datetime strings to UTC-aware for Marshmallow 4 AwareDateTime compatibility
+    if dt.tzinfo is None:
+        return dt.replace(tzinfo=UTC).isoformat()
+    return value

Also note the updated comment on line 138 now reads "for dateOfRenewal and dateOfIssuance to datetime values" but the real intent after this PR is "to timezone-aware datetime values" — worth tightening.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py`
around lines 135 - 142, The _enforce_datetimes backward-compat guarantee breaks
under Marshmallow 4 because ensure_value_is_datetime currently only upgrades
YYYY-MM-DD strings and leaves naive ISO datetime strings unchanged, causing
AwareDateTime validation failures; update ensure_value_is_datetime (used by
_enforce_datetimes) to parse ISO datetime strings and, if they lack timezone
info, attach UTC (e.g., parse -> set tzinfo=UTC -> re-serialize/return
timezone-aware datetime) so dateOfIssuance and dateOfRenewal are always
timezone-aware before AwareDateTime validation, and update the doc/comment in
_enforce_datetimes to say "timezone-aware datetime values"; ensure function
names referenced: ensure_value_is_datetime, _enforce_datetimes, and fields
dateOfIssuance/dateOfRenewal/AwareDateTime.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/ingest.py`:
- Line 3: The AwareDateTime field used for eventTime in
SanitizedLicenseIngestDataEventSchema may reject timezone-naive timestamps;
update the schema's eventTime AwareDateTime declaration to set
default_timezone=timezone.utc so Marshmallow will treat naive datetimes as UTC
when loading (import timezone from datetime as needed) and ensure existing
producers' offset-bearing strings continue to validate unchanged.

In `@backend/cosmetology-app/lambdas/python/common/requirements.in`:
- Line 5: Replace the existing dependency line "marshmallow>=3.21.3, <5.0.0"
with a constraint that excludes the vulnerable 4.0.0–4.1.1 releases; either use
the two-platform-specific lines "marshmallow>=3.21.3, <4.0.0; python_version <
'3.x'" and "marshmallow>=4.1.2, <5.0.0; python_version >= '3.x'" or a single
unified exclusion "marshmallow>=3.21.3, <5.0.0, !=4.0.0, !=4.0.1, !=4.1.0,
!=4.1.1" in place of the original "marshmallow>=3.21.3, <5.0.0" entry so the
vulnerable CVE-2025-68480 versions are not installable.

---

Outside diff comments:
In
`@backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py`:
- Around line 135-142: The _enforce_datetimes backward-compat guarantee breaks
under Marshmallow 4 because ensure_value_is_datetime currently only upgrades
YYYY-MM-DD strings and leaves naive ISO datetime strings unchanged, causing
AwareDateTime validation failures; update ensure_value_is_datetime (used by
_enforce_datetimes) to parse ISO datetime strings and, if they lack timezone
info, attach UTC (e.g., parse -> set tzinfo=UTC -> re-serialize/return
timezone-aware datetime) so dateOfIssuance and dateOfRenewal are always
timezone-aware before AwareDateTime validation, and update the doc/comment in
_enforce_datetimes to say "timezone-aware datetime values"; ensure function
names referenced: ensure_value_is_datetime, _enforce_datetimes, and fields
dateOfIssuance/dateOfRenewal/AwareDateTime.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4f61e516-79f0-49f5-8094-691d74958777

📥 Commits

Reviewing files that changed from the base of the PR and between 0c2b88c and 2ccfec5.

📒 Files selected for processing (48)

• backend/compact-connect/lambdas/python/cognito-backup/requirements-dev.txt
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/adverse_action/record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/base_record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/data_event/api.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/investigation/record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/license/ingest.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/license/record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/military_affiliation/record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/privilege/record.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/provider/api.py
• backend/compact-connect/lambdas/python/common/cc_common/data_model/schema/provider/record.py
• backend/compact-connect/lambdas/python/common/requirements-dev.txt
• backend/compact-connect/lambdas/python/common/requirements.in
• backend/compact-connect/lambdas/python/common/requirements.txt
• backend/compact-connect/lambdas/python/compact-configuration/requirements-dev.txt
• backend/compact-connect/lambdas/python/custom-resources/requirements-dev.txt
• backend/compact-connect/lambdas/python/data-events/requirements-dev.txt
• backend/compact-connect/lambdas/python/disaster-recovery/requirements-dev.txt
• backend/compact-connect/lambdas/python/provider-data-v1/requirements-dev.txt
• backend/compact-connect/lambdas/python/search/requirements-dev.txt
• backend/compact-connect/lambdas/python/search/tests/function/test_expiration_reminders.py
• backend/compact-connect/lambdas/python/staff-user-pre-token/requirements-dev.txt
• backend/compact-connect/lambdas/python/staff-users/requirements-dev.txt
• backend/compact-connect/requirements-dev.txt
• backend/compact-connect/requirements.txt
• backend/cosmetology-app/lambdas/python/cognito-backup/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/cognito-backup/requirements.txt
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/adverse_action/record.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/base_record.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/data_event/api.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/investigation/record.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/ingest.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/record.py
• backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/provider/record.py
• backend/cosmetology-app/lambdas/python/common/requirements-dev.in
• backend/cosmetology-app/lambdas/python/common/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/common/requirements.in
• backend/cosmetology-app/lambdas/python/common/requirements.txt
• backend/cosmetology-app/lambdas/python/compact-configuration/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/custom-resources/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/data-events/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/disaster-recovery/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/provider-data-v1/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/search/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/staff-user-pre-token/requirements-dev.txt
• backend/cosmetology-app/lambdas/python/staff-users/requirements-dev.txt
• backend/cosmetology-app/requirements-dev.txt
• backend/cosmetology-app/requirements.txt

💤 Files with no reviewable changes (1)

• backend/cosmetology-app/lambdas/python/common/requirements-dev.in

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find producers that publish license ingest events
rg -nP --type=py '\beventTime\b' -C3 -g '!**/tests/**'

Repository: csg-org/CompactConnect

Length of output: 50378

---

🏁 Script executed:

# First, let's examine the actual schema file mentioned in the review
cat -n backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/ingest.py | head -100

Repository: csg-org/CompactConnect

Length of output: 4257

---

🏁 Script executed:

# Check what config.current_standard_datetime is
rg -nP 'current_standard_datetime' backend/cosmetology-app -A2 -B2 --type=py | head -80

Repository: csg-org/CompactConnect

Length of output: 8989

---

🏁 Script executed:

# Look for config definition and current_standard_datetime
fd -type f -name 'config.py' | xargs grep -l 'current_standard_datetime' 2>/dev/null

Repository: csg-org/CompactConnect

Length of output: 238

---

🏁 Script executed:

# Find config files that might define current_standard_datetime
find . -type f -name '*.py' -path '*/cc_common/*' | xargs grep -l 'def current_standard_datetime\|current_standard_datetime =' 2>/dev/null | head -5

Repository: csg-org/CompactConnect

Length of output: 201

---

🏁 Script executed:

# Search for config class definition
rg -nP 'class.*Config|current_standard_datetime.*=' backend/cosmetology-app/lambdas/python/common/cc_common -B3 -A3 --type=py | head -100

Repository: csg-org/CompactConnect

Length of output: 8633

---

🏁 Script executed:

# Let's look at the actual config module
find . -path '*/cc_common/config.py' | xargs cat -n 2>/dev/null

Repository: csg-org/CompactConnect

Length of output: 26358

---

AwareDateTime on eventTime — current producers are timezone-aware; consider adding default_timezone=timezone.utc for backward compatibility with potential in-flight messages.

SanitizedLicenseIngestDataEventSchema loads from SQS using Marshmallow 4.x, where AwareDateTime rejects timezone-naive input. Verification shows all identified producers already emit offset-bearing ISO strings via config.current_standard_datetime.isoformat() (e.g., 2024-11-08T23:59:59+00:00), so there is no immediate validation failure risk. However, to safely handle any in-flight messages from earlier rollouts that may lack timezone info, consider adding default_timezone=timezone.utc to this field to provide graceful fallback during transition.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/cosmetology-app/lambdas/python/common/cc_common/data_model/schema/license/ingest.py`
at line 3, The AwareDateTime field used for eventTime in
SanitizedLicenseIngestDataEventSchema may reject timezone-naive timestamps;
update the schema's eventTime AwareDateTime declaration to set
default_timezone=timezone.utc so Marshmallow will treat naive datetimes as UTC
when loading (import timezone from datetime as needed) and ensure existing
producers' offset-bearing strings continue to validate unchanged.