deps: batched major-version updates + pre-commit hook sync #21

Merged: haasonsaas merged 1 commit into main from deps/batch-major-updates, Apr 22, 2026

Conversation

@haasonsaas (Contributor)

Summary

Consolidates the four major-bump Dependabot PRs into a single batch, each individually vetted against actual usage.

Supersedes

| PR | Package | Bump | Risk review |
|---|---|---|---|
| #13 | flask-limiter | 3.8.0 → 4.1.1 | Only uses `Limiter(key_func=..., default_limits=...)` + `get_remote_address` — both stable. Smoke-tested `sms_server` import: clean. |
| #15 | pre-commit | 3.8.0 → 4.6.0 | Requires Python ≥3.9 (we use 3.11/3.12). Config schema compatible as-is. |
| #16 | rich | 13.7.1 → 15.0.0 | Only uses `rich.console.Console` + `rich.table.Table` — both stable. |
| #18 | gunicorn | 22.0.0 → 25.3.0 | Used only via README CLI example (`gunicorn -w 2 ...`); no Python imports. |

Those 4 Dependabot PRs will close automatically once this merges.

Bonus fix: `.pre-commit-config.yaml` hook-pin sync

The pre-commit hooks were pinning versions that no longer match the repo's own deps:

| Hook | Was | Now |
|---|---|---|
| psf/black | 24.8.0 | 26.3.1 |
| ruff-pre-commit | v0.6.3 | v0.15.11 |

Previously, a developer running `pre-commit run` locally would install an older black/ruff than the repo actually uses — producing different output than CI. Fixing this alongside the pre-commit version bump for clean scope.

Verification

  • `pytest -q`: 16/16 pass (py3.12)
  • `ruff check .`: clean
  • `black --check .`: clean
  • `from orbit_agent import sms_server`: imports cleanly with Flask-Limiter 4.x
  • `.pre-commit-config.yaml` valid YAML
  • Lock-drift guard satisfied (all 4 files updated pairwise)
  • CI `test (3.11)` + `test (3.12)`

🤖 Generated with Claude Code

Consolidates four Dependabot major-bump PRs. Each was individually
reviewed against actual usage in the codebase and found low-risk:

  #13  flask-limiter    3.8.0  -> 4.1.1
       Only uses Limiter(key_func=..., default_limits=...) and
       get_remote_address — both stable across 3.x -> 4.x.
       Smoke-tested orbit_agent.sms_server import: OK.

  #15  pre-commit       3.8.0  -> 4.6.0
       Requires Python >=3.9; our matrix is 3.11/3.12. Config schema
       in .pre-commit-config.yaml is compatible as-is.

  #16  rich             13.7.1 -> 15.0.0
       Only uses rich.console.Console and rich.table.Table in
       orbit_agent/cli.py — both stable.

  #18  gunicorn         22.0.0 -> 25.3.0
       Used only via README's CLI example; no Python imports.

Also syncs .pre-commit-config.yaml hook revs to match the repo's
own pinned tool versions:
  black:  24.8.0 -> 26.3.1
  ruff:   0.6.3  -> 0.15.11
Previously the hooks installed older black/ruff than the repo uses,
which could produce different formatting locally vs in CI.

Verified on Python 3.12:
  - pytest -q: 16/16 pass
  - ruff check .: clean
  - black --check .: clean
  - orbit_agent.sms_server imports cleanly with Flask-Limiter 4.x

The 4 corresponding Dependabot PRs (#13, #15, #16, #18) will
close automatically once this merges.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
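The hook-pin drift described above (pre-commit revs lagging the repo's own pinned black/ruff) is easy to miss by eye and easy to catch mechanically. The following is an added example, not code from this repository: it parses the `repo:`/`rev:` pairs of a `.pre-commit-config.yaml` and the `==` pins of a requirements file on constructed sample input (the "Was" revs beside the "Now" pins) and reports every mismatch. The hook-to-package mapping, the sample file contents and the leading-`v` normalisation are assumptions.

```python
import re

# Constructed sample inputs, not the project's files: the "Was" hook revs from
# the PR table beside the repo's own pinned versions of the same tools.
PRE_COMMIT_CONFIG = """\
repos:
  - repo: https://github.com/psf/black
    rev: 24.8.0
    hooks: [{id: black}]
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.6.3
    hooks: [{id: ruff}]
"""
REQUIREMENTS_DEV = "black==26.3.1\nruff==0.15.11\npre-commit==4.6.0\n"

# Hook repo slug -> PyPI package whose pin the rev must track (assumed mapping).
HOOK_TO_PACKAGE = {"psf/black": "black", "astral-sh/ruff-pre-commit": "ruff"}

REPO_RE = re.compile(r"^\s*-\s*repo:\s*https://github\.com/([\w.-]+/[\w.-]+?)(?:\.git)?\s*$")
REV_RE = re.compile(r"^\s*rev:\s*['\"]?([^'\"\s]+)")
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)")

def parse_hook_revs(config_text):
    """Map each hook repo slug to its pinned rev (line-based, no PyYAML needed)."""
    revs, current = {}, None
    for line in config_text.splitlines():
        if m := REPO_RE.match(line):
            current = m.group(1)          # the rev: that follows belongs to this repo
        elif (m := REV_RE.match(line)) and current:
            revs[current], current = m.group(1), None
    return revs

def parse_pins(requirements_text):
    """Map package name to version for exact '==' pins; other specifiers are skipped."""
    pins = {}
    for line in requirements_text.splitlines():
        if m := PIN_RE.match(line.strip()):
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_drift(config_text, requirements_text):
    """Return (package, hook_rev, pinned_version) for every hook whose rev
    disagrees with the requirements pin; a leading 'v' tag prefix is ignored."""
    pins = parse_pins(requirements_text)
    drift = []
    for slug, rev in parse_hook_revs(config_text).items():
        pkg = HOOK_TO_PACKAGE.get(slug)
        if pkg in pins and rev.lstrip("v") != pins[pkg]:
            drift.append((pkg, rev, pins[pkg]))
    return drift
```

Run as a CI step (fail when `find_drift` returns a non-empty list) it turns the "lock-drift guard" idea into a check that also covers the pre-commit revs.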
@cursor

cursor Bot commented Apr 22, 2026

PR Summary

Medium Risk
Medium risk because it upgrades major versions of runtime/server dependencies (Flask-Limiter, rich, gunicorn) which may introduce breaking behavior changes despite minimal code churn.

Overview
Batches major-version upgrades across runtime and dev tooling, updating Flask-Limiter to 4.x, rich to 15.x, gunicorn to 25.x, and pre-commit to 4.x in requirements*.txt and corresponding lockfiles.

Also syncs .pre-commit-config.yaml hook revisions so black and ruff installed by pre-commit match the versions used by the project, reducing local/CI formatting drift.

Reviewed by Cursor Bugbot for commit a156e34.

@socket-security

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | pre-commit@3.8.0 ⏵ 4.6.0 | 93 (+1) | 100 | 100 | 100 | 100 |
| Updated | gunicorn@22.0.0 ⏵ 25.3.0 | 96 (-1) | 100 | 100 | 100 | 100 |
| Updated | rich@13.7.1 ⏵ 15.0.0 | 98 (+1) | 100 | 100 | 100 | 100 |
| Updated | flask-limiter@3.8.0 ⏵ 4.1.1 | 100 | 100 | 100 | 100 | 100 |

@haasonsaas haasonsaas merged commit 610f378 into main Apr 22, 2026
6 checks passed
@haasonsaas haasonsaas deleted the deps/batch-major-updates branch April 22, 2026 02:14