constrain autobahn (daphne dependency) to <25.11.1

[samuelvkwong]

Added version constraint for autobahn to uv and renovate because beginning from 25.11.1, the ARM64 wheel is broken.

Summary by CodeRabbit

• Chores
  • Added a constraint to keep autobahn versions below 25.11.1.
  • Updated the adit-radis-shared dependency to v0.19.1.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Added a constraint that limits Autobahn versions to below 25.11.1 in Renovate configuration and in the project's uv dependency-constraint settings; also bumped adit-radis-shared from 0.19.0 to 0.19.1 in pyproject.toml.

Changes

Cohort / File(s)	Change Summary
Renovate rule ​.github/renovate.json	Added a pep621 packageRule for autobahn with allowedVersions: "<25.11.1".
Project metadata / uv constraints pyproject.toml	Bumped adit-radis-shared @0.19.0 → @0.19.1; added tool.uv.constraint-dependencies = ["autobahn<25.11.1"].

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify the intended version ceiling "<25.11.1" for autobahn (compatibility rationale).
• Check Renovate pep621 manager behavior to ensure the new rule will be applied.
• Confirm uv constraint format is correct and enforced in CI/build tooling.

Possibly related PRs

• Upgrade adit-radis-shared #276 — Bumps adit-radis-shared dependency similarly (0.19.0 → 0.19.1); likely part of the same version alignment changes.

Poem

🐰 I hopped through two configs, neat and keen,
Tucked Autobahn under a velvet seam,
A tiny bump, constraints set just right,
Now dependency dreams sleep through the night. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: constraining the autobahn dependency to version <25.11.1, with context about its role as a daphne dependency.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch autobahn_version_constraint

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aa1f668 and 6708932.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: ci
• GitHub Check: claude-review

🔇 Additional comments (2)

pyproject.toml (2)

10-10: Clarify the unrelated dependency version bump.

The version bump of adit-radis-shared from 0.19.0 to 0.19.1 is not mentioned in the PR description. Is this change intentional and related to the autobahn constraint fix, or should it be in a separate PR?

---

99-99: Approve the autobahn version constraint with verification request.

The constraint correctly limits autobahn to versions below 25.11.1 using uv's constraint-dependencies mechanism, which will prevent problematic versions from being installed as transitive dependencies through daphne.

However, I was unable to find documented evidence of a broken ARM64 wheel specifically in version 25.11.1. Historical issues with ARM64 wheels (SIGILL crashes due to -march=native compilation) were reported and fixed in v25.10.2. Could you provide a link to the issue tracker, discussion, or error logs that document the specific ARM64 wheel problem in 25.11.1?

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Pull Request Review

Summary

This PR constrains the autobahn package (a dependency of daphne) to version <25.11.1 by:

• Adding a constraint in pyproject.toml using uv's constraint-dependencies feature
• Configuring Renovate to respect this version constraint
• Downgrading from 25.11.1 to 25.10.2 in the lock file

Code Quality and Best Practices ✅

Strengths:

• Proper dependency management: Uses uv's built-in constraint mechanism (constraint-dependencies) which is the correct approach for constraining transitive dependencies
• Renovate configuration: Correctly prevents automatic updates past the constraint, preventing future issues
• Consistent approach: Follows the existing pattern already established for factory-boy in the same files
• Clean implementation: Minimal, focused changes that address the specific issue

Potential Issues ⚠️

Missing context:

• No explanation for the constraint: The PR body is empty and the commit message doesn't explain why this constraint is needed. This is important for future maintainability.
  • What issue does autobahn 25.11.1 cause?
  • Is there a related issue or bug report?
  • Is this a compatibility issue with daphne or the project itself?

Recommendations:

1. Add a PR description explaining:

   • The problem encountered with autobahn 25.11.1
   • Steps to reproduce the issue (if applicable)
   • Why 25.10.2 is the last working version
   • Link to any related issues or upstream bug reports

2. Add an inline comment in pyproject.toml explaining the constraint

3. Consider tracking this: If this is a temporary workaround, create an issue to track removing this constraint once the upstream issue is resolved.

Performance Considerations ✅

No performance concerns. The version downgrade actually removes several optional dependencies (cbor2, msgpack, py-ubjson, ujson, u-msgpack-python) that were added in 25.11.1, resulting in a smaller dependency footprint.

Security Considerations ⚠️

• Version pinning risk: Constraining versions can prevent security updates. Monitor for security advisories affecting autobahn 25.10.2 and earlier.
• Recommendation: Set up security monitoring (like Dependabot security alerts) to be notified of vulnerabilities in the constrained version range.

Test Coverage

• No tests are included, but this is acceptable for a dependency constraint change.
• Recommendation: If the constraint addresses a specific runtime issue, consider adding a regression test if feasible.

Overall Assessment

This is a well-implemented technical solution using the correct tooling and following established patterns. However, it lacks documentation and context which are critical for long-term maintainability.

Approval recommendation: ✅ Approve after adding context to the PR description explaining the rationale for the constraint.

---

Action Items:

• Add PR description explaining why this constraint is needed
• Consider adding an inline comment in pyproject.toml
• Create a tracking issue if this is a temporary workaround
• Monitor for security updates to constrained version

[claude]

Updated Pull Request Review

Summary

This PR now includes two changes:

1. Constrains the autobahn package to version <25.11.1 due to a broken ARM64 wheel
2. Updates adit-radis-shared dependency from 0.19.0 to 0.19.1

---

Change 1: Autobahn Version Constraint ✅

What was done:

• Added constraint-dependencies = ["autobahn<25.11.1"] in pyproject.toml
• Configured Renovate to prevent automatic updates past this version
• Downgraded from 25.11.1 to 25.10.2 in the lock file

Strengths:

• ✅ Uses the correct uv mechanism (constraint-dependencies) for constraining transitive dependencies
• ✅ Properly configured Renovate to respect the constraint
• ✅ Follows existing pattern used for factory-boy
• ✅ PR body now includes explanation (ARM64 wheel is broken in 25.11.1+)

Observations:

• The downgrade removes several optional serialization dependencies (cbor2, msgpack, py-ubjson, ujson, u-msgpack-python) that were added in 25.11.1, resulting in ~150 fewer lines in uv.lock
• This is a positive side effect - smaller dependency footprint

---

Change 2: adit-radis-shared Update ⚠️

What was done:

• Updated adit-radis-shared from 0.19.0 to 0.19.1
• Lock file hash changed from cba956e to 2b982d6

Concerns:

1. Mixed scope: This change is unrelated to the autobahn constraint and should ideally be in a separate PR
2. No changelog reference: No information about what changed in adit-radis-shared 0.19.1
3. Testing verification: It's unclear if these two changes have been tested together

Recommendations:

• If the adit-radis-shared update is required for the autobahn fix to work, please add this context to the PR description
• Otherwise, consider moving this to a separate PR for cleaner git history
• Document what changed in adit-radis-shared 0.19.1

---

Code Quality ✅

• Clean, minimal changes
• Follows project conventions (Google Python Style Guide)
• Lock file properly regenerated with uv

Security Considerations ⚠️

• Version pinning: Be aware that constraining autobahn prevents security updates beyond 25.10.2
• Recommendation: Monitor security advisories for autobahn and track when the ARM64 wheel issue is resolved upstream so this constraint can be removed

Test Coverage

• No tests needed for dependency configuration changes
• Recommendation: Verify the application builds and runs correctly on ARM64 architecture

---

Overall Assessment

Autobahn constraint: Well-implemented and properly justified. ✅

adit-radis-shared update: Needs clarification on why it's included in this PR. ⚠️

Recommendation:

• If the two changes are related, explain the relationship in the PR description
• If they're unrelated, consider splitting into separate PRs
• Otherwise, the implementation is solid and ready to merge

---

Action Items

• Clarify the relationship between the two changes
• Consider adding an inline comment in pyproject.toml explaining the autobahn constraint (e.g., # ARM64 wheel broken in 25.11.1+)
• Create a tracking issue to remove the constraint once the upstream issue is resolved
• Test on ARM64 architecture to verify the fix works