LCORE-1392: Updated dependencies #1365

Merged: tisnik merged 1 commit into lightspeed-core:main from asimurka:add_providers_dependencies, Mar 20, 2026

@asimurka asimurka commented Mar 20, 2026

Description

This PR updates dependencies and explicitly adds dependencies for lightspeed providers.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: N/A

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Updated multiple dependency versions (aiohttp, urllib3, azure-core, chardet, google-cloud-storage, litellm, oci, openai, protobuf, pythainlp, sse-starlette, trl) for compatibility and security.
    • Added new development/provider dependencies: httpx, pydantic, protobuf, filelock (and related entries).
    • Adjusted package lists to remove a specific package entry and updated dependency pins/hashes accordingly (including adding a pinned attrs entry and removing an older wheel entry).

coderabbitai bot commented Mar 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: eb493d2f-f430-4e01-a9f6-58ed4df49bac

📥 Commits

Reviewing files that changed from the base of the PR and between 8b2818b and 871a702.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • pyproject.toml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
💤 Files with no reviewable changes (1)
  • requirements.hashes.wheel.txt
✅ Files skipped from review due to trivial changes (5)
  • .tekton/lightspeed-stack-pull-request.yaml
  • requirements-build.txt
  • pyproject.toml
  • .tekton/lightspeed-stack-push.yaml
  • requirements.hashes.source.txt

Walkthrough

Updated dependency declarations, lock/hash files, and Tekton pipeline prefetch lists: attrs was removed from pipeline package lists, attrs was added/pinned at 26.1.0 in source hashes while its 25.4.0 wheel entry was removed, several other pinned packages were bumped, and pyproject.toml adjusted aiohttp and urllib3 constraints and added Lightspeed provider packages to the llslibdev group.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Tekton pipeline definitions (.tekton/lightspeed-stack-pull-request.yaml, .tekton/lightspeed-stack-push.yaml) | Removed attrs from the comma-separated binary.packages / prefetch-input package lists. |
| Project manifest (pyproject.toml) | Bumped aiohttp (>=3.12.14 → >=3.13.3); relaxed urllib3 from ==2.6.3 to >=2.6.3; added Lightspeed provider packages to llslibdev: httpx>=0.27.0, pydantic>=2.10.6, protobuf>=6.33.5, filelock>=3.20.3. |
| Build requirements provenance (requirements-build.txt) | Recorded attrs as an additional transitive/"via" dependency for hatch-fancy-pypi-readme==25.1.0, hatch-vcs==0.5.0, and hatchling==1.29.0. |
| Source hash pins (requirements.hashes.source.txt) | Added attrs==26.1.0 with hashes; bumped pinned versions (and hashes) for: azure-core 1.38.3→1.39.0, chardet 7.1.0→7.2.0, google-cloud-storage 3.9.0→3.10.0, litellm 1.82.3→1.82.4, oci 2.168.1→2.168.2, openai 2.28.0→2.29.0, protobuf 6.33.5→6.33.6, pythainlp 5.3.1→5.3.2, sse-starlette 3.3.2→3.3.3, trl 0.29.0→0.29.1. |
| Wheel hash manifest (requirements.hashes.wheel.txt) | Removed the attrs==25.4.0 wheel entry and its hash line. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'LCORE-1392: Updated dependencies' accurately summarizes the main change—updating dependencies across multiple files including pyproject.toml, requirements files, and Tekton configs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@tisnik tisnik left a comment

LGTM

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pyproject.toml (1)

61-61: Loosening urllib3 constraint may reduce build reproducibility.

Changing from an exact pin (==2.6.3) to a lower-bounded range (>=2.6.3) allows the resolver to pick any version at or above 2.6.3. While this provides flexibility, it may reduce reproducibility across environments. Consider whether the exact pin was intentional for stability reasons.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` at line 61, The change to "urllib3>=2.6.3" loosens the
dependency pin and can harm reproducibility; revert to the exact pin
"urllib3==2.6.3" in pyproject.toml if the original exact version was required
for stability, or tighten the constraint (e.g., "urllib3>=2.6.3,<3.0" or
"urllib3==2.6.3") and add a brief comment explaining why that choice was made so
future reviewers know whether the loosening was intentional.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Around line 191-197: Remove the duplicate/conflicting package entries in the
pyproject toml groups: in the "Lightspeed providers" list remove "numpy>=1.24.0"
(conflicts with the pinned "numpy==2.3.5" in the llslibdev group) and remove the
redundant "mcp>=1.23.0" (already present in llslibdev); keep the single
authoritative numpy==2.3.5 pin and one mcp>=1.23.0 entry to avoid resolver
conflicts.

---

Nitpick comments:
In `@pyproject.toml`:
- Line 61: The change to "urllib3>=2.6.3" loosens the dependency pin and can
harm reproducibility; revert to the exact pin "urllib3==2.6.3" in pyproject.toml
if the original exact version was required for stability, or tighten the
constraint (e.g., "urllib3>=2.6.3,<3.0" or "urllib3==2.6.3") and add a brief
comment explaining why that choice was made so future reviewers know whether the
loosening was intentional.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a05e2cd9-2e87-4f37-a6a8-7436cbc24426

📥 Commits

Reviewing files that changed from the base of the PR and between 0f4a68c and 8b2818b.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .tekton/lightspeed-stack-pull-request.yaml
  • .tekton/lightspeed-stack-push.yaml
  • pyproject.toml
  • requirements-build.txt
  • requirements.hashes.source.txt
  • requirements.hashes.wheel.txt
💤 Files with no reviewable changes (1)
  • requirements.hashes.wheel.txt
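
The two findings in the review above (the urllib3 pin changed from `==` to `>=`, and the same package listed twice with different specifiers) can be checked mechanically before merge. The following is an added example, not code from this PR or the lightspeed-stack project; the function names and the `lightspeed-providers` group name are hypothetical, and the requirement lists are constructed from the entries quoted in the review.

```python
import re
from collections import defaultdict

REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")

def parse_req(line):
    """Split 'name[extras] spec ; marker' into (normalized name, spec)."""
    m = REQ.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name normalization
    parts = (p.replace(" ", "") for p in m.group(2).split(","))
    return name, ",".join(sorted(p for p in parts if p))

def is_pinned(spec):
    """True if any clause of the specifier is an exact pin."""
    return any(p.startswith("==") for p in spec.split(","))

def loosened(before, after):
    """Packages exactly pinned in `before` that are no longer pinned in `after`."""
    old = dict(parse_req(r) for r in before)
    new = dict(parse_req(r) for r in after)
    return sorted(n for n, s in old.items()
                  if is_pinned(s) and n in new and not is_pinned(new[n]))

def audit(groups):
    """Report packages listed more than once across dependency groups."""
    seen = defaultdict(list)
    for reqs in groups.values():
        for line in reqs:
            name, spec = parse_req(line)
            seen[name].append(spec)
    findings = []
    for name, uses in sorted(seen.items()):
        if len(uses) < 2:
            continue
        specs = sorted(set(uses))
        kind = "divergent" if len(specs) > 1 else "duplicate"
        findings.append((kind, name, specs))
    return findings

# Constructed sample data based on the entries named in the review comments.
BEFORE = ["aiohttp>=3.12.14", "urllib3==2.6.3"]
AFTER = ["aiohttp>=3.13.3", "urllib3>=2.6.3"]
GROUPS = {
    "llslibdev": ["numpy==2.3.5", "mcp>=1.23.0"],
    "lightspeed-providers": ["numpy>=1.24.0", "mcp>=1.23.0", "httpx>=0.27.0"],
}

if __name__ == "__main__":
    print("loosened pins:", loosened(BEFORE, AFTER))
    for finding in audit(GROUPS):
        print(finding)
```

A `divergent` finding means the specifiers differ textually, not that they are unsatisfiable together; whether the resolver can reconcile them still has to be judged per package.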

@asimurka asimurka force-pushed the add_providers_dependencies branch from 8b2818b to 871a702, March 20, 2026 16:55
@tisnik tisnik merged commit 6f191f5 into lightspeed-core:main Mar 20, 2026
25 of 26 checks passed