ENG-2916: Bump tinycss2 from 1.2.1 to >=1.5.0 #7601

Merged
johnewart merged 3 commits into main from ENG-2916/bump-tinycss2
Mar 17, 2026

@daveqnet daveqnet commented Mar 9, 2026

Ticket ENG-2916

Description Of Changes

Loosens the tinycss2 pin from ==1.2.1 to >=1.5.0 to unblock a weasyprint upgrade in fidesplus. The fides usage of tinycss2 (parse_stylesheet() and FunctionBlock in unsafe_file_util.py) is unchanged between 1.2.1 and 1.5.x — no breaking API changes.

Code Changes

  • pyproject.toml: Change tinycss2==1.2.1 → tinycss2>=1.5.0
  • uv.lock: Regenerated (tinycss2 1.2.1 → 1.5.1)

Steps to Confirm

  1. CI passes — no functional changes to fides code
  2. Verify from tinycss2 import parse_stylesheet and from tinycss2.ast import FunctionBlock still work
  3. Run unsafe_file_util.py related tests if any exist

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Summary by CodeRabbit

  • Chores
    • Relaxed the tinycss2 dependency constraint from a strict pinned version to a minimum compatible version (>=1.5.0), allowing newer tinycss2 releases to be used. This broadens compatibility and enables access to newer features and fixes while removing the strict version pin.

Loosen the tinycss2 pin to unblock a weasyprint upgrade in fidesplus.
The fides usage of tinycss2 (parse_stylesheet and FunctionBlock in
unsafe_file_util.py) is unchanged between 1.2.1 and 1.5.x.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Mar 9, 2026

Walkthrough

Updated the tinycss2 dependency in pyproject.toml from a strict pin (==1.2.1) to a minimum-compatible constraint (>=1.5.0) and added a changelog entry documenting the bump.

Changes

Cohort / File(s): Summary
  • Dependency Version Bump (pyproject.toml): Changed tinycss2 constraint from ==1.2.1 to >=1.5.0.
  • Changelog Entry (changelog/7601.yaml): Added changelog entry documenting the tinycss2 version constraint update.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 I nudged a version, light and spry,
tinycss2 leaps, up to the sky.
Pins unshackled, a gentle cheer,
Compatibility hops ever near. 🌿

🚥 Pre-merge checks | ✅ 3 passed
Check name: Status. Explanation
  • Title check: ✅ Passed. The title directly and clearly summarizes the main change: bumping tinycss2 from version 1.2.1 to >=1.5.0, which matches the primary objective of the pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: ✅ Passed. The PR description fully follows the template with all required sections completed: ticket reference, description of changes with clear context, code changes listed, verification steps provided, and pre-merge checklist mostly addressed.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
pyproject.toml (1)

113-113: Consider adding an upper bound to follow defensive versioning best practices.

While the tinycss2 APIs used here (parse_stylesheet and FunctionBlock) are stable across the 1.x series and tinycss2 follows semantic versioning (breaking changes only with major version bumps), using >=1.5.0 without an upper bound allows future major versions to be installed. For greater safety, constrain to >=1.5.0,<2.0 or use ~=1.5.0 to allow patches within the 1.x line while preventing unexpected major version upgrades.

♻️ Suggested fix
-    "tinycss2>=1.5.0",
+    "tinycss2>=1.5.0,<2.0",
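
Review bot: On the `+` line, the `<2.0` cap should be checked against the tinycss2 range the upgraded weasyprint requires, because unblocking that upgrade in fidesplus is the stated purpose of this PR and a cap here narrows what fidesplus can resolve. Keep the explicit range rather than swapping in `~=1.5.0`, which under PEP 440 means >=1.5.0,<1.6.0 and would shut out later 1.x releases. A short comment beside the requirement saying why the cap exists would help whoever bumps it next.
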
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 113, Update the tinycss2 dependency specification to
include an upper bound to prevent automatic major upgrades; replace the current
"tinycss2>=1.5.0" requirement with a constrained spec such as
"tinycss2>=1.5.0,<2.0" or a compatible release spec like "tinycss2~=1.5.0" so
that code using tinycss2 (e.g., calls to parse_stylesheet and uses of
FunctionBlock) stays on the stable 1.x API surface.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 4791199 and 7ed22ec.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@johnewart johnewart merged commit cad5399 into main Mar 17, 2026
57 of 58 checks passed
@johnewart johnewart deleted the ENG-2916/bump-tinycss2 branch March 17, 2026 05:26
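
The review thread above weighs three ways to constrain tinycss2: the open-ended `>=1.5.0`, the capped `>=1.5.0,<2.0`, and the compatible-release form `~=1.5.0`. The following is an added example, not code from the fides repository or from the PR participants, that evaluates each specifier against a constructed candidate list using a simplified PEP 440 subset (numeric release segments only). The function names and the candidate versions 1.6.0 and 2.0.0 are assumptions made for illustration.

```python
"""Added example: which versions each tinycss2 specifier on this page admits.
Simplified PEP 440 subset: numeric release segments only (no pre/post/dev
releases, no wildcards). This is not the resolver that uv or pip runs."""
import operator

# Two-character operators listed first so ">=" is not read as ">".
_OPS = [(">=", operator.ge), ("<=", operator.le), ("==", operator.eq),
        ("!=", operator.ne), (">", operator.gt), ("<", operator.lt)]

def parse(version):
    """'1.5.1' -> (1, 5, 1)"""
    return tuple(int(part) for part in version.strip().split("."))

def _pad(a, b):
    """Zero-pad two release tuples to equal length so 2.0 equals 2.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def _clause_ok(version, clause):
    clause = clause.strip()
    if clause.startswith("~="):
        base = parse(clause[2:])
        if len(base) < 2:
            raise ValueError("~= needs at least two release segments")
        # ~=X.Y.Z is >=X.Y.Z plus ==X.Y.*: all but the last segment must match.
        v, b = _pad(version, base)
        return v >= b and version[:len(base) - 1] == base[:-1]
    for symbol, compare in _OPS:
        if clause.startswith(symbol):
            v, b = _pad(version, parse(clause[len(symbol):]))
            return compare(v, b)
    raise ValueError(f"unsupported clause: {clause!r}")

def allows(spec, version):
    """True if every comma-separated clause of spec admits version."""
    return all(_clause_ok(parse(version), c) for c in spec.split(","))

def admitted(spec, candidates):
    return [c for c in candidates if allows(spec, c)]

# Constructed candidates: 1.2.1, 1.5.0 and 1.5.1 appear on the page;
# 1.6.0 and 2.0.0 are hypothetical future releases.
CANDIDATES = ["1.2.1", "1.5.0", "1.5.1", "1.6.0", "2.0.0"]

if __name__ == "__main__":
    for spec in ("==1.2.1", ">=1.5.0", ">=1.5.0,<2.0", "~=1.5.0"):
        print(f"{spec:<14} -> {admitted(spec, CANDIDATES)}")
```

For real dependency checks, the `packaging` library's `SpecifierSet` implements the full PEP 440 rules, including pre-releases, which this subset ignores.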